[Bug] PublicClientApplication acts like confidential client application #818
Comments
Hello @ShmuelCammebys : Just some clarifications:
That 'AADSTS' is an error message coming directly from the token service rather than from our library, so my first guess is a configuration issue in Azure. If you ran your code immediately after configuring the app then maybe the config was slow to propagate? You can also check the 'Manifest' tab to see if the 'allowPublicClient' field is set to true.
This has been happening for months after we changed the configuration. I'd prefer to take this as far as I can before having to contact the security/DevOps team about the Azure config, but if more info is needed, so be it.
I'm not too familiar with the implementations for MSAL iOS and Android, but historically the MSALs for mobile scenarios work a bit differently so that setting might not be required for them. Just looking at one of Android's samples and one for macOS I noticed that the instructions don't mention that "Allow public client flows" setting. Since there are different platform config options for "Mobile and desktop applications" (iOS/Android) and "Web applications" (more common for Java, .NET, Python, etc.), at least some config in Azure is different for these scenarios. I can't find good documentation covering exactly when that public client flows setting should be used, but just from experience my understanding was that it's needed for any public client scenario, so it may be the missing piece here. Can you confirm whether or not it's enabled for your app?
Not really. That "allow public client flows" was historically used to enable username password flow and/or device code flow for confidential clients. Mobile platforms like iOS and Android do not require this setting to work.
@ShmuelCammebys, do you have a redirect URI
@ShmuelCammebys, no, I mean this setting. There shouldn't be a web platform with
@ShmuelCammebys It looks like I got some public client flows mixed up, and interactive flow is one where you don't need that 'allow public client' config, and like @rayluo said having a "Web application" platform is also incorrect. I just did some testing to confirm, this is the config that worked for me:
@rayluo Yes, there was a SPA redirect URI to localhost. However, when the redirect URI for desktop was set to http://localhost:55259/desktop, MSAL4J hangs at
I haven't personally tried it, but I suppose SPA does not require a redirect URI in the Web platform either. If there is no other usage for a Web platform, @ShmuelCammebys, can you simply delete the
That might be a different issue. Not all the MSALs currently support a path
I'm realizing now that our docs don't explicitly say a path will cause issues, but yes, only http://localhost or http://localhost:port should be used: https://learn.microsoft.com/en-us/entra/msal/java/getting-started/acquiring-tokens-interactively You may be able to use SystemBrowserOptions or a custom HTTPClient to handle a redirect with a path, but that's probably more complicated than it's worth.
@Avery-Dunn @rayluo Unfortunately, a localhost redirect URI seems to be required in both platforms. Local web development requires a redirect URI, and our local desktop app development also requires a redirect URI. How can we accommodate both?
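The localhost-only rule for the desktop redirect URI, as an added example that is not from this thread or from the MSAL4J project: a small check that rejects a desktop redirect URI carrying a path (such as the /desktop suffix discussed above) before it reaches the standard MSAL4J interactive flow. The client ID is a placeholder; the port and the scope are assumed values.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.InteractiveRequestParameters;
import com.microsoft.aad.msal4j.PublicClientApplication;

import java.net.URI;
import java.util.Collections;

public class DesktopInteractiveSignIn {

    // Placeholder: replace with the application (client) ID from the app registration.
    private static final String CLIENT_ID = "<your-client-id>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/common/";

    /**
     * Validates the loopback redirect URI a desktop public client listens on.
     * MSAL4J's interactive flow only supports http://localhost or http://localhost:port,
     * so a path component (e.g. /desktop) is rejected here instead of causing a hang later.
     */
    static URI desktopRedirectUri(String candidate) {
        URI uri = URI.create(candidate);
        String path = uri.getPath();
        boolean hasPath = path != null && !path.isEmpty() && !"/".equals(path);
        if (!"http".equals(uri.getScheme()) || !"localhost".equals(uri.getHost()) || hasPath) {
            throw new IllegalArgumentException(
                "Desktop redirect URI must be http://localhost or http://localhost:<port>, no path: "
                + candidate);
        }
        return uri;
    }

    public static void main(String[] args) throws Exception {
        // Public client: no client secret is configured; the token is obtained through the
        // system browser and the loopback listener MSAL4J opens on the redirect port.
        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();

        // Assumed port. The same URI, without a path, must be registered under the
        // "Mobile and desktop applications" platform of the app registration, not "Web".
        URI redirectUri = desktopRedirectUri("http://localhost:55259");

        InteractiveRequestParameters parameters = InteractiveRequestParameters
                .builder(redirectUri)
                .scopes(Collections.singleton("User.Read")) // assumed scope
                .build();

        IAuthenticationResult result = pca.acquireToken(parameters).join();
        System.out.println("Signed in as " + result.account().username());
    }
}
```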
Generally, a web app is more flexible in terms of having their redirect URI - and its path - configurable; besides, web app typically uses a path in their redirect URI (such as
Indeed. There is a better approach. FWIW, there is a pending improvement for MSAL Python to support customizable path in Desktop's interactive auth, but that PR has been postponed indefinitely.
Library version used
1.14.3
Java version
17
Scenario
PublicClient (AcquireTokenInteractive, AcquireTokenByUsernamePassword)
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
Even though my application is a public client application, and uses MSAL for iOS and Android perfectly fine, when I try connecting to the same client id on Desktop (after registering the application for desktop), it says I need a client_secret:
Relevant code snippets
Expected behavior
Returns auth token
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response