Azure AD Authorization Code Flow With Proof Key For Code Exchange(PKCE) | Azure AD Authentication

Video description: Azure AD Authorization Code Flow With Proof Key For Code Exchange (PKCE) | Azure AD Authentication

OAuth 2.0 Authorization Code Flow With Proof Key For Code Exchange (PKCE) | Azure Active Directory PKCE | Azure AD PKCE | PKCE Flow | Azure AD authentication | Asp.net Core PKCE | Azure Active Directory PKCE with Postman | Asp.net Core Proof Key for Code Exchange | Advantage of Authorization Code Flow | Why the PKCE authorization flow is needed | Testing Azure AD Authorization Code flow with Postman

The authorization code flow in OAuth 2.0 Azure AD authentication (grant type authorization_code) can be extended with Proof Key for Code Exchange, PKCE (RFC 7636, pronounced "pixy"). PKCE was created to mitigate authorization code interception: the authorization code is returned to the client through a redirect URI, and the Azure AD authorization server cannot tell which application actually receives it, because several apps on the same device may be registered for, and listening on, the same redirect URI. (Cross-site request forgery on the redirect is a separate problem, handled by the state parameter, not by PKCE.) Authorization code with PKCE is also the recommended replacement for the implicit grant flow, which returns the token itself in the redirect response and so exposes it in the same way.
==========================================================
In the PKCE variant of the Azure AD OAuth 2.0 authorization code flow, the client app first generates a random code_verifier and derives a code_challenge from it: the challenge is either the verifier itself (code_challenge_method=plain) or the base64url-encoded SHA-256 hash of the verifier (code_challenge_method=S256, the method to use). The client then requests an authorization code from the /authorize endpoint, passing the redirect URI, the code_challenge and the code_challenge_method, so when testing with Postman the challenge has to be computed from the verifier before the request is sent. The server validates the client ID and redirect URI against the app registration (no client secret is checked at this step, since the request goes through the browser), stores the challenge against the code it issues, and sends the authorization code back to the client application via the redirect. Because a redirect is involved, another app listening on the same redirect URI can still read the authorization code; what it does not have is the code_verifier.
=============================================
In the next step, the client application sends an HTTP POST to the Azure AD /token endpoint with grant_type=authorization_code, the authorization code it received and the same code_verifier. As Azure AD follows OAuth 2.0, the authorization server recomputes the challenge from the supplied code_verifier and issues an access token only if it matches the code_challenge stored with that code. A few things to note: the authorization code can be redeemed only once, so a second redemption with the same code, whether a retry by the client or a replay by an interceptor, fails with an error.
=============================================
One other issue: if the app registration's redirect URI is of the single-page application (SPA) type, the Azure AD token endpoint treats the code redemption as a cross-origin request and rejects it unless an Origin header is present (a browser sends this automatically; in Postman it must be added by hand when requesting the access token).
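To make the three steps above concrete (verifier and challenge generation, the /authorize request, the /token redemption, the single-use rule, and the Origin header for SPA clients), here is an added example in Python that is not part of the video or of any Azure AD SDK. It builds the request shapes Azure AD's v2.0 endpoints expect, and redeems the code against a small simulated authorization server so the interception, success and replay cases can be run offline. The tenant ID, client ID and redirect URI are placeholders, and SimulatedAuthServer stands in for Azure AD's own bookkeeping; only the verifier/challenge arithmetic is the real RFC 7636 computation.

```python
# Added example (not the video's code, not Azure AD code): PKCE end to end
# against a simulated authorization server, using the parameter names of the
# Azure AD v2.0 /authorize and /token endpoints.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder (assumption)
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # placeholder (assumption)
REDIRECT_URI = "http://localhost:5000/signin-oidc"    # placeholder (assumption)
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 4.1: high-entropy, 43-128 unreserved chars. 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """RFC 7636 4.2: 'plain' sends the verifier itself; S256 sends BASE64URL(SHA256(verifier))."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def build_authorize_url(challenge: str, method: str, state: str) -> str:
    """Step 1: what the browser is sent to. The verifier itself never leaves the client here."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile User.Read",
        "state": state,                      # CSRF protection, separate from PKCE
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Step 2: form body POSTed to /token. Public client, so no client_secret; the verifier is the proof."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def token_request_headers(spa_client: bool) -> dict:
    """For SPA-type redirect URIs Azure AD's /token endpoint wants a CORS Origin header;
    a browser adds it itself, Postman does not, so add it by hand."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if spa_client:
        headers["Origin"] = "http://localhost:5000"   # placeholder origin (assumption)
    return headers


class SimulatedAuthServer:
    """Stand-in for the server side of PKCE (simulation, not Azure AD's implementation)."""

    def __init__(self):
        self._pending = {}   # code -> (challenge, method, client_id, redirect_uri)

    def authorize(self, client_id: str, redirect_uri: str, challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = (challenge, method, client_id, redirect_uri)
        return code

    def token(self, req: dict) -> dict:
        entry = self._pending.pop(req["code"], None)   # pop: a code is redeemable once
        if entry is None:
            return {"error": "invalid_grant", "error_description": "code unknown or already redeemed"}
        challenge, method, client_id, redirect_uri = entry
        if req["client_id"] != client_id or req["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant", "error_description": "client_id/redirect_uri mismatch"}
        expected = make_code_challenge(req["code_verifier"], method)
        if not secrets.compare_digest(expected, challenge):
            return {"error": "invalid_grant", "error_description": "code_verifier does not match code_challenge"}
        return {"token_type": "Bearer", "access_token": "simulated-access-token"}


def run_pkce_flow(method: str = "S256") -> dict:
    """Runs the three cases the description discusses: interception, legitimate redemption, replay."""
    server = SimulatedAuthServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    url = build_authorize_url(challenge, method, state=secrets.token_urlsafe(16))
    # Case 1: an app on the same redirect URI grabs the code but has no verifier.
    stolen_code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, method)
    interceptor = server.token(build_token_request(stolen_code, make_code_verifier()))
    # Case 2: the real client redeems its code with the matching verifier.
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, method)
    legit = server.token(build_token_request(code, verifier))
    # Case 3: the same code presented again is refused (single use).
    replay = server.token(build_token_request(code, verifier))
    return {"authorize_url": url, "interceptor": interceptor, "legit": legit, "replay": replay}


if __name__ == "__main__":
    for name, value in run_pkce_flow().items():
        print(f"{name}: {value}")
```

The interception case shows why the redirect leak in step 1 is tolerable: the code alone buys nothing without the verifier. The replay case shows the single-use rule from step 2, and token_request_headers(spa_client=True) is the Origin header that a Postman test against a SPA-type registration has to supply.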

Chapters
00:00 Introduction
00:47 Why PKCE Authorization Code flow needed
04:41 PKCE with Postman
13:05 Authorization Code Flow Testing With Postman

#azuread #PKCE #azureactivedirectory
