Enable AuthorizationCodeCredential for PublicClientApplication

[Jeadie]

• When using graph-rs-sdk for authentication a PublicClientApplication with AuthorizationCodeCredential, I ran into several issues.
• Only functional change is in impl TokenCredentialExecutor for AuthorizationCodeCredential's fn form_urlencode. We no longer check for a missing or empty client_secret, as per docs,'required for confidential web apps... Don't use the application secret in a native app or single page app because a client_secret can't be reliably stored on devices or web pages.' (see https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret).

[sreeise]

How are you expecting to use the AuthorizationCodeCredential in a spa application? You wouldn't make a normal post token request to get an access token. The access token would come on the redirect from login.

Are you saying this is an issue with refreshing tokens?

That warning is not saying don't use a client secret. Its saying dont use this flow in a spa application becuase of the client secret.

[sreeise]

@Jeadie I think I see what the issue is. You want to use a spa based public client via authorization code credential. Your access token and refresh token both come on the redirect. But your AuthorizationCodeCredential doesn't use a client secret in this type of flow. This would be the implicit flow but this has also been changed to be the Auth code flow with PKCE. Is this correct?

Can you please provide an description of what it is you are expecting to happen and the walk through of the flow your using exactly?

I think what your looking for is detailed here right? https://learn.microsoft.com/en-us/entra/identity-platform/reference-third-party-cookies-spas#overview-of-the-solution

[sreeise]

@Jeadie Take a look at #495

This adds a credential for Spa applications using a public client.

[Jeadie]

We're attempting to have users (running a tool locally), retrieve a AuthorizationCodeCredential via a redirect_url to a server running locally in the tool. Users cannot have access to a client_secret or equivalent.

[sreeise]

We're attempting to have users (running a tool locally), retrieve a AuthorizationCodeCredential via a redirect_url to a server running locally in the tool. Users cannot have access to a client_secret or equivalent.

Gotcha. Thanks for the response. I beleive #495 should solve this issue still. In that PR I made the PKCE required because thats what the auth flow says is required. But if its allowing you to do so without it I can make it optional. Let me know.

[sreeise]

Closing this out as the other work I mentioned got merged and I havn't heard anything back here. Let me know if there is an issue going forward.