SWA, custom identity provider and Authorization Code Flow with PKCE

[tlehton]

I have an SPA application with two identity providers configured. One is Azure AD and another proprietary OIDC provider.

• With AAD, the authentication works when I have "Implicit Flow" enabled in the app registration in AAD.
• However, the another OIDC provider requires clients to use PKCE, and returns an error callback to /.auth/login/provider/callback with an error_description=PKCE is mandatory.
• If I check the http request send to idp, there's no code_challenge etc. parameters sent.

Question that I have is that is PKCE supported by the SWA's built-in authentication?
Or should I try to enable implicit flow also on the another IDP?
Or should I use some custom authentication to handle PKCE in the application and disable SWA authentication completely?

[Penberthy-gossan]

You have the same problem with the Azure aadb2c which also requires PKCE, it begs believe that Azure folks aren't able to integrate their paid services despite claiming to through their documentation, this has been an open issue for over 2 years! Not sure if they lack the motivation or expertise to fix it but it doesn't look like they are going to fix it. Which is a slap in the face to all those who have upgraded there pricing plan to be able to use custom authentication.

Don't use implicit flow, it weakens the security of your solution, also it I tried it and it didn't fix the problem for me anyway.

I am considering other cloud providers, I mostly be an Azure guy and little bit AWS for the last 8 years, maybe ill give Google a try, at least they know how to implement OIDC properly, by the way AWS aren't any better with this stuff, think they must get bored half way through the RFCs or something and then think Hay I'm [Amazon / Microsoft] I don't have to follow other peoples standards i set the standards.