I’m trying to use OAuth 2.0 Authorization Code with PKCE flow in Postman and then in my flutter mobile application which will work on both Android and iOS systems. OAuth 2.0 is configured in Azure, on the application level.
I’m using myapp://logged-in redirect URL to read the access token from the callback. Because the redirect URL is configured for Mobile/Native platform, the application itself is set as public.
Unfortunately the authorization is not working. When I try to request the token with PKCE flow, I’m getting following error. It is casued by the public setting in the app registration.
Error: invalid_client, Description: AADSTS700025: Client is public so
neither ‘client_assertion’ nor ‘client_secret’ should be presented.
When I remove client_secret from the request, Postman throws
Error: invalid_request, Description: AADSTS900144: The request body
must contain the following parameter: ‘client_id’.
Based on the below articles:
https://stackoverflow.com/a/67097711/7586834
https://stackoverflow.com/a/63124656
I should be able to retrieve the token without passing the ClientSecret. For now, as workaround I’m using Implicit flow and it is working correctly. But since it is obsolete, I want to switch to newest flow. What/how should I change to make it working?
(manifest file from my app)
<intent-filter android:label="flutter_web_auth_2">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="myapp" />
</intent-filter>
Ps. I’m using flutter https://pub.dev/packages/flutter_web_auth_2 package.
You need to sign in to view this answers
Leave feedback about this