microsoft-authentication-library-for-go

[Feature Request] CreateAuthCodeURL - adding state & challenge

Open samueldominguez opened this issue 4 years ago • 2 comments

Is your feature request related to a problem? Please describe.

When using CreateAuthCodeURL I can't set a challenge or state, so I have to manually add it to the URL.

Describe the solution you'd like

Allow CreateAuthCodeURL to use a challenge, and set a custom state. You would get the code verifier back, to set it when you get a token from the auth code.

Describe alternatives you've considered

Manipulating the URL after it has been generated by CreateAuthCodeURL, but the functionality to generate the code verifier and so on is already present in the package, so why not do this automatically?

Additional context

N/A.

samueldominguez • Jun 19 '21 22:06

As I see it, this library is not supported by Microsoft? Why then recommend using only MSAL in the docs?

simonoff • Jun 07 '22 10:06

It has been a year and a half since this issue was created. I have the same request for allowing custom session_state and code_challenge.

  • Session State: In the current implementation, we can only get a random session_state from AAD. Allowing custom state in GenerateAuthCodeURL() provides feature parity with other MSAL libraries such as MSAL.js.

  • Code Challenge: If I understand correctly, MSAL for Golang does support PKCE when using the AcquireTokenBy...() methods, which completes the second half of the workflow. But there is no documentation/example/support on the first half.

    • Using CodeLogin as an example, the challenge must be set when generating the auth code URL, then verified in AcquireTokenByAuthCode(). The first part is missing in this library.

These should be essential for something to be used in production.

zc07 • Feb 24 '23 20:02