
EAR auth code fallback

Open tnorling opened this issue 2 months ago • 0 comments

This pull request introduces enhancements to the authentication flow to support fallback from Encrypted Authorize Response (EAR) to standard authorization code flow, working around lack of support for symmetric EAR in MSA.

Authentication flow fallback and PKCE improvements:

  • Updated PopupClient and SilentIframeClient to detect when the server does not support EAR and automatically fall back to the authorization code flow, passing the PKCE verifier as needed. This ensures authentication succeeds even if EAR is unsupported. [1] [2]
  • Refactored PKCE code generation and propagation: PKCE codes are now generated and passed through the EAR flow across all clients (PopupClient, RedirectClient, SilentIframeClient). The code challenge is included in requests and cached with the verifier for later use. [1] [2] [3] [4]

Protocol and test updates:

  • Modified the protocol logic in Authorize.ts to always include the PKCE code challenge in EAR requests as a backup, improving compatibility with servers that may not support EAR.
  • Updated protocol tests to verify that the code challenge and method are correctly included in authorization requests, ensuring test coverage for the new fallback and PKCE logic. [1] [2]

tnorling, Oct 23 '25 17:10