msal-react and the PKCE auth flow are incompatible with AzureAD App Proxy

[rayterrill]

Core Library

@azure/msal or msal

Wrapper Library

@azure/msal-react

Description

Work with the AzureAD App Proxy team to ensure the new PKCE/SPA flow works with AzureAD App Proxy. Currently these are not compatible because of the way App Proxy works and modifies authentication methods.

Source

External (Customer)

[jasonnutter]

@rayterrill Thanks for filing this issue. Can you please provide more details on what doesn't work? This is the first I'm hearing about incompatibility here.

cc: @hpsin

[rayterrill]

Here’s what the Authentication tab in App Registrations looks like for my app prior to adding AzureAD App Proxy. Note that the only “Platform” I have configured is the “Single-page application” platform:

Everything works great.

I go in and configure AzureAD App Proxy for my app, and Save it.

If I go back to the App Registration view of my app, it looks like AzureAD App Proxy has added a new “Web” platform to my app:

When I try to use the App Proxy (after setting up DNS), I get this error. This error occurs both internally (without hitting App Proxy) and externally (through App Proxy) because App Proxy has changed/added an auth method for my app. Note that at this point my app is broken both internally and externally.

Confirmed this AM with the AzureAD App Proxy team via email that these are currently incompatible and there's no ETA for resolution (via Ronnie Greenstein and Jasmine Betthauser @ Microsoft).

You are indeed correct - AppProxy does not support apps using this new flow as it does not work with the way AppProxy is currently integrated with AAD.

Created a User Voice issue to request this be supported: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/43106385-support-pkce-spa-auth-flow-with-azuread-app-proxy

Let me know what else I can add.

[rayterrill]

@jasonnutter I mostly wanted to add this as a note in case others run into this same scenario - this def took a while to track down what was happening.

[jasonnutter]

@rayterrill Great, thanks! I'll follow up internally and let you know if we can provide any additional guidance.

[rayterrill]

Thank you! Working with the library has been great!

[bsrchalam]

Been trying to get msal-angular to work with AzureAD AppProxy for weeks now with no luck and the same error. Hopefully this fix will resolve our issue too.

[rayterrill]

@bsrchalam That's exactly why I created this issue - banging my head against this and finally tracked it down. Was hoping to save others some time. ❤️