
Authentication towards custom app fails with *authorization code grant flow* #2127

Closed
danielniccoli opened this issue Jul 6, 2023 · 2 comments

Comments

@danielniccoli

Describe the bug

Authenticating towards a custom registered app with the authorization code grant flow fails with error code AADSTS7000218, while using the device authorization grant flow (-DeviceCode) is successful.

To Reproduce
Steps to reproduce the behavior:

  1. Execute Connect-MgGraph -ClientId $clientId -TenantId $tenantId -Scopes Mail.Send.Shared

  2. Authenticate interactively using the authorization code grant flow.

  3. The browser shows: "Authentication complete. You can return to the application. Feel free to close this browser tab."

  4. Return to the PowerShell window and find the error message (find text version below).
    [screenshot: the error message shown in the PowerShell window]

  5. Execute Connect-MgGraph -ClientId $clientId -TenantId $tenantId -Scopes Mail.Send.Shared -Device

  6. Authenticate interactively using the device authorization grant flow.
    [screenshot: device code sign-in prompt]

  7. Return to the PowerShell window and find that authentication was successful.
    [screenshot: successful Connect-MgGraph output]

Expected behavior
If the device code flow works, the auth code flow should work as well. They are virtually the same.

Module Version

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.0.0                 Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGrap…

Environment Data

PSVersion                      7.3.5
PSEdition                      Core
GitCommitId                    7.3.5
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context
The Azure Registered App is configured as follows:

[three screenshots of the app registration configuration in the Azure portal]

Error message:

Connect-MgGraph: InteractiveBrowserCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: REDACTED
Correlation ID: REDACTED
Timestamp: 2023-07-06 15:45:18Z
@ghost ghost added the ToTriage label Jul 6, 2023
@peombwa
Member

peombwa commented Jul 6, 2023

Thanks for following up on this.

The issue in this case is with the selected platform, web (web applications that run on a server), in Azure Portal. You'll need to specify the platform as mobile and desktop applications with a redirect URI of http://localhost. Alternatively, you can modify the app's manifest in Azure Portal by changing the replyUrlsWithType from web to InstalledClient:

	"replyUrlsWithType": [
		{
			"url": "http://localhost",
			"type": "InstalledClient"
		}
	],

PowerShell is considered a console app when it comes to auth.

See AzureAD/microsoft-authentication-library-for-dotnet#2039 and https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#configure-platform-settings for more details.
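
As an added example that is not part of this thread, the following PowerShell script checks an app registration for the misconfiguration peombwa describes (redirect URI registered only under the Web platform, nothing under Mobile and desktop) and can optionally add http://localhost as a public-client redirect URI. It uses the Microsoft.Graph.Applications cmdlets Get-MgApplication and Update-MgApplication; the -ClientId and -Fix parameters are my own and the caller is assumed to have Application.ReadWrite.All.

```powershell
# Added example: audit an app registration's redirect URI platform types.
# Assumes the Microsoft.Graph.Applications module is installed and the
# signed-in user may read/write application objects.
param(
    [Parameter(Mandatory)] [string] $ClientId,   # app (client) ID of the registration
    [switch] $Fix                                 # add http://localhost instead of only reporting
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$app = Get-MgApplication -Filter "appId eq '$ClientId'" -ErrorAction Stop
if (-not $app) { throw "No app registration found for appId $ClientId" }

$webUris    = @($app.Web.RedirectUris)
$publicUris = @($app.PublicClient.RedirectUris)

"Web (confidential client) redirect URIs:      $($webUris -join ', ')"
"Mobile and desktop (public client) redirect URIs: $($publicUris -join ', ')"

# A console app running the authorization code flow is a public client. If its
# redirect URI exists only under the Web platform, the token endpoint treats the
# app as confidential and requires client_secret/client_assertion (AADSTS7000218).
if ($publicUris -notcontains 'http://localhost') {
    Write-Warning 'http://localhost is not registered under Mobile and desktop applications.'
    # Adding a client secret to make the error go away is the wrong fix: a secret
    # embedded in a script on a user's workstation cannot be kept confidential.
    if ($Fix) {
        Update-MgApplication -ApplicationId $app.Id `
            -PublicClient @{ RedirectUris = @($publicUris + 'http://localhost') }
        'Added http://localhost under Mobile and desktop applications.'
    }
}
else {
    'Public-client redirect URI present; the authorization code flow should work.'
}
```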

@danielniccoli
Author

Hi @peombwa, I also tried that, but I have only used https://login.microsoftonline.com/common/oauth2/nativeclient as the redirect URL, not http://localhost. It was not easy finding the correct documentation about that, so thanks for pointing it out to me. We got the app working now!
