How to fix AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.

Gowtham V 0 Reputation points
2024-03-21T12:27:48.6833333+00:00

Hi all,

I'm trying to add an OAuth profile for my work purpose. When I'm adding it, I provided all the required field information from my Azure account. While selecting the redirect URI under Web, the code being sent from Azure is 1350 in length but the code length limit set by my redirect URI provider is 1024 only, so I was not able to use the Web platform. Whereas when I configure the same redirect URI as a SPA, the authentication takes me to the sign-in page; once I sign in I get the error message

"Sorry, but we’re having trouble signing you in.

AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption."

So I cannot use the Web platform, so if anyone has any fix for using SPA, I would really appreciate it.

Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2024-03-22T22:44:28.7733333+00:00

    Hi @Gowtham V , this error indicates that the authorization code was issued for a different client ID than the one used to redeem it. This can happen when the client ID or redirect URI is not configured correctly.

    To fix this issue, you can try the following steps:

    1. Make sure that the client ID and redirect URI in your application registration match the ones used in your code.
    2. Ensure that the redirect URI is correctly configured in your application registration. The redirect URI must match the URI used in your code exactly, including the scheme, host, and port.
    3. If you are using a SPA, make sure that you have configured the correct redirect URI for your SPA in your application registration. The redirect URI for a SPA should be the URL of the SPA itself, not a server-side endpoint.
    4. If you are using a SPA, you may need to use the Proof Key for Code Exchange (PKCE) flow instead of the standard authorization code flow. PKCE is a security feature that helps prevent authorization code interception attacks. To use PKCE, you will need to modify your code to include a code verifier and a code challenge in the authorization request.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
