Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,101 questions
SPA app WITH nodejs backend auth code flow not supported?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 63%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Dean Hiller
0
Reputation points
We have an SPA with nodejs backend and I see loginRedirect() is for backend to get code and on backend get the access tokens on the server (PERFECT except the full page redirect using an SPA is bad).
We then move to loginPopup() but this gives all the tokens and we just want the auth code. Is there no method of doing SPA & nodejs with loginPopup auth code flow at all?
All examples are SPA no backend or nodejs in old app that does redirects taking the user away form the SPA(this is bad - don't want to load everything again).
closest post I found but not really same: https://learn.microsoft.com/en-us/answers/questions/2154027/can-spa-app-with-backend-exchange-the-auth-code-fo
Things to a turn for the worse. I thought ok, JWT is standard so I take the accessToken from the loginPopup and send to back end. My backend grabs the public signing key and verifies the accessotken and it FAILS. I cut/paste the accesstoken from the following code into jwt.io and it fails for them too!!!! Why are microsoft JWT's not JWTs?
const response = await this.msClient.loginPopup({
scopes: ["openid", "profile", "User.Read", "api://biltup.com/BiltupLogin"],
});
console.log(`json response from microsoft=${JSON.stringify(response)}`);
console.log(`access token=${response.accessToken}`);
For example, here is an EXPIRED token of my test user that is NOT VALID on jwt.io while all google.com tokens and other providers are
accessToken -
eyJ0eXAiOiJKV1QiLCJub25jZSI6IjBrT2FRWkhrNHB4MHNDZ2ZhMFpaR3h2V1FBZU1pNllyZ293S0JSbzhIQm8iLCJhbGciOiJSUzI1NiIsIng1dCI6IkpETmFfNGk0cjdGZ2lnTDNzSElsSTN4Vi1JVSIsImtpZCI6IkpETmFfNGk0cjdGZ2lnTDNzSElsSTN4Vi1JVSJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8yMmE2YjYxZS1jN2UwLTQzOTMtYmRmZS1jZTMxN2RiYzA5NjgvIiwiaWF0IjoxNzQzMDAwNDIwLCJuYmYiOjE3NDMwMDA0MjAsImV4cCI6MTc0MzAwNTI1OCwiYWNjdCI6MCwiYWNyIjoiMSIsImFjcnMiOlsicDEiXSwiYWlvIjoiQVpRQWEvOFpBQUFBK20ybjZVamh1WDBGeWJiRyt0NmhWYVRSOEE5aU8yU1o4WTVLSi9HbEwvczVTK0JRWVRaaEkvL2FuNG9VbnBQOTF0SVpuWHdCZjVQR0QrUlE3VUJJdm9DZURSMmFRSGdZcUxZYWthMmU3SUZuZVoyL1pDVDRia0N4YXAyR3J4TUxrQ1hPTnF0eVJaV3dsWFNRR1dCOTYwWjQydWFYZExGME90RzVabGNVc2RNRXU4YktqdWk2L3FoOVc1VFBraDE4IiwiYWx0c2VjaWQiOiIxOmxpdmUuY29tOjAwMDM3RkZGOTMyMkQ5NUIiLCJhbXIiOlsicHdkIiwibWZhIl0sImFwcF9kaXNwbGF5bmFtZSI6ImJpbHR1cC1kZXYtY2xvdWQiLCJhcHBpZCI6IjhjNGQ4ZGVmLWNmNTQtNDI4YS04ZWMzLWIwNGU1Y2I4ZmZmYyIsImFwcGlkYWNyIjoiMCIsImVtYWlsIjoiZGVhbkBiaWx0dXAuY29tIiwiZmFtaWx5X25hbWUiOiJIaWxsZXIiLCJnaXZlbl9uYW1lIjoiRGVhbiIsImlkcCI6ImxpdmUuY29tIiwiaWR0eXAiOiJ1c2VyIiwiaXBhZGRyIjoiOTMuMTc1LjIwMS4yNDgiLCJuYW1lIjoiRGVhbiBIaWxsZXIiLCJvaWQiOiI2ZGQxOGZkNC04OGJiLTRiNDctYjI4OC02NTc3NmI3M2VkNjAiLCJwbGF0ZiI6IjUiLCJwdWlkIjoiMTAwMzIwMDQ2RjA4RDJEOSIsInJoIjoiMS5BV01CSHJhbUl1REhrME85X3M0eGZid0phQU1BQUFBQUFBQUF3QUFBQUFBQUFBRElBWkJqQVEuIiwic2NwIjoib3BlbmlkIHByb2ZpbGUgVXNlci5SZWFkIGVtYWlsIiwic2lkIjoiMDAzMTc4MjktZjZjNi04YzAyLWM4OWItNDNhNjdhZWJjMjc0Iiwic2lnbmluX3N0YXRlIjpbImttc2kiXSwic3ViIjoiZzRSQk5nZTNFUXptdnBzc1BXbzVWNlhrRjdpRHd3SVJPY09TdnZHcS01QSIsInRlbmFudF9yZWdpb25fc2NvcGUiOiJOQSIsInRpZCI6IjIyYTZiNjFlLWM3ZTAtNDM5My1iZGZlLWNlMzE3ZGJjMDk2OCIsInVuaXF1ZV9uYW1lIjoibGl2ZS5jb20jZGVhbkBiaWx0dXAuY29tIiwidXRpIjoiZG5QM1A1dnZHa0NVSHlWcWVwRXVBZyIsInZlciI6IjEuMCIsIndpZHMiOlsiNjJlOTAzOTQtNjlmNS00MjM3LTkxOTAtMDEyMTc3MTQ1ZTEwIiwiYjc5ZmJmNGQtM2VmOS00Njg5LTgxNDMtNzZiMTk0ZTg1NTA5Il0sInhtc19mdGQiOiIwNnZENEZObzhheEZvbmFRbXNLX1FVZ3NUOEoya3hkYWo3aFIzXy1qN3NBIiwieG1zX2lkcmVsIjoiMjQgMSIsInhtc19zdCI6eyJzdWIiOiItRFdSMlQyVU1wSG5IdzRjQTJzWWM4UzBKNVhaNVJQekRwMVUxTnNaYW04In0sInhtc190Y2R0IjoxNzQyNTQwMTU0fQ.Uk_5KTaaBGx_iW32N4SSxeTyJbfwXaFx43gfYHgg-7G7vge3uWf24MGTIFUFr0exslaa2qPGNS9K5fTZTYKBFzNRl2NUvZZU0EC7bHeeCrwd93aWtiZ_DGd-uGmObJGJjHelRw-R_qhrzjHeAIn224uJCHI-j8WsO4PYA0bhUUzNgrCmrRuYqHWfVZNkiK_CVSJQfbJVrB736GTHEkC9TZTcuTGDRBQuXgjb-dOpy8HgOyV2xBeJK-1AqeY6P4oUIArjVXCsEtk8Chc_FW0l-Y9KVOOQo6iVbMSHNWf9AXa_ih0hiZnpd9m3nXqj-y7IBFtXreUxLupIcXNcWTg-Rw
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sakshi Devkante 2,830 Reputation points Microsoft External StaffApr 1, 2025, 6:03 PM Hello Dean Hiller,
I wanted to let you know that I am currently looking into possible solutions for the issue you raised. I will make sure to keep you updated and get back to you as soon as I have more information or a resolution.
-
Sakshi Devkante 2,830 Reputation points Microsoft External Staff
Apr 2, 2025, 3:07 PM Hello Dean Hiller,
Based on the access token provided in the post you mentioned, it verifies the access token, but it FAILS. Since you are using a personal (live) account, you have two options:
If you're using a personal account, it's recommended to use OAuth 2.0.
Alternatively, try using a work or school account with the same setup, which should successfully verify the access token.
If you want to continue using your personal account, you can make some changes in your tenant. For example, with SPA, you can create an API app registration with the same details, expose an API as a scope in the API application, and then add the scope as a permission in the SPA. This will work as expected with a personal account.
Here are the steps I followed in my tenant:
I created two applications with identical details: one for SPA and another for the API, both in Entra ID -> App Registration.
In the API application, I exposed the API as a scope (as shown in the image below).
In the SPA, I added the API permission as "JWT client with exposed API" which was created in Entra ID.
I hope this clarifies things.
-
Sakshi Devkante 2,830 Reputation points Microsoft External Staff
Apr 4, 2025, 8:38 AM Hello Dean Hiller,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others.
-
Sakshi Devkante 2,830 Reputation points Microsoft External Staff
Apr 7, 2025, 9:56 AM Hello Dean Hiller,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others.
-
Dean Hiller 0 Reputation points
Apr 9, 2025, 5:38 AM I ended up doing the redirect flow. MS doesn't have a way for SPA + backend like google does with website gets token, gives to server and server exchanges for token so instead I had to do a redirect from SPA to MS and MS to SPA (which is annoying as has to reload entire SPA). There is no other method than that or the other way is SPA to MS but this exposes the MS the offline token in the website which is very very bad and never desired. exposing a 1 hour is fine. so MS had no way for us to keep that offline token secure without the redirect flow :( .
Sign in to comment
Sign in to answer