Can SPA app with backend exchange the auth code for access token on the backend?

Peter Dräxler 0 Reputation points
2025-02-04T04:45:24.0366667+00:00

My use case is fairly common: an SPA app with tightly coupled backend app to access data. I want to authenticate using Microsoft Entra ID.

I wanted to use the following auth flow:

  1. User is redirected to Microsoft's page to sign in
  2. Frontend receives the authorization_code and sends it to backend via API
  3. Backend exchanges the authorization_code for auth_token and sends it to the browser
  4. Browser sends auth_token in Authorization HTTP header with all following requests to the backend. Backend validates it and identifies the user based on it.

It seems to me to be a simple and secure flow which:

  • is better than backend-for-frontend, as it provides CSRF protection, since the attacker can't put a valid JWT in the Authorization header
  • is better than exchanging authorization_code for auth_token in the SPA app because the backend app
    • can hold a client secret, making it a bit more secure
    • must provide its user profile to the frontend, and I don't see a reason to do it in a separate request

However, I haven't found this flow described in the Application Types docs and I am wary of inventing auth flows on my own.

Are there any issues with it? Why is it not a standard flow?
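One way the backend half of steps 2 and 3 above can be written, as an added example that is not part of the original post or of Microsoft's own libraries. The tenant id, client id, secret, redirect URI and the API scope name are placeholders, and the HTTP transport is injectable so the sample runs offline against a constructed token-endpoint reply.

```python
import json, urllib.parse, urllib.request
from typing import Callable, Optional
# Placeholders for the backend's app registration (assumed, not from the post).
TENANT_ID = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # held by the backend only, never sent to the SPA
# Must equal the redirect_uri the SPA used to start the flow, registered under the "Web"
# platform of the app registration so that a confidential client may redeem the code.
REDIRECT_URI = "https://app.example.test/auth/callback"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
# Assumed scope of the backend's own API: the step-4 token must name the backend as
# audience (a Graph token would not be valid for it).
API_SCOPE = f"api://{CLIENT_ID}/access_as_user"

def build_exchange_form(code: str, code_verifier: Optional[str] = None) -> dict:
    """Form body of the authorization_code grant the backend sends (step 3)."""
    form = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code,
            "redirect_uri": REDIRECT_URI, "scope": f"openid profile {API_SCOPE}"}
    if code_verifier:  # SPA started the flow with PKCE: its verifier must travel with the code
        form["code_verifier"] = code_verifier
    return form

def exchange_code(code: str, code_verifier: Optional[str] = None,
                  post: Optional[Callable[[str, dict], dict]] = None) -> dict:
    """Redeem the code and return only what the browser should hold for step 4."""
    resp = (post or _http_post_form)(TOKEN_URL, build_exchange_form(code, code_verifier))
    if "error" in resp:  # e.g. invalid_grant for an expired or already-used code
        raise PermissionError(f"{resp['error']}: {resp.get('error_description', '')}")
    # refresh_token is kept server-side or discarded, and id_token is read here for the
    # user profile the question mentions: neither is handed to the browser.
    return {"access_token": resp["access_token"],
            "token_type": resp.get("token_type", "Bearer"),
            "expires_in": int(resp["expires_in"])}

def _http_post_form(url: str, form: dict) -> dict:
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as r:
        return json.load(r)

# Constructed token-endpoint reply and transport stand-in so the sample runs offline.
FAKE_REPLY = {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.constructed.at",
              "refresh_token": "0.constructed.rt", "id_token": "eyJ.constructed.idt"}
_REDEEMED: set = set()

def fake_post(url: str, form: dict) -> dict:
    """Honours one constructed code, and only once: authorization codes are single-use."""
    if form["code"] != "constructed-code" or form["code"] in _REDEEMED:
        return {"error": "invalid_grant", "error_description": "code invalid or already redeemed"}
    _REDEEMED.add(form["code"])
    return dict(FAKE_REPLY)
```

The access token handed back still has to be validated on every step-4 request (signature, issuer, audience, expiry) before the backend trusts the user it names.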

Microsoft Entra ID

1 answer

  1. Kancharla Saiteja 310 Reputation points Microsoft Vendor
    2025-02-05T07:11:56.8266667+00:00

    Hi Peter Dräxler,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your query, I understand that you would like to know why the implementation of the CSRF protection is not listed in this document.

    CSRF protection is an enhanced security feature that is currently implemented with ASP.NET Core. This implementation is completely different from that of the Microsoft-built platforms (Microsoft-built identity platforms). The application types mentioned in the documents are supported by the Microsoft identity platform and can be configured from Azure App registrations.

    CSRF protection for tokens can be implemented using an ASP.NET Core application, which can be created using this document. Once you have configured the app using the above steps, you can follow this document to implement the CSRF protection.

    Currently, you cannot directly implement this configuration from Azure App registration, as it is yet to be implemented and supported by Microsoft Entra ID directly. But the suggestion you have made would help others as well to make their security more robust in terms of tokens. I would like to request that you provide your feedback using this link: https://feedbackportal.microsoft.com/feedback/forum/ab3ad59e-6dd1-ec11-a7b5-0022481f35a4

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

