AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.

The error message “AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption” is returned when a client tries to redeem an authorization code from a different origin without presenting a proof key. The error is tied to the Proof Key for Code Exchange (PKCE) mechanism that Azure Active Directory (AAD) enforces to protect against authorization code interception attacks.

PKCE is a technique used to secure authorization code flow in OAuth 2.0. When a client application initiates the authorization code flow, it creates a random code verifier and a code challenge derived from it. The code verifier is retained by the client, while the code challenge is sent in the authorization request to the authorization server (AAD). Once the user grants access, the authorization server returns an authorization code to the redirect URI specified by the client.

To complete the code exchange, the client needs to present the authorization code along with the original code verifier. This ensures that the client that initiated the authorization code flow is the one exchanging the code for tokens, even if the code was intercepted during transmission. The proof of possession of the code verifier adds an extra layer of security.

In the case of cross-origin code redemption, the client application tries to exchange the authorization code at a different origin (usually a different domain) from the one that received it. Because the code was obtained from a different origin, the request must carry a proof key for code exchange: the code challenge sent in the original authorization request, matched at redemption by the code verifier it was derived from, as described above.

Here is an example of how to include the proof key for code exchange using PKCE in an authorization request (the query string is wrapped across lines for readability):

    GET /authorize?client_id=YOUR_CLIENT_ID
        &response_type=code
        &redirect_uri=YOUR_REDIRECT_URI
        &code_challenge=YOUR_CODE_CHALLENGE
        &code_challenge_method=S256
        &state=YOUR_STATE HTTP/1.1
    Host: login.microsoftonline.com

In the above example, YOUR_CODE_CHALLENGE should be replaced with the base64url-encoded (unpadded) SHA-256 hash of the randomly generated code verifier, since `code_challenge_method=S256` is used; the verifier itself stays on the client until the token request.
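The following Python script is an added example, not code from the original page or from Microsoft: it walks through the PKCE steps described above (generate a code verifier, derive the S256 challenge, build the authorization request, then present the verifier at redemption) and includes a simplified model of the check an authorization server performs when it redeems the code. The endpoint URL, client id, redirect URI and the `server_validate_redemption` function are assumptions for illustration; AAD's real implementation is not shown here.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Illustrative values only; replace with your own app registration (hypothetical).
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://example.invalid/auth/callback"
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random, high-entropy verifier; 32 bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization request: the challenge goes out, the verifier stays home."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def build_token_request(code: str, verifier: Optional[str]) -> Dict[str, str]:
    """Token request body; omitting code_verifier is exactly the mistake behind AADSTS9002325."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }
    if verifier is not None:
        body["code_verifier"] = verifier
    return body


def server_validate_redemption(stored_challenge: str, stored_method: str,
                               token_request: Dict[str, str]) -> Tuple[bool, str]:
    """Simplified model (assumption) of the server-side PKCE check at code redemption.

    The server remembered the challenge it saw in the authorization request and
    now recomputes it from the verifier presented with the code.
    """
    verifier = token_request.get("code_verifier")
    if verifier is None:
        return False, "code_verifier missing: proof key is required for redemption"
    if stored_method != "S256":
        return False, "unsupported code_challenge_method"
    expected = make_code_challenge(verifier)
    # Constant-time comparison avoids leaking how many characters matched.
    if not secrets.compare_digest(expected, stored_challenge):
        return False, "code_verifier does not match the stored code_challenge"
    return True, "ok"


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("authorize:", build_authorize_url(challenge, state=secrets.token_urlsafe(16)))

    # Constructed placeholder for the code returned to the redirect URI.
    code = "CONSTRUCTED_AUTH_CODE"
    print("without verifier:", server_validate_redemption(challenge, "S256", build_token_request(code, None)))
    print("with verifier:   ", server_validate_redemption(challenge, "S256", build_token_request(code, verifier)))
```

Run as-is, the first redemption attempt is refused because no `code_verifier` accompanies the code, which mirrors the condition behind the error on this page; the second succeeds because the recomputed S256 challenge matches the one seen at authorization. An attacker who intercepted only the code would be in the first position.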

Including the proof key for code exchange based on PKCE in the authorization request will ensure a secure code redemption process even when the client application is attempting to redeem the authorization code from a different origin.
