Azure OAuth PKCE Error with Single-Tenant Configuration
Hi Supabase team, I'm getting a PKCE error with Azure OAuth and need clarification on the supported configuration. Error:
My Configuration:

Azure AD:
Supported account types: Accounts in this organizational directory only (single-tenant)
Platform: Single-page application (SPA) with redirect URIs
When using SPA platform, Microsoft requires PKCE for authorization code flow

Supabase:
Azure Tenant URL: https://login.microsoftonline.com/<tenant-id>
Client configured with flowType: "pkce"
Scopes: openid email profile

Does Supabase Auth support Azure apps configured as SPA platform? The documentation mentions configuring tenant URLs for single-tenant apps but doesn't explicitly state whether SPA platform (which requires PKCE) is supported. Should I:
Keep SPA platform - is there additional configuration needed for Supabase to send PKCE parameters to Microsoft?
Switch to Web platform - does Supabase Auth only support the Web platform configuration for Azure OAuth? (Would rather not do that)

The error occurs at the /callback endpoint, suggesting Supabase's OAuth flow isn't sending the PKCE parameters that Microsoft's SPA platform requires. Thanks for clarifying!
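
For readers diagnosing the same symptom, this is an added example (not part of the original post and not Supabase or Microsoft code) of the PKCE parameters the post refers to, as defined in RFC 7636, with a check that reports whether an authorization request URL copied from the browser's network tab carries them. All function names are hypothetical, and the sample URL with its TENANT_ID and CLIENT_ID placeholders is constructed.

```javascript
const crypto = require("node:crypto");

const UNRESERVED = /^[A-Za-z0-9\-._~]{43,128}$/; // RFC 7636 length and alphabet

// code_verifier: 32 random bytes, base64url-encoded to 43 characters.
function makeVerifier() {
  return crypto.randomBytes(32).toString("base64url");
}

// S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), unpadded.
function challengeFor(verifier) {
  if (!UNRESERVED.test(verifier)) {
    throw new Error("code_verifier must be 43-128 unreserved characters");
  }
  return crypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Report which PKCE parameters an authorization request URL carries.
function inspectAuthorizeUrl(url) {
  const q = new URL(url).searchParams;
  const challenge = q.get("code_challenge");
  // RFC 7636: an absent code_challenge_method means "plain".
  const method = challenge ? q.get("code_challenge_method") || "plain" : null;
  const problems = [];
  if (!challenge) problems.push("code_challenge missing");
  else if (!UNRESERVED.test(challenge)) problems.push("code_challenge malformed");
  if (challenge && method !== "S256") problems.push("code_challenge_method is not S256");
  return { ok: problems.length === 0, method, problems };
}

// Token step: the verifier sent with the code must hash to the stored challenge.
function verifierMatches(verifier, storedChallenge) {
  const a = Buffer.from(challengeFor(verifier));
  const b = Buffer.from(String(storedChallenge));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed authorize URL; TENANT_ID and CLIENT_ID are placeholders.
function sampleAuthorizeUrl(challenge) {
  const u = new URL("https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize");
  u.search = new URLSearchParams({
    client_id: "CLIENT_ID", response_type: "code", scope: "openid email profile",
  }).toString();
  if (challenge) {
    u.searchParams.set("code_challenge", challenge);
    u.searchParams.set("code_challenge_method", "S256");
  }
  return u.toString();
}
```

Running `inspectAuthorizeUrl` on the request that actually reaches the identity provider shows which leg of the flow carries a challenge, which is the fact the question turns on.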