Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
1.2k views
in Technique[技术] by (71.8m points)

oauth 2.0 - Azure AD: code flow with PKCE: id_token is not enabled for the application

I'm trying to integrate a React single-page app (SPA) with Azure AD. I'm following the docs (e.g. scenario) and using the samples from react-aad-msal to see if things work at a basic level.

But, I get the following error when attempting to reach the Microsoft login page:

AADSTS700054: response_type 'id_token' is not enabled for the application.

Now, the docs are pretty clear that for SPAs, auth code flow with PKCE is the way to go, and you shouldn't use the implicit grant flow because it's insecure. This means that existing answers to similar questions (such as this one or this other one), which suggest blindly turning on a setting for the implicit flow, are inadequate.

Is it possible to enable login (ID tokens) and API access (access tokens) for an SPA without using the implicit flow?

(I'm not sure yet, but it's also possible that react-aad-msal is using the implicit flow. I haven't found any setting that tells it which flow to use.)


1 Reply

0 votes
by (71.8m points)

react-aad-msal actually doesn't state which version of MSAL it's using. Right now there are 2 versions:

  • MSAL 1.x supports only the implicit flow.
  • MSAL 2.0 supports auth code flow with PKCE.

The package.json file for react-aad-msal's JavaScript sample is clearly using MSAL 1.x:

    "msal": "^1.2.0",

So that's my problem right there. Implicit flow. Can't use react-aad-msal for auth code flow with PKCE.
