[Identity] [InteractiveBrowserCredential] [Node] Enable PKCE

sdk/identity/identity/CHANGELOG.md

@@ -21,6 +21,7 @@
 - `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
 - `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
 - Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
+- Enabled PKCE on `InteractiveBrowserCredential` for Node.js. [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) is a security feature that mitigates authentication code interception attacks.
 
 ### Breaking changes from 2.0.0-beta.1
 

sdk/identity/identity/src/credentials/interactiveBrowserCredential.ts

@@ -85,6 +85,9 @@ export class InteractiveBrowserCredential implements TokenCredential {
    *
    * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
    *
+   * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+   * PKCE is a security feature that mitigates authentication code interception attacks.
+   *
    * @param scopes - The list of scopes for which the token will have access.
    * @param options - The options used to configure any requests this
    *                  TokenCredential implementation might make.

sdk/identity/identity/src/msal/nodeFlows/msalOpenBrowser.ts

@@ -84,7 +84,8 @@ export class MsalOpenBrowser extends MsalNode {
         const tokenRequest: msalNode.AuthorizationCodeRequest = {
           code: url.searchParams.get("code")!,
           redirectUri: this.redirectUri,
-          scopes: scopes
+          scopes: scopes,
+          codeVerifier: this.pkceCodes?.verifier
         };
 
         this.acquireTokenByCode(tokenRequest)
@@ -182,10 +183,22 @@ export class MsalOpenBrowser extends MsalNode {
     });
   }
 
+  private pkceCodes?: {
+    verifier: string;
+    challenge: string;
+  };
+
   private async openAuthCodeUrl(scopeArray: string[]): Promise<void> {
+    // Initialize CryptoProvider instance
+    const cryptoProvider = new msalNode.CryptoProvider();
+    // Generate PKCE Codes before starting the authorization flow
+    this.pkceCodes = await cryptoProvider.generatePkceCodes();
+
     const authCodeUrlParameters: msalNode.AuthorizationUrlRequest = {
       scopes: scopeArray,
-      redirectUri: this.redirectUri
+      redirectUri: this.redirectUri,
+      codeChallenge: this.pkceCodes.challenge,
+      codeChallengeMethod: "S256" // Use SHA256 Algorithm
     };
 
     const response = await this.publicApp!.getAuthCodeUrl(authCodeUrlParameters);