Scanning SPA using Microsoft Azure AD B2C Authorization Code Grant flow


Colby Crossley

Oct 22, 2024, 8:41:49 PM
to ZAP User Group
I'm trying to scan a Single Page Application using Microsoft Azure AD B2C authorization code grant flow and ZAP is just getting stuck in a loop between the SPA endpoint and Azure AD B2C. I have tried the authentication tester tool and all checks pass. Does anyone have suggestions on how to setup ZAP to work with this authorization code flow?

Simon Bennetts

Oct 24, 2024, 11:50:13 AM
to ZAP User Group
How have you been using ZAP, and exactly what have you configured it to do?

Cheers,

Simon

Colby Crossley

Oct 24, 2024, 3:42:12 PM
to ZAP User Group
I used the ZAP authentication tester, which indicates status passed. ZAP is not sending the bearer token as an authorization header in subsequent requests, and I suspect this is because it's not detecting the access_token from Azure AD B2C's OAuth 2.0 authorization code flow.

Is anyone successfully using ZAP with OAuth 2.0 authorization code flow?

Simon Bennetts

Oct 25, 2024, 4:35:34 AM
to ZAP User Group
Authentication Auto-detection configures ZAP authentication.
You can change that configuration, e.g. to configure it to add the authorization header.
Try doing that.

If you get it working and you think it's a generic solution then please let us know and we'll document it.

Cheers,

Simon
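Simon's reply above says to change the authentication configuration so that ZAP adds the Authorization header itself. The following is an added example, not code from the thread or from the ZAP project, of one generic way to do that from outside ZAP: read the access_token out of the JSON that the Azure AD B2C token endpoint returns at the end of the authorization code flow, check when it expires, and hand it to ZAP as a Replacer rule that sets `Authorization: Bearer <token>` on every request ZAP sends. The token response and the JWT inside it are constructed samples (the signature segment is a placeholder and is never verified; the claims are only decoded so the tester knows how long the token is usable). The `zap.replacer.add_rule(...)` call assumes the python-owasp-zap-v2.4 client (`zapv2`) and a running ZAP instance; `install_rule` takes the client as a parameter so the rest of the module runs offline.

```python
"""Turn an Azure AD B2C token-endpoint response into a ZAP Replacer rule.

Added example, not part of the ZAP project. Assumes the Replacer add-on
and, for install_rule(), a zapv2.ZAPv2 client pointed at a running ZAP.
"""
import base64
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: Dict[str, Any]) -> str:
    """Build a constructed, UNSIGNED JWT for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"  # constructed sample


# Constructed sample of the JSON B2C returns from /oauth2/v2.0/token
# after the SPA redeems the authorization code.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "https://example.onmicrosoft.com/api/read",  # assumed scope
    "access_token": make_sample_jwt(
        {"aud": "api://example-api", "scp": "read", "exp": 1_800_000_000}),
    "id_token": make_sample_jwt({"aud": "example-client-id", "exp": 1_800_000_000}),
})


def extract_bearer_token(token_response_json: str) -> str:
    """Return the access_token, refusing anything that is not a bearer token."""
    data = json.loads(token_response_json)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("token_type is not Bearer: %r" % data.get("token_type"))
    token = data.get("access_token")
    if not token:
        raise ValueError("no access_token in token response")
    return token


def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> int:
    """Seconds left before the token's exp claim; negative once it has expired."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token has no exp claim")
    now = time.time() if now is None else now
    return int(exp - now)


def replacer_rule_for_bearer(token: str) -> Dict[str, Any]:
    """Replacer rule: with REQ_HEADER the header is set, or added if absent."""
    return {
        "description": "B2C bearer token for the SPA's API",
        "enabled": True,
        "matchtype": "REQ_HEADER",
        "matchregex": False,
        "matchstring": "Authorization",
        "replacement": "Bearer " + token,
        "initiators": None,  # None = apply to every ZAP initiator (spider, scanner, proxy)
    }


def install_rule(zap: Any, rule: Dict[str, Any]) -> Any:
    """Push the rule into ZAP. `zap` is a zapv2.ZAPv2 client (assumed API)."""
    return zap.replacer.add_rule(**rule)


if __name__ == "__main__":
    tok = extract_bearer_token(SAMPLE_TOKEN_RESPONSE)
    print("expires in", seconds_until_expiry(tok), "s")
    print(json.dumps(replacer_rule_for_bearer(tok), indent=2))
    # To apply for real (assumed client; not run here):
    #   from zapv2 import ZAPv2
    #   install_rule(ZAPv2(apikey="...", proxies={...}), replacer_rule_for_bearer(tok))
```

Re-run `install_rule` with a fresh token before `seconds_until_expiry` reaches zero, otherwise a long scan will silently degrade into 401 responses once the token expires; the check exists so that can be scripted rather than noticed after the fact.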