Conversation
| // configuration parameters are located at authConfig.js | ||
| const myMSALObj = new msal.PublicClientApplication(msalConfig); | ||
|
|
||
| myMSALObj.initialize().then(() => { |
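Review bot: On the last line, `myMSALObj.initialize().then(() => {` starts initialization but does not keep the returned promise, so any handler defined outside this callback has nothing to await before it calls `myMSALObj`. Consider storing the promise (for example `const msalReady = myMSALObj.initialize();`) and awaiting it at the top of each handler that uses the client, or registering the handlers only inside the callback.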
Is this the correct copy/paste from the redirect changes to support popup?
Yes it is, this is how it is also done in 1-Authorization/0-call-api-vanillajs/App/public/authPopup.js
Pretty sure this isn't needed for popup flows. @sameerag are the samples in the MSAL.js repo all correct? If so we might need a pass at the azure samples as well.
Just tested it now for popup without initializing and the error is:
authPopup.js:84 BrowserAuthError: uninitialized_public_client_application: You must call and await the initialize function before attempting to call any other MSAL API. For more visit: aka.ms/msaljs/browser-errors
at gi (msal-browser.min.js:69:17422)
at Ea (msal-browser.min.js:69:22240)
at Ra (msal-browser.min.js:69:22277)
at js (msal-browser.min.js:69:125646)
at Vs.acquireTokenPopup (msal-browser.min.js:69:132964)
at Vs.loginPopup (msal-browser.min.js:69:145094)
at tc.loginPopup (msal-browser.min.js:69:162444)
at signIn (authPopup.js:81:15)
at HTMLButtonElement.onclick ((index):23:92)
We need initialize() for any 2.x usage. Which MSAL version is in use here?
On a closer look, if you want to avoid initialize() call, please use createPublicClientApplication() instead. Docs here
And for the original q, for only popup we do not need handleRedirectPromise() at all. We add that for redirect APIs, on page load to check if this is a reload after an auth request. Our samples traditionally support all APIs, including popup and redirect in the same file, hence we probably have this as a template code in our browser samples.
If you are separating it, please get rid of any handleRedirectPromise() reference and recommend using createPublicClientApplication() so you can also avoid the initialize() call.
The versions of msal-browser are 3.16.0 and 3.17.0 for the 1-authorization & 2-Authorization vanilla js apps respectively.
I don't have a preference. My main goal is the security vulnerabilities so I aligned the implementation with what was there previously. Would you like me to avoid the initialize() call?
I would recommend using createPublicClientApplication() as a pattern, we are moving towards it and will deprecate new PublicClientApplication() potentially in 4.x.
And as for handleRedirectPromise() you will not need it if it is only popUp.
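The popup-only pattern recommended in this thread, as an added example that is not code from this PR or from the MSAL samples: the client comes from the static `createPublicClientApplication()` factory, there is no `handleRedirectPromise()`, and every handler awaits one shared client promise so a click cannot reach MSAL before initialization has finished. The names `createPopupAuth`, `getClient`, `signIn` and `getToken` are chosen for this example, `msalLib` stands for the msal-browser 3.x `msal` global, and the silent-then-popup token fallback goes one step beyond what the thread discusses.

```javascript
// Added example, not code from this PR. `msalLib` is assumed to be the
// msal-browser 3.x global (`msal`); `config` is msalConfig from authConfig.js.
function createPopupAuth(msalLib, config) {
    let clientPromise = null;

    // Create the client once. The factory resolves to an already-initialized
    // client, so no separate initialize() call is needed.
    function getClient() {
        if (!clientPromise) {
            clientPromise = msalLib.PublicClientApplication
                .createPublicClientApplication(config)
                .catch((err) => {
                    clientPromise = null; // allow a retry on the next call
                    throw err;
                });
        }
        return clientPromise;
    }

    // Popup sign-in. Awaiting getClient() first is what prevents
    // uninitialized_public_client_application when the user clicks early.
    async function signIn(loginRequest) {
        const client = await getClient();
        const result = await client.loginPopup(loginRequest);
        client.setActiveAccount(result.account);
        return result.account;
    }

    // Try the token cache first; open a popup only when MSAL reports that
    // user interaction is required.
    async function getToken(tokenRequest) {
        const client = await getClient();
        const account = client.getActiveAccount();
        if (!account) throw new Error("no active account; call signIn first");
        const request = { ...tokenRequest, account };
        try {
            return (await client.acquireTokenSilent(request)).accessToken;
        } catch (err) {
            if (err instanceof msalLib.InteractionRequiredAuthError) {
                return (await client.acquireTokenPopup(request)).accessToken;
            }
            throw err;
        }
    }

    return { getClient, signIn, getToken };
}
```

In the page this would be wired up as `const auth = createPopupAuth(msal, msalConfig);` with the sign-in button calling `auth.signIn(loginRequest)`.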
Purpose
Fix vulnerabilities in project dependencies
Does this introduce a breaking change?
Pull Request Type
What kind of change does this Pull Request introduce?
How to Test
Other Information
The bug fix is in ms-identity-ciam-javascript-tutorial/2-Authorization/0-call-api-vanillajs; the msal-browser version used in the index.html page does not fully support CIAM (Entra External ID) users. In this PR, msal.min.js is served from the backend and used instead, similar to how it is done in ms-identity-ciam-javascript-tutorial/1-Authentication/0-sign-in-vanillajs.