Msal Js Support Auth Code Flow In The Browser #1000
Comments
Work has started for this item.
Is there an ETA for this landing?
@garrettm It is inside the October 2019 milestone, so we may expect to try it soon 🤞
We are working on it in October! @garethj-msft @sergey-tihon however it will likely take us through the rest of the quarter to finish. Expect to be able to use it in production early 2020.
Alright, thanks. Might there be a less stable version we can use beforehand? Or is there an alternative library I could use for this until msal is ready? https://github.com/AzureAD/azure-activedirectory-library-for-js ?
This will be awesome to be able to use SPA/PWA apps with Microsoft Azure AD and Authorization Code Flow with PKCE, is this going to enable the possibility?
Yes. @pkanher617 to add more details.
@garrettm @sergey-tihon We are currently developing this, hope to have the beta version ready by Christmas. @garrettm msal for implicit flow is available and currently at v1.1.3, so you can use that instead of the ADAL library for now. @Romiko yes, we would like to support the use cases for SPA/PWA apps using Auth Code w/ PKCE.
@pkanher617 sorry, I'm not sure what you mean, isn't this repo/issue about getting an Auth Code through msal? How can I use msal for this when it's still not ready? Am I misunderstanding something?
@garretm sorry I may have misunderstood what it was that you were looking for - I saw a link to the ADAL.js repo and assumed you were simply looking for an upgraded version of what is supported in ADAL today. You aren't misunderstanding anything, this issue will track making the Authorization Code Flow available in MSAL.
@pkanher617 I see there's a PR for this. Thanks! Is it still on track for a beta this month?
@garrettm this is still planned to be code complete by the end of this month, however there are a few things that this depends on from the server / portal side that will not complete their parts until early 2020.
@DarylThayil got it, thanks for the update!
Any news?
We are very close to finishing the implementation, @pkanher617 will be updating the details soon. We will be announcing an ~alpha version first in a couple of weeks for private consumption and we plan to incrementally take feedback to build up to a major release.
How do we get on that private consumption list :)
@pkanher617 and @hamiltonha, do you know if we will be able to set up B2C to issue refresh tokens as a cookie while returning access tokens in the normal JSON response? In the past I've employed refresh tokens this way with a CSRF antiforgery token, rather than returning refresh tokens in the body. In the world of SPAs, many apps use quite a few 3rd party libraries which may have their own XSS or related vulnerabilities.
Hi, Edited: the consent box appears for personal account only
@kylephp You should be able to change the settings for consent display options by going to the "API permissions" section of your app registration in the Azure portal
@hamiltonha Thanks for replying but I could not find it in "API Permissions"
Hi @hamiltonha, just wondering do you know a rough ETA for B2C integration?
@luklew you should be able to use B2C now by manually editing your app manifest as instructed in the README of the browser package. The Azure portal URI for SPAs will be deployed to B2C tenants around June 5-12th. Please let me and @pkanher617 know if you have any issues using the browser package with a b2c app by editing the manifest
@hamiltonha I will do, thanks! Does this work with angular msal 1.0.0?
@luklew as of now the Angular library still uses the implicit flow, we are looking to onboard that library to the auth code flow in the coming months.
@hamiltonha I've noticed I'm not getting all my Application Claims back from the B2C AD when I request a token. Is that expected at this time?
I have edited the manifest and changed the type to "spa", also enabled "public client" btw.
@hamiltonha any update on this? trying to get an idea when we can expect angular spa with pkce/auth code flow.
@hamiltonha I would also like to know about the plans for implementing this for the Angular wrapper. Any information would be highly appreciated.
@mblagdan @siva-srini - @jasonnutter is currently working on a sample angular app that uses MSAL.js 2.0 directly. We also will be discussing prioritizing onboarding the Angular wrapper to the MSAL.js 2.0 with auth code/pkce in the coming months now the library is GA.
Closing, as MSAL Browser is now GA. If you have further questions or concerns, please open a new issue, thanks!
Goals: We would like to support the authorization code flow with PKCE for Single Page Applications in browser environments.
Milestones:
This is currently available in npm here.
This is the first version of the library available for private preview. We do NOT recommend anyone use this in their production apps - this is only for testing if anyone is interested. Please feel free to reach out if you run into any issues or have any feedback for improving what we have released. We will have a more detailed announcement and release notes for this when we reach the beta stage.
In the coming weeks, we will be updating this package actively based on internal testing and external feedback.
Beta Release
Coming soon!
Main Release