How does Authorization Code flow remember the user after cached state is cleared? #2797
Closed
Labels: msal-browser (Related to msal-browser package), question (Customer is asking for a clarification, use case or information.)
Library
@azure/msal-browser@2.8.0
Description
Given an app using OAuth 2.0 Authorization Code Flow via msal-browser, I log in by providing my credentials. Then I fully clear my browser's state, cache, and local/session storage, and refresh the page so that the single-page application doesn't know I'm logged in, but I'm still logged in with the Microsoft backend.
When I initiate another login, it is able to do so silently, without re-asking me for my credentials.
Apparently, via a request to https://login.microsoftonline.com/redacted/oauth2/v2.0/token, the Microsoft backend can authenticate me as the same user even though I cleared the JS memory and all cache/session/local storage.
How does this request get a valid code / code_verifier to send to the Authorization Server in order to get an Access Token back for a user without re-entering credentials?
More details:
The following does require me to re-enter my credentials (as I would expect it to):
The following does not require me to re-enter my credentials and can log on silently:
I would expect the 3 "not" scenarios to require credentials, but they do not. How can I be authenticated without the browser keeping any local state?
Source
(Note: Also posted on stack overflow)