Clarifying use case scenario in documentation #274

Closed
cheslijones opened this issue Nov 6, 2020 · 4 comments
@cheslijones

Reading through the documentation scenarios here and identifying the correct scenario for my use case:

  1. User accesses the microservice ReactJS front-end where react-aad-msal directs them to login with their Azure AD credentials.
  2. They successfully log in and receive id_token and access_token.
  3. The access_token needs to be sent from the microservice ReactJS FE to my microservice Django/Django-REST-Framework (DRF) API.
  4. The Django/DRF API needs to verify the authenticity of the access_token against Azure AD as well to grant communication between the FE and the API, to make sure some garbage string wasn't sent to it from the FE.

This use case leads me to believe that the "Web Application signing in a user and calling a Web API in the name of the user" is correct scenario and that this documentation found here is what I should be following to work on the Django.

That being said, all I'm really trying to do is validate the authenticity of the access_token sent over from the FE. I came across this documentation related to that.

So I'm unclear from the documentation what I should be trying to implement here with this library: the "The web app that calls web APIs" scenario or just the token validation method.

Can someone offer clarity on this?
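Step 4 above is the part this library does not cover (the maintainer's reply below makes the same point: MSAL obtains tokens for the caller, it does not validate them for the API). The following is an added example written for this page, not code from MSAL or from anyone in the thread, showing what the DRF side has to do with the bearer token it receives: pick the signing key by `kid` from its own copy of the tenant's JWKS, verify the RS256 signature, and only then believe `iss`, `aud`, `exp` and `nbf`. So that it runs offline it stands in for Azure AD with a toy stdlib-only RSA key and mints its own tokens; the issuer URL, tenant id, audience `api://drf-backend` and key id used when exercising it are hypothetical. A production API replaces the key generation with the tenant's published JWKS (the `jwks_uri` from the OpenID discovery document) and may use a library such as PyJWT for the JWT plumbing, but the sequence of checks is the same.

```python
# Added example, not MSAL or project code: the checks a resource API (the DRF side
# in the thread) must make on a bearer access token. Python 3.8+; data constructed.
import base64, hashlib, json, math, random, secrets, time

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2
LEEWAY = 60  # seconds of clock skew tolerated on exp/nbf

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Toy RSA key generation (stdlib only) so the demo runs offline. A real API never
# makes keys: it fetches the tenant's JWKS from the jwks_uri in the OpenID discovery
# document, caches it, and refreshes it once when a token carries an unknown kid.
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False  # trial division; fine for the 512-bit candidates used here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_keypair(bits: int = 1024):
    """Return (n, e, d) for a demo signing key (hypothetical tenant key)."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

# RSASSA-PKCS1-v1_5 with SHA-256, which JWT calls RS256 (RFC 8017 section 8.2).
def _emsa(msg: bytes, k: int) -> int:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, k)

# Identity-provider side (stands in for Azure AD): publish the JWKS, mint tokens.
def jwks_for(kid: str, n: int, e: int) -> dict:
    def big(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "n": big(n), "e": big(e)}]}

def issue_token(claims: dict, kid: str, n: int, d: int, alg: str = "RS256") -> str:
    def enc(o): return b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"typ": "JWT", "alg": alg, "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64u(rs256_sign(signing_input.encode(), n, d))

# Resource-API side (DRF in the thread): run this on every request's bearer token.
class TokenError(Exception):
    pass

def validate_access_token(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Return verified claims or raise TokenError; nothing in the token is trusted before the signature check."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(unb64u(h64)), json.loads(unb64u(p64)), unb64u(s64)
    except ValueError as exc:  # bad split, base64, JSON or UTF-8 all land here
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # pin the alg: rejects alg=none and HS256 key confusion
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(unb64u(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), sig, n, e):
        raise TokenError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")  # e.g. a token minted for Microsoft Graph, not for this API
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + LEEWAY:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - LEEWAY:
        raise TokenError("not yet valid")
    return claims
```

The audience check is the one that usually trips people up in this scenario: the SPA must request a scope exposed by the API's own app registration so that the token's `aud` is that API. A token the front-end obtained for Microsoft Graph will fail this check, and that is correct; a valid signature alone does not mean the token was meant for your backend.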

@rayluo rayluo added the question label Nov 6, 2020
@rayluo
Collaborator

rayluo commented Nov 6, 2020

There are 2 roles in: web app ---- calls ----> web api

This MSAL library helps the former i.e. web app to obtain a token.

Your DRF backend sounds like the latter i.e. web api who needs to validate that access token. We do not currently support that. A feature request is recorded at #147.

@cheslijones
Author

> There are 2 roles in: web app ---- calls ----> web api
>
> This MSAL library helps the former i.e. web app to obtain a token.
>
> Your DRF backend sounds like the latter i.e. web api who needs to validate that access token. We do not currently support that. A feature request is recorded at #147.

That is correct: DRF receives the access_token from the ReactJS FE. DRF is strictly the API, it serves no static assets and should not have an authentication process on its own. It should not be accessible except by the ReactJS FE. This, at least, is my understanding of how a modern microservice web application should work.

Any time frame for having the feature added? Looks like January is when it was brought up.

@rayluo
Collaborator

rayluo commented Nov 7, 2020

To be honest, there is no specific timeline to be shared at this moment. But it doesn't hurt if you add a thumbs-up reaction on that issue for our future planning purposes, and then also subscribe to that issue so that you will be notified when we get back to that one eventually.

@rayluo
Collaborator

rayluo commented Nov 9, 2020

Updated the first link used by @cheslijones at the beginning of this issue. Closing the doc issue here, and keeping track of the feature requirement at #147.
