what is the proper way to authenticate SPFX Web-parts? #5243

Closed
levisalarcon opened this issue Sep 26, 2022 · 5 comments
Labels
answered Question has received "first qualified response" msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

levisalarcon commented Sep 26, 2022

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.14.2

Wrapper Library

Not Applicable

Wrapper Library Version

N/A

Public or Confidential Client?

Public

Description

We currently use MSAL 2.14.2 to get our AAD token to be able to get an access token from our own API. The problem is that ITP on Safari breaks the authentication flow and the only solution there seems to be is to rely on pop ups and redirects.

This Microsoft article states that AadHttpClient with the implicit flow should be used instead to bypass 3rd party blocker issues, but it seems like it too uses a hidden iFrame and ends up relying on redirects (We have implemented it and we get a redirect after the SP page has loaded, then it works).

What is the best way to get a token from SPFX web-parts then without impacting the user experience? Having in mind that all browsers seem to be adding this type of feature, will pop ups and redirects become the standard if there is no other solution?

Thanks.

UPDATE: We were able to run this Microsoft tutorial locally that implements AadHttpClient on SPFX and it does the login redirect after SP login.

MSAL Configuration

No response

Relevant Code Snippets

No response

Identity Provider

Azure AD

Source

External (Customer)

@levisalarcon levisalarcon added the question Customer is asking for a clarification, use case or information. label Sep 26, 2022
@ghost ghost added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Sep 26, 2022
@github-actions github-actions bot added msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Sep 26, 2022
@ghost ghost assigned hectormmg Sep 26, 2022
@hectormmg
Member

Hi @levisalarcon. Thanks for the question, please look into using AadHttpClient with SPFX for the correct way to authenticate. Let us know if this solves your question so we can close the issue!

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Sep 26, 2022
@levisalarcon
Author

Hi @hectormmg. Thanks for the quick answer. Apologies, when I said we implemented the ADAL.js approach, I meant AadHttpClient (it's built on top of ADAL.js I believe?). I have updated the question accordingly.

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Sep 26, 2022
@hectormmg
Member

@levisalarcon it does currently use an older version of MSAL I believe (I think the docs are outdated, it actually uses MSAL v1 and will probably migrate to MSAL v2 soon).

Regarding this part of your question:

> Having in mind that all browsers seem to be adding this type of feature, will pop ups and redirects become the standard if there is no other solution?

Yes, interaction is always necessary if MSAL cannot renew the tokens silently; this is because of 3p cookies being blocked by browsers. I believe the AadHttpClient already takes care of falling back to interaction. There's no way to guarantee tokens will always be fetched silently.
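
The silent-first, fall-back-to-interaction pattern discussed in this thread, as an added example that is not part of the original issue and is not AadHttpClient's or MSAL's own code. It assumes a client exposing MSAL v2's `acquireTokenSilent` and `acquireTokenPopup`; the stub client, the `getToken` and `needsInteraction` helpers and the scope value are constructed for illustration.

```javascript
// Added example: try silent renewal first, prompt only when the identity
// provider says interaction is required. Runs offline against a stub.

// AAD error codes that mean the user has to interact.
const INTERACTION_CODES = new Set([
  "interaction_required",
  "login_required",
  "consent_required",
]);

function needsInteraction(err) {
  return Boolean(err) &&
    (err.name === "InteractionRequiredAuthError" ||
      INTERACTION_CODES.has(err.errorCode));
}

async function getToken(client, request) {
  try {
    const res = await client.acquireTokenSilent(request);
    return { token: res.accessToken, via: "silent" };
  } catch (err) {
    // Network or configuration failures must not turn into a login prompt.
    if (!needsInteraction(err)) throw err;
    const res = await client.acquireTokenPopup(request);
    return { token: res.accessToken, via: "popup" };
  }
}

// Constructed stub standing in for a PublicClientApplication instance.
// Passing an error simulates silent renewal failing.
function makeStubClient(silentError) {
  return {
    popups: 0,
    async acquireTokenSilent() {
      if (silentError) throw silentError;
      return { accessToken: "silent-token" };
    },
    async acquireTokenPopup() {
      this.popups += 1;
      return { accessToken: "popup-token" };
    },
  };
}

// Constructed scenario: silent renewal fails with login_required.
const blocked = makeStubClient({ name: "InteractionRequiredAuthError", errorCode: "login_required" });
getToken(blocked, { scopes: ["api://example-api/.default"] }) // placeholder scope
  .then((r) => console.log(r.via, "popups:", blocked.popups));
```

Calling `getToken` from a user gesture such as a button click keeps the fallback popup from being suppressed by the browser's popup blocker.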

@ghost ghost added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Sep 26, 2022
@jasonnutter
Contributor

@hectormmg Might be worth adding this to the FAQ.

@levisalarcon
Author

Thanks for the answer @hectormmg.

@ghost ghost removed the Needs: Author Feedback Awaiting response from issue author label Sep 27, 2022