question

sivadev-0246 asked ·

Protect Angular SPA with Azure Ad authentication

Hi,

I need to protect my Angular SPA and Node JS API with Azure AD Authentication. Which flow should I use?

Auth Code Flow or Implicit Flow?

Where can I find the sample apps or tutorials that show steps to implement the suitable flow in both the Angular SPA and the Node JS API?

Tags: azure-active-directory, azure-ad-b2c

soumi-MSFT answered ·

@sivadev-0246, Ideally for SPA applications, Implicit flow is what is preferred the most. For samples, you can check the following URL:
https://docs.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#single-page-applications

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


@sivadev-0246, Just wanted to check if the above response helped.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


Hi @soumi-MSFT - As per the OAuth2 working group, they recommend SPA applications to use Auth code flow with PKCE as a best practice. I see Microsoft acknowledges this recommendation and advised app developers to use the ADAL or MSAL lib, including MSAL.js 2.0 (preview). This is giving mixed signals on designing solutions using the preview MSAL 2.0. Is it safe to use the MSAL.js 2.0 beta libraries to implement Auth Code flow with PKCE? Or implement using implicit grant flow and upgrade to MSAL.js 2.0 when it is available in GA? Or use libraries like oidc-client-js to implement Auth code flow with PKCE? Any advice would be greatly appreciated. Thank you!

https://developer.microsoft.com/en-us/office/blogs/our-thoughts-on-implicit-grant-with-microsoft-identity/
https://github.com/AzureAD/microsoft-authentication-library-for-js

https://levelup.gitconnected.com/obtain-access-token-via-authorization-code-grant-with-pkce-in-angular-using-oidc-client-js-and-d481873b5a8a

soumi-MSFT answered ·

@RanjithPalanisamy-3910, Thank you for reaching out, and I apologize for the late reply on this, as somehow I had missed out on this new question on this thread. One thing I would like to state is that since implicit flow is not a secure flow and it always carries its own set of risks, it's advisable to stay away from using it. But till today, for JavaScript applications (single-page applications), we recommended using the MSAL.js library, and MSAL.js lacked the capability of implementing any other flows of OAuth for SPAs. Then came MSAL v2.0 and now the MSAL v2.0 (preview), which finally brought the support of using Auth-Code Grant Flow for your SPAs, and personally I would recommend, if a new app is being developed, that you go ahead with the new MSAL v2.0 (preview), as that would just get better.


As of now I have not heard of any complaints regarding the MSAL v2.0 (preview) library, and you can surely give it a try. Auth-Code Grant flow with PKCE is definitely a more secure alternative to implicit grant flow. For now, I don't have a time frame as of when there is a plan to get this into GA, but I can surely get you the answer as soon as I can get my hands on it.


Hope this helps.


Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

