Authenticating users in JavaScript apps with MSAL.js
Overview
About us
Co-Presenter Name
☁️ Co-Presenter Title
Co-Presenter Name
☁️ Co-Presenter Title
For questions or help with this series: MSUSDev@Microsoft.com
All demos and source code available online:
Setting the scene
Series roadmap
- Session 1:
- ↪️ Authenticating users in JavaScript apps with MSAL.js
- Session 2:
- Discover Microsoft Graph Toolkit Components
- Session 3:
- Authenticating to Azure with MSAL.js
- Session 4:
- The Microsoft Graph SDK for JavaScript
Today’s agenda
- What is the Microsoft Identity Platform?
- How do we authenticate manually?
- How can the MSAL help us authenticate?
- Where can we use the MSAL token?
Identity Development with the Microsoft Identity Platform
Goal
Identity as a control plane
Azure Active Directory
Active Directory Authentication Library
Microsoft Identity Platform
https://docs.microsoft.com/azure/active-directory/develop/
Unified full-stack development tools to work with all Microsoft identities.
Microsoft Identity Platform Breakdown
Demo: Microsoft Identity Platform documentation
::: notes
-
Open a browser and navigate to https://docs.microsoft.com/en-us/azure/active-directory/develop/
-
Review the various sections of the landing page
-
In the About Microsoft identity platform section, within the Overview sub-sectoin, select What is the Microsoft identity platform?
-
Review the documentation on this page
:::
Authenticating to Microsoft
AAD Applications
- Register applications with AAD to get access to authentication and tokens
- Usually include a redirect URI for the application
- Registration will yield client credentials required to authenticate
- Can register different types of applications
Application Types
- Single-page applications
- Web applications
- Web APIs
- Desktop/Mobile applications
- Server-side applications
Demo: Registering an application in Azure AD
::: notes
-
Open a browser and navigate to https://portal.azure.com
-
Navigate to Azure Active Directory
-
Navigate to App registrations
-
Create a new registration using the following settings:
-
Name: Example
-
Supported account types: Accounts in any organization dirctory (Any Azure AD directory - Multitenant)
-
Redirect URI: Public client/native (mobile & desktop) - http://localhost
-
-
In the new registration, navigate to the API permissions section
-
Observe the built-in Microsoft Graph permission for User.Read
:::
Authentication flows
Flow | Description | |
---|---|---|
Authorization code | Native and web apps securely obtain tokens in the name of the user | |
Client credentials | Service applications run without user interaction | |
On-behalf-of | The application calls a service/web API, which in turns calls Microsoft Graph | |
Implicit | Used in browser-based applications | |
Device code | Enables sign-in to a device by using another device that has a browser | |
Integrated Windows | Windows computers silently acquire an access token when they are domain joined | |
Interactive | Mobile and desktops applications call Microsoft Graph in the name of a user | |
Username/password | The application signs in a user by using their username and password |
Interactive authentication flow
::: notes
-
The application redirects the user to the Azure AD sign-in portal, and the user acquires a token interactively from Azure AD
-
The application uses the token to access Microsoft Graph
:::
Device code flow
::: notes
-
The application requests a unique device code from Azure AD
-
The user uses another workstation along with the device code to sign in to the Azure AD sign-in portal
-
The original application acquires a token from Azure AD based on the user sign-in
-
The application uses the token to access Microsoft Graph
:::
Login URL
- One base URL for all login and token queries:
- Relative URLs for specific actions:
- login: \/authorize
- acquire token: \/token
Tenants
- https://login.microsoftonline.com/tenant_id/oauth2/v2.0
- Unique Tenant Id for just your organization
organizations
: Any organizational (work/school) accountconsumers
: Any Microsoft accountcommon
: Any account
::: notes
The different values influence the in-browser user experience when logging in. For example; if you specify the tenant id, then the user will immediately see your organization’s branding.
:::
Authorize with Azure AD using OAuth 2.0
- Navigate to the \/authorize endpoint for login.microsoftonline.com
- Provide appropriate query string parameters
client_id
: Unique Client Id for application registrationresponse_type
: Set tocode
redirect_uri
: One of the Redirect Uris specified in application registration processscope
: List of permissions that you are requesting consent toresponse_mode
: Eitherform_post
orquery
- (Optional)
state
: Sanity-check value
- Provide appropriate query string parameters
- Login using your browser
- Observe the response
- If
response_mode=query
, will include a unique code on the query string- Use this code to acquire a token
- (Optional) Echoes the state parameter
- If
Authorize Query String and URI Parameters
Parameter | Description |
---|---|
client_id |
AAD application unique identifier |
response_type |
Usually code |
redirect_uri |
Where to go after authentication |
response_mode |
Usually query but can be form_post |
scope |
What permissions are required |
state (optional) |
Value that can be used to validate response |
Example Authorization Request
GET https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=06b9debd-a372-496f-916c-856dc9dd1f8a
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2F
&response_mode=query
&scope=user.read
&state=demo
Example Authorization Response
GET http://localhost?
code=6a3095c1-48ca-4d00-939e-eca0e5b8f1a4
&state=demo
Acquire a Bearer Token using OAuth 2.0
- Send a POST request to the \/token endpoint for login.microsoftonline.com
- Provide appropriate form parameters
client_id
: Unique Client Id for application registrationredirect_uri
: One of the Redirect Uris specified in application registration processscope
: List of permissions that you are requesting consent tocode
: Use the value of the code from the authorization requestgrant_type
: Useauthorization_code
- Provide appropriate form parameters
- Observe the response
- The
access_token
property has your OAuth 2.0 Bearer token
- The
Token Query String and URI Parameters
Parameter | Description |
---|---|
client_id |
AAD application unique identifier |
code |
Code from previous request |
grant_type |
authorization_code |
redirect_uri |
Where to go after authentication |
scope |
What permissions are required |
Example Token Request
POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token?
client_id=06b9debd-a372-496f-916c-856dc9dd1f8a
&redirect_uri=http%3A%2F%2Flocalhost%2F
&grant_type=authorization_code
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
::: notes
The code
value has been concatenated for brevity.
:::
Example Token Response
{
"token_type": "Bearer",
"scope": "user.read",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4..."
}
::: notes
The access_token
and refresh_token
values have been concatenated for brevity.
:::
Demo: Manually acquiring a token from Microsoft
::: notes
-
Open a browser and navigate to https://portal.azure.com
-
Navigate to Azure Active Directory
-
Native to your recently created application registration
-
Record the value of the Client Id field
-
Build a URL using the following steps:
-
Start with
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
-
Add the
client_id=
query string value with your unique Client Id from the application registration -
Add the
&redirect_uri=http%3A%2F%2Flocalhost%2F
query string parameter -
Add the
&scope=user.read
query string parameter -
Add the
&response_type=code
query string parameter -
Add the
&response_mode=query
query string parameter
-
-
Open a browser and navigate to the URL that you just built
-
Login using any organizational (work/school) account
-
Consent to the application’s request to view your user profile information (
user.read
) -
Azure AD will redirect to localhost which should return a HTTP 404 error
-
Record the value of the redirect URL that is in the browser address bar
-
Record the value of the
code
query string parameter in the response -
Open a HTTP request tool
- Note: It is recommended to use Postman to demo the HTTP POST request
-
Build a HTTP POST request using the endpoint
https://login.microsoftonline.com/common/oauth2/v2.0/token
and following these steps:-
Add a
client_id
parameter with your unique Client Id from the application registration -
Add a
code
parameter with the code you recorded earlier in this lab -
Add a
redirect_uri
parameter with a value ofhttp://localhost
-
Add a
scope
parameter with a value ofuser.read
-
Add a
grant_type
parameter with a value ofauthorization_code
-
Issue the HTTP POST request
-
-
Observe the JSON response of the request, it should contain an
access_token
property with your MSAL token -
Walkthrough the Graph Explorer at aka.ms/ge
-
Build a HTTP GET request using the endpoint
https://graph.microsoft.com/beta/me
and following these steps:-
Add an OAuth 2.0 bearer token header using your Access Token created earlier.
-
Issue the HTTP GET request
-
-
Observe the result of the request
:::
Microsoft Authentication Library (MSAL)
MSAL SDK
https://docs.microsoft.com/azure/active-directory/develop/msal-overview
- Consistent single library for authentication with all Microsoft identities
- Can be used to access:
- Microsoft Graph
- other Microsoft APIs
- third-party Web APIs
- your own APIs
- Available in various programming languages and platforms:
- .NET
- JavaScript
- Python
- Java
- Android/iOS
Node Package Manager
- Available on NPM
- Vanilla JavaScript
- Angular
- React
UserAgentApplication
- Public client applications
- Applications always sign-in users
- Sign-in using redirect or popup
- Point of configuration for the application
- Examples:
- Single-page apps
- Server-side web applications
- Applications always sign-in users
UserAgentApplication Instantiation
var client = new msal.PublicClientApplication(
...
);
Auth Options
var client = msal.PublicClientApplication({
auth: {
clientId: '<client-id>',
authority: 'https://login.microsoftonline.com/<authority>',
redirectUri: '<redirect-uri>'
}
});
Cache Options
var client = new msal.PublicClientApplication({
cache: {
cacheLocation: 'localStorage' <or> 'sessionStorage'
}
});
Building a request
var request = {
scopes: [ 'user.read' ]
}
Logging in interactively
var loginRequest = {
scopes: [ 'user.read' ]
}
var loginResponse = await client.loginPopup(loginRequest);
Acquring a token interactively
var tokenRequest = {
scopes: [ 'user.read' ],
account: loginResponse.account
}
var tokenResponse = await client.acquireTokenSilent(tokenRequest);
Demo: Browser-based interactive authentication using MSAL.JS
::: notes
-
Open a browser and navigate to https://portal.azure.com
-
Navigate to Azure Active Directory
-
Navigate to your recently created application registration
-
Navigate to the Authentication section
-
Add a new platform with the following settings:
-
Platform: Single-page application
-
Redirect URIs: http://localhost:8080
-
-
Remove the existing Public client/native (mobile & desktop) platform.
-
Save the platform configuration changes
-
Open Visual Studio Code in an empty folder
-
Run
git clone https://github.com/msusdev/example-static-js-app.git .
to clone the sample Node.js web application -
Run
npm install
to install the Node.js dependencies -
Run
npm start
to start the web server and observe the server URL -
Open a browser and navigate to the URL specified in the previous step
- This is typically
http://localhost:8080
- This is typically
-
Observe the basic web application
-
Open the developer tools for your browser
-
Click the Run Code button and observe the console message
-
Return to Visual Studio Code
-
Open the index.html file
-
In the HTML file’s header, add the following element to reference the MSAL.JS (Browser) v2 library:
<script src="https://unpkg.com/@azure/msal-browser@2/lib/msal-browser.min.js" crossorigin></script>
-
Open the index.js file
-
Add the code for this file:
const config = { auth: { clientId: '<client-id>', authority: 'https://login.microsoftonline.com/organizations/', redirectUri: 'http://localhost:8080' } }; var client = new msal.PublicClientApplication(config); var loginRequest = { scopes: [ 'user.read' ] }; let loginResponse = await client.loginPopup(loginRequest); console.log('Login Response', loginResponse);
-
Return to and refresh your browser window
-
Observe the updated messages in the console
-
Return to the index.js file in Visual Studio Code and add the following code:
var tokenRequest = { scopes: [ 'user.read' ], account: loginResponse.account }; let tokenResponse = await client.acquireTokenSilent(tokenRequest); console.log('Token Response', tokenResponse);
-
Return to and refresh your browser window
-
Observe the updated messages in the console
-
Return to the index.js file in Visual Studio Code and add the following code:
let payload = await fetch("https://graph.microsoft.com/v1.0/me", { headers: { 'Authorization': 'Bearer ' + tokenResponse.accessToken } }); let json = await payload.json(); console.log('Graph Response', json);
-
Return to and refresh your browser window
-
Observe the updated messages in the console
:::