microsoft-authentication-library-for-js | Microsoft Authentication Library for JS | Azure library

I'm working on an SPA which depends on an instance of Identity Server for authenticating users. I need a solution that manages my tokens locally, but Duende (the owners of Identity Server) lean towards a Backend For Frontend (BFF) pattern over Javascript libraries. This isn't going to work for us. Since the original oidc-client that was written by the authors of Identity Server is no longer maintained I've been looking at Javascript alternatives. The most likely candidate would seem to be Microsoft's MSAL.js which is built for Azure AD, but supposedly supports OIDC standards.

From what I can tell, MSAL.js forces you down an offline_access path using refresh tokens to renew security tokens. Even if I don't expressly require an offline_access scope the library appends one anyway! But my use case doesn't require refresh tokens. Instead I want my client to keep the session on the identity provider fresh using OIDC session mamnagement standards (via the check_session_iframe endpoint exposed by the provider's well-known JSON).

I have found that if I ignore the offline_access scope requested by the MSAL.js library so my identity provider only issues and ID token and an access token then MSAL continues to work just fine. It even has an ssoSilent option for explicitly renewing the tokens via a connect/authorize request in a hidden iframe. But as far as I can tell I can't have the library keeping that session fresh via an iframe like the old oidc-client used to.

So given that session management is part of the OIDC specification, and MSAL is supposed to be an OIDC-compliant library, am I missing something here?

I am trying to get the perfect structure of config and the authority url for my B2C auth application that will be integrated with Azure and React. I did get this structure for my config file and the auth link is specified as in the comments. but I am not able to get the popup screen and the error says that the authority link is invalid.

We are currently successfully running a Node.js Azure Function App deployed in an App Service in Azure with AAD B2C authentication as backend for a React-based Single-Page Application. User authentication in the SPA is done with Azure AAD B2C, where users obtain a JWT Token which is used as Bearer token for all requests against the backend API. This works great.

Due to different reasons, we now need to dockerize our Function App and move it inside a Kubernetes cluster. This prevents us from using the AAD B2C integration of the Function App in the App Service for protecting the API, hence we need a different approach to validate the Bearer tokens of the requests.

From what we understand, there are two possible options to do this:

1. passport.js
2. MSAL

passport.js seems to work great for all Express-based apps and is therefore not suitable for us as our Function App is not Express-based. We also had a look at msal-node and various examples using it, but struggle to understand exactly where and how our token validation fits and which (if any) of the examples fits our use case.

Are we looking in the right direction with msal-node and if so, how can we accomplish the task of protecting a containerized Node.js Azure Function App by validating the Bearer token with the AAD B2C?

I am using MSALjs to logout a user on my application. When the msalService.logoutRedirect() is triggered, the page redirects and is logged out. However, my application does not have an "un-guarded" route, thus the redirect after logout (postLogoutRedirectUri) is set to return to the application's last active page. And when it returns to the application, the MSAL guard automatically finds a valid MS session and logs back in again automatically (after redirects).

If I change the postLogoutRedirectUri to https://login.microsoftonline.com/common/oauth2/logout, the logout does work and I am signed out correctly. However, I would like to immediately be prompted to sign back in, which is why I intend on returning to the application so the MsalGuard can prompt sign in.

Per a recent GitHub issue , one of the MSAL contributors said the following:

This is a nuance of how B2C works. By default B2C might not log you out of your federated identity provider when you call the logout endpoint, this is explained in more detail here. I unfortunately don't know enough about B2C configuration to give you a definitive answer but you may need to create a custom policy which redirects to the AAD logout endpoint you mentioned: 'https://login.microsoftonline.com/common/oauth2/logout' as this endpoint is the one that ultimately closes your session with AAD. You can also have B2C pass through your postLogoutRedirectUri to this endpoint so that AAD redirects you back to your application after the logout instead of ending on the "Close this window" screen, if desired.

How can I set this up so the logout is triggered correctly and all sessions are signed out?

Furthermore, if I manually change the metadata of the openid-config to have the "end_session_endpoint" equal to the microsoftonline logout link from above, the behavior seems to be more in line with what I would expect.

I believe we have everything mentioned in https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/ie-support.md

We have included a promise polyfill at the top of our index.html:

I have a React SPA which uses msal. I have configured Azure AD as Identity Provider for my AADB2C. I can signIn/signOut and other operations.

If my user signs out off my application, I want to also sign out of my Identity Provider. I looked a bit into this matter 1, 2, 3, 4, 5.

At this moment, I use msal's logoutRedirect method.

I'm implementing security for the applications at the company I'm working at right now. I'm using @azure/msal-angular@2.0.2, @azure/msal-browser@2.16.1. I followed the example found here and got it working for the first application. I went on to implement it for the next application, which is basically the same one, just talks to a different api, but the complexity is the same. After possibly doing something wrong I keep getting the error:

I use https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md to setup a single sign-on in angular. So if I click the sign in button then I can login.

My question is that if in other place I already login with my company's credentials so I don't need to login again in the angular application. How my angular application knows I already signed? Therefore I don't need navigation to login component and click sign in button again?

I have implemented SPA in the same way as mentioned here - https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa#configure-your-javascript-spa

I have changed the code as per - https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/issues/61#issuecomment-630953375

Still my code is not working IE 11. Only thing which is different from the above code is I am using MSAL 2.13.1.js.

Does 2.*.js works with IE11 ?

Code which I have used is below. It doesnt redirect to the Microsoft login page in IE 11. It works fine in chrome and edge.