Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: msal upgrade #883

Merged
merged 39 commits into from
Apr 22, 2021
Merged

Feature: msal upgrade #883

merged 39 commits into from
Apr 22, 2021

Conversation

thewahome
Copy link
Collaborator

@thewahome thewahome commented Mar 5, 2021
edited
Loading

Overview

Upgrade to msal 2.0
Closes #688

Notes

LogutPopUp is still in design. the default logout implementation opens a redirect flow to log someone out.

We now use a work-around to initiate a popup flow when logging out of the try-it experience. And clear the cache so that the account is logged out of the browser

Testing Instructions

Local

  • You will need a registered client ID. Ensure that you have set the platform in your client ID to SPA and moved your redirect URLs on the azure portal [app registrations]

Online

Steps

  1. logging in and out of:
    -- MSA account
    -- MS account
    -- Demo tenant account

  2. Permissions:
    -- Consent to 1 scope related to a specific url (MSA/MS/Demo)
    -- Consent to many scopes through the panel (MSA/MS/Demo)

  3. Send authenticated requests to the graph

@thewahome thewahome requested review from zengin and jobala March 5, 2021 14:21
@thewahome thewahome requested a review from ddyett March 8, 2021 16:54
@ddyett ddyett requested a review from nikithauc March 8, 2021 20:32
ddyett
ddyett reviewed Mar 8, 2021
View reviewed changes
src/app/services/graph-client/auth/authentication-module.ts Outdated

const defaultScopes = DEFAULT_USER_SCOPES.split(' ');

export class AuthenticationModule {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how did you test that this is now doing the right thing as far as PKCE.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ddyett
Frankly, I have trusted that the msal team has done the right thing. My tests were geared towards whether GE was able to sign in and out effectively into all the accounts. I may need guidance on ways to test this the PKCE way.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@thewahome Turn on Fiddler, you'll see a call to /authorize with &code_challenge parameter. That indicates that it is using PKCE.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code

You'll also see the refresh token supplied in the response to /token.

Graph Explorer and MSAL are using the auth code flow as expected. The one thing that we likely aren't doing but should do is set the state token in the initial request to /authorize and then checking on the response from /token that we are getting the same state token. This helps prevent CSRF

@nikithauc
Copy link

Please add doc for all the functions and comments for improving readability. https://www.typescriptlang.org/docs/handbook/jsdoc-supported-types.html.

nikithauc
nikithauc reviewed Mar 8, 2021
View reviewed changes
src/app/services/graph-client/auth/authentication-module.ts Outdated
if (this.msalApplication) {
const allAccounts = this.msalApplication.getAllAccounts();
if (allAccounts && allAccounts.length > 0) {
return allAccounts[0];
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it guaranteed that the first account that is the account[0] will always be the valid or intended account?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AzureAD/microsoft-authentication-library-for-js#2196
AzureAD/microsoft-authentication-library-for-js#1843
The array is not ordered. How is the current logged in account tracked?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing this out. I have seen that the MSAL.js team recommends that we track this user ourselves

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it guaranteed that the first account that is the account[0] will always be the valid or intended account?

Any idea about this? My concern is about picking up the wrong account. It would be a major issue if that happens.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah...
I can use either:

  • msalApplication.getAccountByHomeId
  • msalApplication.getAccountByLocalId
  • msalApplication.getAccountByUsername

This means I'd have to create a way to track either of the identifiers

nikithauc
nikithauc reviewed Mar 8, 2021
View reviewed changes
src/app/services/graph-client/auth/authentication-module.ts Outdated
if (this.msalApplication) {
const allAccounts = this.msalApplication.getAllAccounts();
if (allAccounts && allAccounts.length > 0) {
return allAccounts[0];
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AzureAD/microsoft-authentication-library-for-js#2196
AzureAD/microsoft-authentication-library-for-js#1843
The array is not ordered. How is the current logged in account tracked?

src/app/services/graph-client/auth/authentication-module.ts Outdated Show resolved Hide resolved
src/app/services/graph-client/auth/authentication-module.ts Outdated Show resolved Hide resolved
src/app/services/graph-client/auth/authentication-module.ts Outdated Show resolved Hide resolved
@nikithauc
Copy link

Good work on adding a class structure and organizing the code :)

@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2021

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

github-actions bot commented Apr 7, 2021

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

github-actions bot commented Apr 7, 2021

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

ElinorW
ElinorW reviewed Apr 8, 2021
View reviewed changes
src/app/services/graph-constants.ts
export const DEFAULT_USER_SCOPES = 'openid profile User.Read';
export const DEVX_API_URL = 'https://graphexplorerapi.azurewebsites.net';
export const GRAPH_API_SANDBOX_URL = 'https://proxy.apisandbox.msdn.microsoft.com';
export const HOME_ACCOUNT_KEY = 'fbf1ecbe-27ab-42d7-96d4-3e6b03682ee4';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just wondering if this can be stored in the .env file instead

@github-actions
Copy link
Contributor

github-actions bot commented Apr 8, 2021

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

nikithauc
nikithauc reviewed Apr 19, 2021
View reviewed changes
src/modules/authentication/AuthenticationWrapper.ts

if (allAccounts.length > 1) {
const homeAccountId = this.getHomeAccountId();
return (homeAccountId) ? msalApplication.getAccountByHomeId(homeAccountId) || undefined : undefined;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why use msalApplication.getAccountByHomeId(homeAccountId) || undefined?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function msalApplication.getAccountByHomeId(homeAccountId) returns AccountInfo | null, however the references of the getAccount() function expects AccountInfo | undefined. So if the msalApp returns null I default it to undefined so that nothing breaks

nikithauc
nikithauc reviewed Apr 19, 2021
View reviewed changes
src/modules/authentication/AuthenticationWrapper.ts Outdated
export class AuthenticationWrapper implements IAuthenticationWrapper {

private static instance: AuthenticationWrapper;
private isConsentFlow: boolean = false;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a summary explaining the role of the properties and functions.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nikithauc I tried to limit using comments by instead using variable and function names that could be self-documenting; Unless when documenting a major decision eg the clearCache() function. Does this mean the properties and functions do not convey the meaning?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I didn't understand what isConsentFlow means?

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@github-actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://jolly-sand-0ac78c710-883.centralus.azurestaticapps.net

@thewahome thewahome merged commit 7e42892 into dev Apr 22, 2021
thewahome added a commit that referenced this pull request May 5, 2021
@thewahome
chore(release): 4.6.0 (#938)
69758cb 
* Task: state typings (#921)

* Feature: Enhance 'More actions' icon appearance (#907)

* Feature: msal upgrade (#883)
@thewahome thewahome deleted the feature/msal-upgrade branch August 9, 2021 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nikithauc nikithauc nikithauc approved these changes

@ElinorW ElinorW ElinorW approved these changes

@zengin zengin Awaiting requested review from zengin

@jobala jobala Awaiting requested review from jobala

@MIchaelMainer MIchaelMainer Awaiting requested review from MIchaelMainer

@ddyett ddyett Awaiting requested review from ddyett

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to get Graph Explorer API token Investigate and implement use of MSAL.js 2.0 which is now available
5 participants
@thewahome @nikithauc @MIchaelMainer @ElinorW @ddyett