Feature: msal upgrade #883
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| import { | ||
| AccountInfo, | ||
| AuthenticationResult, InteractionRequiredAuthError, | ||
| PopupRequest, PublicClientApplication, SilentRequest | ||
| } from '@azure/msal-browser'; | ||
|
|
||
| import { geLocale } from '../../../../appLocale'; | ||
| import { AUTH_URL, DEFAULT_USER_SCOPES } from '../../graph-constants'; | ||
|
|
||
| const defaultScopes = DEFAULT_USER_SCOPES.split(' '); | ||
|
|
||
| export class AuthenticationModule { | ||
|
|
||
| private msalApplication: PublicClientApplication; | ||
|
|
||
| constructor(msalApplication: PublicClientApplication) { | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| this.msalApplication = msalApplication; | ||
| } | ||
|
|
||
| public getAccount(): AccountInfo | undefined { | ||
| if (this.msalApplication) { | ||
| const allAccounts = this.msalApplication.getAllAccounts(); | ||
| if (allAccounts && allAccounts.length > 0) { | ||
| return allAccounts[0]; | ||
|
There was a problem hiding this comment. Is it guaranteed that the first account that is the account[0] will always be the valid or intended account? There was a problem hiding this comment. AzureAD/microsoft-authentication-library-for-js#2196 There was a problem hiding this comment. Thanks for pointing this out. I have seen that the MSAL.js team recommends that we track this user ourselves There was a problem hiding this comment.
Any idea about this? My concern is about picking up the wrong account. It would be a major issue if that happens. There was a problem hiding this comment. Yeah...
This means I'd have to create a way to track either of the identifiers |
||
| } | ||
| } | ||
| return undefined; | ||
| } | ||
|
|
||
| public async getToken() { | ||
| const silentRequest = { | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| scopes: defaultScopes, | ||
| authority: this.getAuthority(), | ||
| account: this.getAccount() | ||
| }; | ||
| const authResponse = await this.msalApplication.acquireTokenSilent(silentRequest); | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| return authResponse; | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
|
|
||
| public async getAuthResult(scopes: string[] = [], sessionId?: string): Promise<AuthenticationResult> { | ||
| const userScopes = (scopes.length > 0) ? scopes : defaultScopes; | ||
| const silentRequest: SilentRequest = { | ||
| scopes: userScopes, | ||
| authority: this.getAuthority(), | ||
| account: this.getAccount() | ||
| }; | ||
|
|
||
| try { | ||
| const authResponse: AuthenticationResult = await this.msalApplication.acquireTokenSilent(silentRequest); | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| return authResponse; | ||
| } catch (error) { | ||
| if (error instanceof InteractionRequiredAuthError || this.getAccount() === undefined) { | ||
| return this.loginWithInteraction(userScopes, sessionId); | ||
| } else { | ||
| throw error; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| private getAuthority(): string { | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| // support for tenanted endpoint | ||
| const urlParams = new URLSearchParams(location.search); | ||
| let tenant = urlParams.get('tenant'); | ||
|
|
||
| if (tenant === null) { | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| tenant = 'common'; | ||
| } | ||
|
|
||
| return `${AUTH_URL}/${tenant}/`; | ||
| } | ||
|
|
||
| private async loginWithInteraction(userScopes: string[], sessionId?: string) { | ||
| const popUpRequest: PopupRequest = { | ||
| scopes: userScopes, | ||
| authority: this.getAuthority(), | ||
| prompt: 'select_account', | ||
| redirectUri: this.getCurrentUri(), | ||
| extraQueryParameters: { mkt: geLocale } | ||
| }; | ||
|
|
||
| if (sessionId) { | ||
| popUpRequest.sid = sessionId; | ||
| } | ||
|
|
||
| try { | ||
| const authResponse: AuthenticationResult = await this.msalApplication.loginPopup(popUpRequest); | ||
| return authResponse; | ||
| } catch (error) { | ||
| throw error; | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * get current uri for redirect uri purpose | ||
| * ref - https://github.com/AzureAD/microsoft-authentication-library-for | ||
| * -js/blob/9274fac6d100a6300eb2faa4c94aa2431b1ca4b0/lib/msal-browser/src/utils/BrowserUtils.ts#L49 | ||
| */ | ||
| private getCurrentUri(): string { | ||
| const currentUrl = window.location.href.split('?')[0].split('#')[0]; | ||
| return currentUrl.toLowerCase(); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| import { PublicClientApplication } from '@azure/msal-browser'; | ||
| import { AuthenticationProvider } from '@microsoft/microsoft-graph-client'; | ||
|
|
||
| import { AuthenticationModule } from './authentication-module'; | ||
|
|
||
| export class CustomAuthenticationProvider implements AuthenticationProvider { | ||
|
|
||
| private msalApplication: PublicClientApplication; | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| constructor(msalApplication: PublicClientApplication) { | ||
| this.msalApplication = msalApplication; | ||
| } | ||
|
|
||
| /** | ||
| * getAccessToken | ||
| */ | ||
| public async getAccessToken(): Promise<string> { | ||
| try { | ||
| const authModule = new AuthenticationModule(this.msalApplication); | ||
| const authResult = await authModule.getAuthResult(); | ||
| return authResult.accessToken; | ||
| } catch (error) { | ||
| throw error; | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| import { LoginType } from '../../../../types/enums'; | ||
thewahome marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| /** | ||
| * Returns whether to load the POPUP/REDIRECT interaction | ||
| * @returns string | ||
| */ | ||
|
|
||
| export function getLoginType() { | ||
| const userAgent = window.navigator.userAgent; | ||
| const msie = userAgent.indexOf('MSIE '); | ||
| const msie11 = userAgent.indexOf('Trident/'); | ||
| const msedge = userAgent.indexOf('Edge/'); | ||
| const isIE = msie > 0 || msie11 > 0; | ||
| const isEdge = msedge > 0; | ||
| return isIE || isEdge ? LoginType.Redirect : LoginType.Popup; | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how did you test that this is now doing the right thing as far as PKCE.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ddyett
Frankly, I have trusted that the msal team has done the right thing. My tests were geared towards whether GE was able to sign in and out effectively into all the accounts. I may need guidance on ways to test this the PKCE way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thewahome Turn on Fiddler, you'll see a call to /authorize with &code_challenge parameter. That indicates that it is using PKCE.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code
You'll also see the refresh token supplied in the response to /token.
Graph Explorer and MSAL are using the auth code flow as expected. The one thing that we likely aren't doing but should do is set the state token in the initial request to /authorize and then checking on the response from /token that we are getting the same state token. This helps prevent CSRF