Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.
MIT License

Expose account info in @azure/identity credential classes #16052

Closed wwlorey closed 3 years ago

wwlorey commented 3 years ago

@azure/msal-node's acquireTokenByCode returns an object including AccountInfo such as username. My application requires access to that account info and it would be great if I could access it from @azure/identity's AuthorizationCodeCredential class because the identity package simplifies the auth process and provides the credential classes you need for ARM API calls.

If that isn't possible, do you have any guidance on how to generate a credential object using the MSAL package without having to manage token caching/refreshing manually for the credential?

sadasant commented 3 years ago

Hello, @wwlorey , I’m Daniel. I’ll be doing my best to help you!

We encourage using MSAL packages for use cases that are not directly supported by @azure/identity. We have a sample that tries to showcase how one would write a TokenCredential that underneath uses MSAL: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-msal-directly

So, the idea is that anything that has to do with obtaining the token will have to go in the getToken async method of the credential. This means that one can try to silently authenticate before doing a real token request.

I recommend diving into MSAL before continuing on this path. The context provided by the MSAL docs will be helpful. For example, it is in fact MSAL that deals with caching and refreshing the tokens. Inside the getToken method of your custom credential, you would need to call the acquireTokenSilent method in either msalNode.ConfidentialClientApplication or msalNode.PublicClientApplication. If it fails, you can then proceed to call acquireTokenByCode. MSAL has a more detailed example of an authentication flow that uses these methods here: msal-node-samples/b2c-silent-flow/README.md.

Let’s say you have obtained a result from MSAL either from the silent authentication call, or from the acquireTokenByCode call. You will receive an object that is specific to MSAL. To satisfy the TokenCredential's getToken return signature, you would do something like the following (meaning, to deconstruct MSAL's result and extract the token and the expiration date into the format expected by @azure/core-auth's AccessToken):

import * as msalNode from "@azure/msal-node";
import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";

class ConfidentialClientCredential implements TokenCredential {
  constructor(private confidentialApp: msalNode.ConfidentialClientApplication) {}

  async getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken> {
    // Placeholder for the MSAL calls: acquireTokenSilent on this.confidentialApp,
    // falling back to acquireTokenByCode when the silent call fails.
    const result = await someWayToGetTheTokenThroughMSAL(scopes);
    // Deconstruct MSAL's AuthenticationResult into @azure/core-auth's AccessToken shape.
    return {
      token: result.accessToken,
      expiresOnTimestamp: result.expiresOn.getTime()
    };
  }
}

Does this help? Please let us know. We’ll follow up as soon as we’re able to.
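The silent-first flow described in the comment above, as an added example that is not part of the issue thread or of the Azure SDK. To run offline it declares a minimal structural subset of @azure/msal-node's request and result shapes (AccountInfo, AuthenticationResult, the two acquireToken* methods) and a constructed in-memory stand-in, FakeMsalApp, for ConfidentialClientApplication; the obtainAuthCode hook, the redirect URI, the account values and the expiry are all constructed sample data. The credential calls acquireTokenSilent when it already knows an account, falls back to acquireTokenByCode otherwise, converts the result to @azure/core-auth's AccessToken shape, and keeps the AccountInfo so the application can read the username, which is what the original question asked for.

```typescript
// Added example, not code from the Azure SDK or from the issue's authors.
// Minimal structural subset of @azure/msal-node's shapes; pass a real
// msalNode.ConfidentialClientApplication (or PublicClientApplication) in an app.

interface AccountInfo { homeAccountId: string; tenantId: string; username: string; }
// Subset of MSAL's AuthenticationResult; expiresOn and account are nullable there.
interface AuthenticationResult { accessToken: string; expiresOn: Date | null; account: AccountInfo | null; }
interface SilentFlowRequest { account: AccountInfo; scopes: string[]; }
interface AuthorizationCodeRequest { code: string; scopes: string[]; redirectUri: string; }
interface MsalClientLike {
  acquireTokenSilent(req: SilentFlowRequest): Promise<AuthenticationResult | null>;
  acquireTokenByCode(req: AuthorizationCodeRequest): Promise<AuthenticationResult | null>;
}
// Shape of @azure/core-auth's AccessToken, the value getToken must resolve to.
interface AccessToken { token: string; expiresOnTimestamp: number; }

function normalizeScopes(scopes: string | string[]): string[] {
  return Array.isArray(scopes) ? scopes : [scopes];
}

// Deconstruct MSAL's result into an AccessToken; refuse tokens of unknown lifetime.
function toAccessToken(result: AuthenticationResult): AccessToken {
  if (!result.expiresOn) throw new Error("MSAL result carries no expiresOn");
  return { token: result.accessToken, expiresOnTimestamp: result.expiresOn.getTime() };
}

// Credential that lets MSAL serve or refresh from its cache via acquireTokenSilent
// and only falls back to the auth-code exchange when that fails. It retains the
// AccountInfo so the application can read e.g. the signed-in username.
class AccountAwareCodeCredential {
  private account: AccountInfo | null = null;

  constructor(
    private readonly app: MsalClientLike,
    private readonly redirectUri: string,
    // Hypothetical hook returning a fresh authorization code from the app's
    // redirect handler; a real app would await the browser round-trip here.
    private readonly obtainAuthCode: () => Promise<string>,
  ) {}

  getAccount(): AccountInfo | null { return this.account; }

  async getToken(scopes: string | string[]): Promise<AccessToken> {
    const scopeList = normalizeScopes(scopes);
    let result: AuthenticationResult | null = null;
    if (this.account) {
      try {
        result = await this.app.acquireTokenSilent({ account: this.account, scopes: scopeList });
      } catch {
        result = null; // e.g. InteractionRequiredAuthError: fall through to the code flow
      }
    }
    if (!result) {
      const code = await this.obtainAuthCode();
      result = await this.app.acquireTokenByCode({ code, scopes: scopeList, redirectUri: this.redirectUri });
    }
    if (!result) throw new Error("MSAL returned no authentication result");
    this.account = result.account;
    return toAccessToken(result);
  }
}

// Constructed stand-in for ConfidentialClientApplication: one cached account, a
// fixed expiry, and call counters so the demo can show which path was taken.
class FakeMsalApp implements MsalClientLike {
  silentCalls = 0;
  codeCalls = 0;
  private readonly account: AccountInfo = {
    homeAccountId: "00000000-0000-0000-0000-000000000001.constructed-tenant",
    tenantId: "constructed-tenant",
    username: "alice@contoso.example",
  };
  private readonly expiresOn = new Date(1700000000000);

  async acquireTokenSilent(req: SilentFlowRequest): Promise<AuthenticationResult | null> {
    this.silentCalls++;
    if (req.account.homeAccountId !== this.account.homeAccountId) {
      throw new Error("interaction_required"); // no cache entry for that account
    }
    return { accessToken: "silent-" + req.scopes.join(" "), expiresOn: this.expiresOn, account: this.account };
  }

  async acquireTokenByCode(req: AuthorizationCodeRequest): Promise<AuthenticationResult | null> {
    this.codeCalls++;
    if (req.code !== "constructed-auth-code") return null;
    return { accessToken: "code-" + req.scopes.join(" "), expiresOn: this.expiresOn, account: this.account };
  }
}

// Two getToken calls for the ARM scope: the first must exchange the code, the second is silent.
async function runDemo() {
  const app = new FakeMsalApp();
  const credential = new AccountAwareCodeCredential(app, "http://localhost:3000/redirect", async () => "constructed-auth-code");
  const scope = "https://management.azure.com/.default";
  const first = await credential.getToken(scope);
  const second = await credential.getToken(scope);
  return { first, second, username: credential.getAccount()?.username ?? null, silentCalls: app.silentCalls, codeCalls: app.codeCalls };
}
```

With a real ConfidentialClientApplication the same class works unchanged apart from the types: MSAL owns the cache and refresh logic, the credential only decides which acquire call to make and reshapes the result, and getAccount() is the hook the original question was missing.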

wwlorey commented 3 years ago

Thanks @sadasant, this was super helpful 🙏

I had been looking at MSAL docs on docs.microsoft.com like this one, but the samples you linked from this repo seemed more helpful, at least for me. Are any of those samples linked to from articles on docs.microsoft.com? If not, that might be a nice way to get the word out about the code samples.

sadasant commented 3 years ago

@wwlorey, I’m sending that feedback to our team! We’ll make sure to update the docs as soon as possible. In the meantime, I’ll close this issue. Please feel free to re-open it or to create a new one in case there’s anything that we haven’t answered or anything new that you spot! Feedback like yours helps us get better every day.

scottaddie commented 3 years ago

@wwlorey There are plans to move the content in AzureIdentityExamples.md into docs.microsoft.com, where it's more discoverable and localized. I expect that work to kick off in the coming months.