AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Migrate the msal-node-extensions to use @napi-rs/keyring instead of keytar #7170

Open kenotron opened 2 weeks ago

kenotron commented 2 weeks ago

Core Library

MSAL Node (@azure/msal-node)

Wrapper Library

MSAL Node Extensions (@azure/msal-node-extensions)

Public or Confidential Client?

Public

Description

Currently, the msal-node-extensions imposes a dependency on keytar. This is a cross-platform library that abstracts the keystore. On Windows, this extension already handles credential persistence via the in-built Data Protection. On Linux, the keytar library depends on libsecret, which is then dependent on a dbus... this is not available in headless workloads like WSL2. A better approach is to utilize @napi-rs/keyring, which is a thin napi-rs wrapper on top of the keyring-rs crate written in Rust. There, the secret store is implemented natively in Rust as well. https://www.npmjs.com/package/@napi-rs/keyring uses https://github.com/hwchen/keyring-rs, which uses https://github.com/hwchen/secret-service-rs ... this means that headless workloads can also use keystores with this implementation.

In addition, the author of @napi-rs/keyring was recently awarded an OSS fund from MSFT, which means that the author is a credible source of quality code. I highly recommend that we move away from keytar.

Source

Internal (Microsoft)
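A sketch of how the extension's persistence could sit on top of @napi-rs/keyring, as an added example that is not code from msal-node-extensions or from this issue. It assumes @napi-rs/keyring's `Entry` API (`getPassword` returning a string or null, `setPassword`) and msal-node's `ICachePlugin` shape (`beforeCacheAccess`/`afterCacheAccess` receiving a context with `tokenCache` and `cacheHasChanged`), and uses constructed in-memory stand-ins so it runs without a keystore:

```javascript
// Added example, not msal-node-extensions code: an msal-node ICachePlugin that keeps
// the serialized token cache in an OS keystore entry instead of a plaintext file.
// `store` is assumed to have the @napi-rs/keyring `Entry` shape:
//   getPassword() -> string | null, setPassword(string).
function createKeyringCachePlugin(store) {
  return {
    // Runs before every cache read: load whatever the keystore holds.
    async beforeCacheAccess(cacheContext) {
      const serialized = store.getPassword();
      // null means no entry yet (first run): leave the in-memory cache empty.
      if (serialized !== null && serialized !== undefined) {
        cacheContext.tokenCache.deserialize(serialized);
      }
    },
    // Runs after every cache access: write back only when MSAL changed the cache.
    async afterCacheAccess(cacheContext) {
      if (cacheContext.cacheHasChanged) {
        store.setPassword(cacheContext.tokenCache.serialize());
      }
    },
  };
}

// Constructed in-memory stand-in for a keyring Entry so the example runs offline.
class FakeEntry {
  constructor() { this.secret = null; this.writes = 0; }
  getPassword() { return this.secret; }
  setPassword(s) { this.secret = s; this.writes += 1; }
}

// Constructed stand-in for msal-node's TokenCache (serialize/deserialize only).
class FakeTokenCache {
  constructor() { this.state = '{}'; }
  serialize() { return this.state; }
  deserialize(s) { this.state = s; }
}

// Two cache accesses: first run stores a (constructed) token, second run reloads it.
async function demo() {
  const entry = new FakeEntry();
  const plugin = createKeyringCachePlugin(entry);
  const cache = new FakeTokenCache();
  await plugin.beforeCacheAccess({ tokenCache: cache, cacheHasChanged: false });
  cache.deserialize('{"AccessToken":{"constructed":"sample"}}'); // MSAL acquired a token
  await plugin.afterCacheAccess({ tokenCache: cache, cacheHasChanged: true });
  const cache2 = new FakeTokenCache(); // fresh process: in-memory cache starts empty
  await plugin.beforeCacheAccess({ tokenCache: cache2, cacheHasChanged: false });
  await plugin.afterCacheAccess({ tokenCache: cache2, cacheHasChanged: false });
  return { stored: entry.getPassword(), reloaded: cache2.serialize(), writes: entry.writes };
}
```

With a real store, `new Entry('my-cli', 'msal-token-cache')` from @napi-rs/keyring replaces `FakeEntry`; the service and account names there are placeholders.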

sameerag commented 2 weeks ago

cc @bgavrilMS to consider this for msal-node

TylerLeonhardt commented 2 weeks ago

I think the other big motivating factor is that keytar is deprecated and unmaintained since 2022: http://github.com/atom/node-keytar

MSAL should use a maintained package to store secrets. Especially when those secrets are auth tokens.

kenotron commented 2 weeks ago

Agreed, @bgavrilMS - Please make sure that this is prioritized, as there is a good story from Windows to use wsl2 for node.js & frontend devs