Open kenotron opened 2 weeks ago
cc @bgavrilMS to consider this for msal-node
I think the other big motivating factor is that keytar
is deprecated and unmaintained since 2022:
http://github.com/atom/node-keytar
MSAL should use a maintained package to store secrets. Especially when those secrets are auth tokens.
Agreed, @bgavrilMS - Please make sure that this is prioritized, as there is a good story from Windows to use wsl2 for node.js & frontend devs
Core Library
MSAL Node (@azure/msal-node)
Wrapper Library
MSAL Node Extensions (@azure/msal-node-extensions)
Public or Confidential Client?
Public
Description
Currently, the msal-node-extensions imposes a dependency on
keytar
. This is a cross-platform library that abstracts keystore. On Windows, this extension already handles credential persistence via the in-built Data Protection. On Linux, thekeytar
library depends on libsecret, which is then dependent on a dbus... this is not available in headless workloads like WSL2. A better approach is to utilize@napi-rs/keyring
which is a thinnapi-rs
wrapper on top of thekeyring-rs
crate written in Rust. There, the secret store is implemented natively in Rust as well. https://www.npmjs.com/package/@napi-rs/keyring uses https://github.com/hwchen/keyring-rs uses https://github.com/hwchen/secret-service-rs ... this means that headless workloads can also use keystores with this implementation.In addition, the author of the @napi-rs/keyring was recently awarded OSS fund from MSFT which means that the author is a credible source of quality code. I highly recommend us to move away from
keytar
.Source
Internal (Microsoft)