Create MSAL 2.0 provider

[Olli64]

Greetings!

Is there going to be msal 2.0 support any time soon? We cannot use this toolkit before we can use auth code + pkce that was featured in msal 2.0

Br, Olli

[ghost]

Hello Olli64, thank you for opening an issue with us!

I have automatically added a "needs triage" label to help get things started. Our team will analyze and investigate the issue, and escalate it to the relevant team if possible. Other community members may also look into the issue and provide feedback 🙌

[nmetulev]

Hey @Olli64, an msal 2.0 support sounds like a great idea. We can add that to our backlog and use this issue to track the progress.

In the short term, you can leverage msal 2.0 by using the SimpleProvider with your own implementation of msal 2.0

[Olli64]

Great, thanks for advice, I'll look into it!

[ozippy]

It took me a few hours to work out why I couldn't get the component for React to work. All that would happen would be I would sign-in and end up back at the sign-in button. No errors reported in the console. With some help from Fiddler, I worked out that it was because the Azure app registration was not configured for multi-tenant. It might be useful to highlight that in the docs. (I found it once I knew to look for it).

It seems that Implicit grant is no longer recommended, so am I right in thinking that I really need to use MSAL 2.0?

I don't want to use multi-tenant and with the changes to registrations, that seems even more relevant. "Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers. Add MPN ID to verify publisher"

I'll have a look at the SimpleProvider option.

Thanks and Happy Christmas :)

[nmetulev]

@ozippy, might be a bit late with my reply, but you should be able to use a single tenant registration with the current msalprovider - you would just need to make sure to specify the tenant id in the authority property/attribute

[waldekmastykarz]

@ozippy here is a sample of how the config would look like: https://blog.mastykarz.nl/single-tenant-azure-ad-apps-microsoft-graph-toolkit/

[ozippy]

Thanks @nmetulev and @waldekmastykarz. I'll give it a try.

[BigBlueHat]

Once #969 is merged will this allow my Azure Web App-based authentication flow (using AzureAD) to share auth credentials/login state with the mgt-msal-provider which uses the same client-id?

Right now, folks have to login to the full screen (redirect flow) auth and click "Sign In" on the mgt-login widget...

I'm essentially using the Azure Web App Authentication to secure the rest of the APIs served from this Web App, but I'm mixing in MGT stuff in relationship to what those API's provide. FWIW. 😃

[waldekmastykarz]

I don't think that will be an option. Easy auth (Azure web app authentication) when used in the browser by navigating to the site, is using cookie-based auth, whereas MGT uses OAuth to obtain an access token. As far as I know, there is no way to exchange the cookie for an access token. Is there a specific reason why you're using both Easy Auth and MSAL provider rather than just the MSAL provider?

[BigBlueHat]

I'm also deploying an API which wraps external API's who's auth keys are stored in the Azure Web App's config. I don't want those endpoints open to the world, so that bit needs it's own securing--hence Azure Web App Authentication. The MSAL stuff is there for Microsoft Graph--which I suppose I could also push through a locally deployed proxy?

[BigBlueHat]

It seems like it would be possible perhaps by passing in the userAgentApplication value mentioned in https://docs.microsoft.com/en-us/graph/toolkit/providers/msal#pass-an-existing-useragentapplication-in-the-useragentapplication-property

Or perhaps by setting up a custom Provider that used the already present authentication information from Azure Web App Authentication/Easy Auth.

[nmetulev]

Are you able to pass an sid or a login hint (email) from the Azure Web App down to the client for the current signed in user? The Msal2Provider leverages ssoLogin for signing in, and (as I understand it) if one of those is present and the client id is the same, it should sso sign in the user on the client leveraging the cookie that was placed when the user signed in.

We will have a preview of the msal 2 provider hopefully this week, would you be able to help us test this scenario?

[nmetulev]

Msal2Provider added in #1043