Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Without iFrame and silently login user approach #7465

Open
2 tasks
webelieve opened this issue Dec 13, 2024 · 0 comments
Open
2 tasks

Without iFrame and silently login user approach #7465

webelieve opened this issue Dec 13, 2024 · 0 comments
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments

@webelieve
Copy link

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2

Public or Confidential Client?

Public

Description

Silent Token Acquisition with Refresh Tokens: If the user has already authenticated and you have a refresh token, you can use it to silently acquire new access tokens without user interaction. This method does not involve iframes or popups.

// src/App.js
import React, { useEffect } from 'react';
import { useMsal } from '@azure/msal-react';
import { loginRequest } from './authConfig';

const App = () => {
const { instance, accounts } = useMsal();

useEffect(() => {
    if (accounts.length > 0) {
        instance.acquireTokenSilent({
            ...loginRequest,
            account: accounts[0]
        }).then(response => {
            console.log("Access token acquired silently:", response.accessToken);
        }).catch(error => {
            console.error("Silent token acquisition failed:", error);
        });
    }
}, [accounts, instance]);

Error Message

No response

MSAL Logs

No response

Network Trace (Preferrably Fiddler)

  • Sent
  • Pending

MSAL Configuration

export const msalConfig = {
    auth: {
        clientId: "your-client-id",
        authority: "https://login.microsoftonline.com/your-tenant-id",
        redirectUri: "http://localhost:3000"
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};

Relevant Code Snippets

// src/App.js
import React, { useEffect } from 'react';
import { useMsal } from '@azure/msal-react';
import { loginRequest } from './authConfig';

const App = () => {
    const { instance, accounts } = useMsal();

    useEffect(() => {
        if (accounts.length > 0) {
            instance.acquireTokenSilent({
                ...loginRequest,
                account: accounts[0]
            }).then(response => {
                console.log("Access token acquired silently:", response.accessToken);
            }).catch(error => {
                console.error("Silent token acquisition failed:", error);
            });
        }
    }, [accounts, instance]);

Reproduction Steps

Using Iframes

Pros:

  • Seamless User Experience: Iframes allow for silent token acquisition without disrupting the user’s interaction with the main application.
  • No Popups: Avoids the need for popups, which can be blocked by browsers or be intrusive to users2.

Cons:

  • Security Restrictions: Many modern browsers and security policies block iframes due to potential security risks, such as clickjacking.
  • X-Frame-Options: Azure AD sets the X-Frame-Options header to DENY, which prevents the use of iframes for authentication in many cases.
  • Complex Error Handling: Handling errors and ensuring proper fallback mechanisms can be more complex with iframe.

Without Using Iframes (e.g., Using Refresh Tokens or Popups)

Pros:

  • Better Security: Avoids issues related to iframe restrictions and potential security vulnerabilities.
  • Browser Compatibility: More compatible with modern browser security policies and settings.
  • Simpler Debugging: Easier to debug and handle errors compared to iframe-based solutions.

Cons:

  • User Interaction: May require user interaction if silent token acquisition fails, such as prompting for login again.
  • Token Management: Requires careful management of refresh tokens and handling their lifecycle.
  • Conclusion
  • If security and compatibility are your primary concerns, avoiding iframes and using methods like refresh tokens or popups might be the better approach. However, if you prioritize a seamless user experience and can manage the security implications, using iframes can be effective.

Expected Behavior

Silent Token Acquisition with Refresh Tokens: If the user has already authenticated and you have a refresh token, you can use it to silently acquire new access tokens without user interaction. This method does not involve iframes or popups.

Any suggestions? Thanks!

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Edge

Regression

No response

@webelieve webelieve added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Dec 13, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Dec 13, 2024
@github-actions github-actions bot added msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.
Projects
None yet
Development

No branches or pull requests

1 participant