@azure/msal-common

What is @azure/msal-common?

The @azure/msal-common package is a Microsoft library that provides the core functionality for the authentication protocols OAuth 2.0 and OpenID Connect. It is primarily used in the development of applications that require secure access to Microsoft Azure services. The package serves as a common foundation for other Microsoft authentication libraries, enabling developers to implement authentication features efficiently.

What are @azure/msal-common's main functionalities?

Token Acquisition

This feature allows developers to acquire tokens for accessing secured resources. The code sample demonstrates how to acquire a token using a username and password.

const msal = require('@azure/msal-common');
const pca = new msal.PublicClientApplication({ auth: { clientId: 'your-client-id' } });
pca.acquireTokenByUsernamePassword({
  scopes: ['user.read'],
  username: 'user@example.com',
  password: 'your-password'
}).then(response => console.log(response)).catch(error => console.error(error));

Token Caching

Token caching is crucial for efficient authentication management, reducing the need to request new tokens for each operation. The code sample shows how to read token cache from storage.

const { TokenCache } = require('@azure/msal-common');
const cache = new TokenCache();
cache.readFromStorage('your-storage-key').then(() => {
  const accountInfo = cache.getAccount('user@example.com');
  console.log(accountInfo);
});

Account Management

This feature facilitates the management of user accounts in an application. The code sample retrieves account information based on the username.

const msal = require('@azure/msal-common');
const pca = new msal.PublicClientApplication({ auth: { clientId: 'your-client-id' } });
pca.getAccountByUsername('user@example.com').then(account => {
  console.log(account);
}).catch(error => console.error(error));

Readme
Microsoft Authentication Library for JavaScript (MSAL.js) (DRAFT)

Getting Started | AAD Docs | Library Reference | Support | Samples

The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using Azure AD work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Azure AD B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.


Installation

Via NPM:

npm install @azure/msal-common

Roadmap and What To Expect From This Library

MSAL support for JavaScript is a collection of libraries. msal-common is the platform-agnostic core library, and msal-browser is our core library for Single Page Applications (SPAs) without a backend. This library includes improvements for new browser requirements in Safari, as well as an updated token acquisition flow utilizing the OAuth 2.0 Authorization Code Flow.

Our goal is to communicate extremely well with the community and to take their opinions into account. We would like to get to a monthly minor release schedule, with patches coming as often as needed. The level of communication, planning, and granularity we want to get to will be a work in progress.

Please check our roadmap to see what we are working on and what we are tracking next.

OAuth 2.0 and the Implicit Flow vs Authorization Code Flow with PKCE

MSAL used to implement only the Implicit Grant Flow, as defined by the OAuth 2.0 protocol and OpenID.

Our goal is that the library abstracts enough of the protocol away so that you can get plug-and-play authentication, but it is important to know and understand the implicit flow from a security perspective. The implicit flow runs in the context of a web browser, which cannot manage client secrets securely. It is optimized for single-page apps and has one fewer hop between client and server, so tokens are returned directly to the browser. These aspects make it inherently less secure. These security concerns are mitigated by standard practices: use of short-lived tokens (so no refresh tokens are returned), the library requiring a registered redirect URI for the app, and the library matching the request and response with a unique nonce and state parameter.

However, recent discussion in the IETF community has uncovered numerous vulnerabilities in the implicit flow. The MSAL library will now support the Authorization Code Flow with PKCE for browser-based applications without a backend web server. You can read more about the disadvantages of the implicit flow here.

We plan to continue support for the implicit flow in the library.

Usage

This library is not meant for production use. Please use one of these packages specific to the platform you are developing for:

Prerequisite

Before using MSAL.js you will need to register an application in Azure AD to get a valid clientId for configuration, and to register the routes that your app will accept redirect traffic on.

TBD

You can learn further details about MSAL.js functionality documented in the MSAL Wiki and find complete code samples.

Security Reporting

If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.

License

Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License (the "License");

We Value and Adhere to the Microsoft Open Source Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Last updated on 18 Jan 2020