@azure/msal-common
Package description
The @azure/msal-common package is a Microsoft library that provides the core functionality for the authentication protocols OAuth 2.0 and OpenID Connect. It is primarily used in the development of applications that require secure access to Microsoft Azure services. The package serves as a common foundation for other Microsoft authentication libraries, enabling developers to implement authentication features efficiently.
Token Acquisition
This feature allows developers to acquire tokens for accessing secured resources. The code sample demonstrates how to acquire a token using a username and password.
const msal = require('@azure/msal-common');
const pca = new msal.PublicClientApplication({ auth: { clientId: 'your-client-id' } });
// Resource Owner Password Credentials (ROPC) grant: the app sends the user's
// credentials directly and the resolved response holds the resulting tokens.
pca.acquireTokenByUsernamePassword({
    scopes: ['user.read'],
    username: 'user@example.com',
    password: 'your-password'
}).then(response => console.log(response)).catch(error => console.error(error));
Token Caching
Token caching is crucial for efficient authentication management, reducing the need to request new tokens for each operation. The code sample shows how to read the token cache from storage and look up a cached account.
const { TokenCache } = require('@azure/msal-common');
const cache = new TokenCache();
// Load the persisted cache stored under the given key, then look up the account by username.
cache.readFromStorage('your-storage-key').then(() => {
    const accountInfo = cache.getAccount('user@example.com');
    console.log(accountInfo);
});
Account Management
This feature facilitates the management of user accounts in an application. The code sample retrieves account information based on the username.
const msal = require('@azure/msal-common');
const pca = new msal.PublicClientApplication({ auth: { clientId: 'your-client-id' } });
// Resolve the account record the application holds for this username.
pca.getAccountByUsername('user@example.com').then(account => {
    console.log(account);
}).catch(error => console.error(error));
This package is a collection of Passport Strategies to help you integrate with Azure Active Directory. It is similar to @azure/msal-common but is specifically tailored for Node.js applications using Passport.js, making it more suitable for applications that already use Passport.js for other authentication needs.
oidc-client is a client-side library to help with OpenID Connect (OIDC) and OAuth2 protocol flows in web, desktop, and mobile applications. Unlike @azure/msal-common, which is optimized for Azure services, oidc-client is more generic and can be used with any OIDC-compliant identity provider.
Readme
The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using Azure AD work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Azure AD B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.
npm install @azure/msal-common
MSAL support on JavaScript is a collection of libraries. msal-common is the platform-agnostic core library, and msal-browser is our core library for Single Page Applications (SPAs) without a backend. This library includes improvements for new browser requirements in Safari, as well as an updated token acquisition flow utilizing the OAuth 2.0 Authorization Code Flow.
Our goal is to communicate extremely well with the community and to take their opinions into account. We would like to get to a monthly minor release schedule, with patches coming as often as needed. The level of communication, planning, and granularity we want to get to will be a work in progress.
Please check our roadmap to see what we are working on and what we are tracking next.
MSAL used to implement only the Implicit Grant Flow, as defined by the OAuth 2.0 protocol and OpenID Connect.
Our goal is that the library abstracts enough of the protocol away so that you can get plug-and-play authentication, but it is important to know and understand the implicit flow from a security perspective. The implicit flow runs in the context of a web browser, which cannot manage client secrets securely. It is optimized for single page apps and has one less hop between client and server, so tokens are returned directly to the browser. These aspects make it naturally less secure. These security concerns are mitigated by standard practices: use of short-lived tokens (and so no refresh tokens are returned), the library requiring a registered redirect URI for the app, and the library matching the request and response with a unique nonce and state parameter.
However, recent discussion among the IETF community has uncovered numerous vulnerabilities in the implicit flow. The MSAL library will now support the Authorization Code Flow with PKCE for Browser-Based Applications without a backend web server. You can read more about the disadvantages of the implicit flow here.
We plan to continue support for the implicit flow in the library.
This library is not meant for production use. Please use one of these packages specific to the platform you are developing for:
Before using MSAL.js you will need to register an application in Azure AD to get a valid clientId for configuration, and to register the routes that your app will accept redirect traffic on.
TBD
You can learn further details about MSAL.js functionality documented in the MSAL Wiki and find complete code samples.
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License (the "License");
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.