Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@azure/msal-react
Advanced tools
@azure/msal-react is a library that provides React components and hooks for integrating with the Microsoft Authentication Library (MSAL). It allows developers to easily add authentication and authorization to their React applications using Microsoft identity platform.
Authentication
This feature allows you to set up authentication in your React application. The code sample demonstrates how to initialize the MSAL provider and use a login popup to authenticate users.
import { MsalProvider, useMsal } from '@azure/msal-react';
import { PublicClientApplication } from '@azure/msal-browser';
const msalInstance = new PublicClientApplication({
auth: {
clientId: 'your-client-id',
authority: 'https://login.microsoftonline.com/your-tenant-id',
redirectUri: 'http://localhost:3000'
}
});
function App() {
return (
<MsalProvider instance={msalInstance}>
<YourComponent />
</MsalProvider>
);
}
function YourComponent() {
const { instance, accounts } = useMsal();
const handleLogin = () => {
instance.loginPopup().catch(e => {
console.error(e);
});
};
return (
<div>
<button onClick={handleLogin}>Login</button>
{accounts.length > 0 && <p>Welcome, {accounts[0].username}</p>}
</div>
);
}
Authorization
This feature allows you to acquire tokens for accessing protected resources. The code sample demonstrates how to silently acquire an access token for a specific scope.
import { useMsal } from '@azure/msal-react';
function YourComponent() {
const { instance, accounts } = useMsal();
const handleGetToken = () => {
const request = {
scopes: ['user.read'],
account: accounts[0]
};
instance.acquireTokenSilent(request).then(response => {
console.log('Access Token:', response.accessToken);
}).catch(e => {
console.error(e);
});
};
return (
<div>
<button onClick={handleGetToken}>Get Token</button>
</div>
);
}
Protected Routes
This feature allows you to protect routes in your React application. The code sample demonstrates how to create a protected route that only authenticated users can access.
import { MsalProvider, useIsAuthenticated } from '@azure/msal-react';
import { PublicClientApplication } from '@azure/msal-browser';
import { BrowserRouter as Router, Route, Redirect } from 'react-router-dom';
const msalInstance = new PublicClientApplication({
auth: {
clientId: 'your-client-id',
authority: 'https://login.microsoftonline.com/your-tenant-id',
redirectUri: 'http://localhost:3000'
}
});
function ProtectedRoute({ component: Component, ...rest }) {
const isAuthenticated = useIsAuthenticated();
return (
<Route
{...rest}
render={props =>
isAuthenticated ? (
<Component {...props} />
) : (
<Redirect to={{ pathname: '/login', state: { from: props.location } }} />
)
}
/>
);
}
function App() {
return (
<MsalProvider instance={msalInstance}>
<Router>
<ProtectedRoute path='/protected' component={ProtectedComponent} />
</Router>
</MsalProvider>
);
}
react-aad-msal is another library for integrating Azure AD authentication in React applications. It provides higher-level abstractions and components for handling authentication, but it may not be as actively maintained as @azure/msal-react.
react-azure-adb2c is a library specifically designed for integrating Azure AD B2C authentication in React applications. It offers a simpler API for B2C scenarios but lacks some of the advanced features and flexibility of @azure/msal-react.
oidc-client is a general-purpose library for OpenID Connect (OIDC) and OAuth2 authentication. It can be used with various identity providers, including Azure AD. However, it requires more manual setup and configuration compared to @azure/msal-react.
Getting Started | AAD Docs | Library Reference | Samples |
---|
The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using Azure AD work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Azure AD B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.
The @azure/msal-react
package described by the code in this folder uses the @azure/msal-browser
package as a peer dependency to enable authentication in Javascript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section in the @azure/msal-browser readme.
@azure/msal-react
is meant to be used in Single-Page Application scenarios.
Before using @azure/msal-react
you will need to register a Single Page Application in Azure AD to get a valid clientId
for configuration, and to register the routes that your app will accept redirect traffic on.
MSAL React version | MSAL support status | Supported React versions |
---|---|---|
MSAL React v2 | Active development | 16, 17, 18 |
MSAL React v1 | In maintenance | 16, 17, 18 |
Note: There have been no functional changes in the MSAL React v2 release.
The MSAL React package is available on NPM.
npm install react react-dom
npm install @azure/msal-react @azure/msal-browser
See the contributing.md
file for more information.
To build the @azure/msal-react
library, you can do the following:
// Install dev dependencies from root of repo
npm install
// Change to the msal-react package directory
cd lib/msal-react/
// To run build only for react package
npm run build
To build both the @azure/msal-react
library and @azure/msal-browser
libraries, you can do the following:
// Install dev dependencies from root of repo
npm install
// Change to the msal-react package directory
cd lib/msal-react/
// To run build for react and browser packages
npm run build:all
@azure/msal-react
uses jest to run unit tests and coverage.
// To run tests
npm test
// To run tests with code coverage
npm run test:coverage
For help getting started with @azure/msal-react
please see our getting started doc.
Migrating from react-aad-msal? Check out our migration guide.
Since @azure/msal-react
is a wrapper around @azure/msal-browser
many docs from the msal-browser
repo are relevant here as well. For concepts specific to @azure/msal-react
please see below
Our samples directory contains several example apps you can spin up to see how this library can be used in different contexts.
More advanced samples backed with a tutorial can be found in the Azure Samples space on GitHub:
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
FAQs
Microsoft Authentication Library for React
The npm package @azure/msal-react receives a total of 221,753 weekly downloads. As such, @azure/msal-react popularity was classified as popular.
We found that @azure/msal-react demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.