Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
react-native-msal
Advanced tools
Requires React Native >=0.61
$ yarn add react-native-msal
Before setting up your React Native app, you must register your application in the Azure Portal.
msauth://<PACKAGE>/<BASE64_URL_ENCODED_PACKAGE_SIGNATURE>
.
.keystore
file, or from the Google Play Console if you have automatic app signing turned on.
.keystore
file.echo -n "<YOUR_SHA1_SIGNATURE>" | openssl dgst -binary -sha1 | openssl base64
.android/app/src/main/assets
) named msal_config.json
containing your MSAL configuration. If you don't have an assets
folder already, you will need to create one.AndroidManifest.xml
file as described here.Follow the steps as described here. Steps include:
msauth.[BUNDLE_ID]://auth
com.microsoft.adalcache
Info.plist
file, which will be in the format of msauth.[BUNDLE_ID]PublicClientApplication
classThis class is designed to be a thin wrapper around the native functionality of the Android and iOS MSAL libraries.
const config: MSALConfiguration = {
auth: {
clientId: 'your-client-id',
// authority: 'default-authority',
},
};
const pca = new PublicClientApplication(config);
If you don't provide an authority, the common one will be used. This authority will be used as the default for calls to acquireToken
and acquireTokenSilent
.
const params: MSALInteractiveParams = {
scopes: ['scope1', 'scope2'],
};
const result: MSALResult = await pca.acquireToken(params);
You must use this method before any calls to acquireTokenSilent
.
Use the accessToken
from the MSALResult to call your API.
Store the account
from the result for acquiring tokens silently or for removing the account.
const params: MSALSilentParams = {
scopes: ['scope1', 'scope2'],
account: result.account,
// forceRefresh: true,
};
const result = await pca.acquireTokenSilent(params);
You can force the token to refresh with the forceRefresh
option
const accounts: MSALAccount[] = await pca.getAccounts();
Instead of storing the account
from a MSALResult for an acquireTokenSilent
method call, you can filter the MSALAccount[] result for a particular account and use it.
const res: boolean = await pca.removeAccount(result.account);
Alternatively, you can call the signOut
method:
const params: MSALSignoutParams = {
account: result.account,
// signoutFromBrowser: true
};
const res: boolean = await pca.signOut(params);
On Android, this is the same as removeAccount
, but on iOS, if you call it with signoutFromBrowser: true
, it will sign you out of the browser as well.
The PublicClientApplication
class is a bit too bare bones for dealing with a B2C application, and you will need to write a bit of code to get the desired behavior.
To address this issue, the example app that is included in this repository includes a B2CClient
class which contains a lot of the functionality you will need for a B2C app. You can copy this class right into your own React Native app and modify it to your liking. You can see it being used in the example's App.tsx
If you would like to see this class included in the library itself, please create an issue requesting so.
As mentioned above, the example app demonstrates a B2C implementation
To run the example, first:
yarn bootstrap
msauth://com.example/P6akJ4YYsuUDahjqGra9mAflzdA%3D
msauth.com.example://auth
b2cConfig
object in msalConfig.ts
with your detailsmsal_config.json
asset file to include your client id and authoritiesyarn example android
yarn example ios
See breaking changes in CHANGELOG.md.
Default exported class renamed from MSALClient
to PublicClientApplication
and constructor now accepts an MSALConfiguration
object instead of a clientId
string.
-import MSALClient from 'react-native-msal';
+import MSALClient, { MSALConfiguration } from 'react-native-msal';
-const msalClient = new MSALClient(clientId);
+const config: MSALConfiguration = {
+ auth: {
+ clientId,
+ },
+};
+const msalClient = new MSALClient(config);
MSALAccount
and accountIdentifier
propertiesThe MSALAccount
definition has been modified to include a new Claims
dictionary. All methods that previously consumed the identifier
from this type should now provide the entire MSALAccount
object instead.
const result = msalClient.acquireTokenSilent({
authority,
scopes,
- accountIdentifier: account.identifier,
+ account,
});
signOut
methodThe signout
method has been renamed signOut
and authority
removed from the MSALSignoutParams
.
-await msalClient.signout({
- authority,
+await msalClient.signOut({
removeAccount
methodMSALRemoveAccountParams
has been removed and so the removeAccount
method only requires the account
.
-await msalClient.removeAccount({
+await msalClient.removeAccount(
- authority,
account,
-})
+)
ios_prefersEphemeralWebBrowserSession
has moved from acquireToken()
and signOut()
parameters into the new webviewParameters
in MSALInteractiveParams
and MSALSignoutParams
respectively.
-ios_prefersEphemeralWebBrowserSession: true,
+webviewParameters: {
+ ios_prefersEphemeralWebBrowserSession: true,
+},
expiresOn
MSALResult.expiresOn
now returns a value in seconds instead of milliseconds.
MSALResult
interfaceThe result returned from an acquireToken
or acquireTokenSilent
call no longer has an authority
property.
See example/src/b2cClient.ts, but at the very least, knownAuthorities
should be added to the initial client constructor.
You'll need to mock the PublicClientApplication class for testing purposes. One way to do this:
// yourtestfile.test.ts
import PublicClientApplication from 'react-native-msal';
jest.mock('react-native-msal');
const MockPublicClientApplication = PublicClientApplication as jest.MockedClass<PublicClientApplication>;
it('Creates a mock instance without calling native functions', () => {
const mockPca = new MockPublicClientApplication({ auth: { clientId: '1234' } });
expect(MockPublicClientApplication).toHaveBeenCalledTimes(1);
expect(mockPca).not.toBeNull();
});
FAQs
React Native wrapper for iOS and Android
The npm package react-native-msal receives a total of 728 weekly downloads. As such, react-native-msal popularity was classified as not popular.
We found that react-native-msal demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.