react-native-msal
https://stashenergy.github.io/react-native-msal/
Requires React Native >=0.61
Stable version:
$ yarn add react-native-msal
Beta version:
$ yarn add react-native-msal@beta
Don't forget to run npx pod-install after!
PublicClientApplication class
This class is designed to be a thin wrapper around the native functionality of the Android and iOS MSAL libraries.
import PublicClientApplication, { MSALConfiguration } from 'react-native-msal';

const config: MSALConfiguration = {
  auth: {
    clientId: 'your-client-id',
    // authority: 'default-authority',
  },
};

// Option 1: Constructor calls an asynchronous init method for you, but you won't know when it's done and can't catch errors
// const pca = new PublicClientApplication(config);

// Option 2 (RECOMMENDED): Skips init, so you can call it yourself and handle errors
const pca = new PublicClientApplication(config, false);
try {
  await pca.init();
} catch (error) {
  console.error('Problem in configuration/setup:', error);
}
If you don't provide an authority, the common one will be used. This authority will be used as the default for calls to acquireToken and acquireTokenSilent.
const params: MSALInteractiveParams = {
  scopes: ['scope1', 'scope2'],
};
const result: MSALResult = await pca.acquireToken(params);
You must use this method before any calls to acquireTokenSilent.
Use the accessToken from the MSALResult to call your API.
Store the account from the result for acquiring tokens silently or for removing the account.
const params: MSALSilentParams = {
  scopes: ['scope1', 'scope2'],
  account: result.account,
  // forceRefresh: true,
};
const result = await pca.acquireTokenSilent(params);
You can force the token to refresh with the forceRefresh option.
const accounts: MSALAccount[] = await pca.getAccounts();
Instead of storing the account from a MSALResult for an acquireTokenSilent method call, you can filter the MSALAccount[] result for a particular account and use it.
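The silent-first flow the sections above describe (filter the getAccounts result, call acquireTokenSilent, fall back to acquireToken), as an added example that is not part of the library or its README. The TokenClient interface, the username field, pickAccount and getToken are assumptions defined here; only the three method names and the accessToken, account, scopes and forceRefresh fields come from the page.

```typescript
// Minimal structural types for this example (assumptions, not the library's own
// declarations). `username` is assumed so there is something to filter on.
interface Account { username: string }
interface TokenResult { accessToken: string; account: Account }
interface TokenClient {
  getAccounts(): Promise<Account[]>;
  acquireTokenSilent(p: { scopes: string[]; account: Account; forceRefresh?: boolean }): Promise<TokenResult>;
  acquireToken(p: { scopes: string[] }): Promise<TokenResult>;
}

const norm = (s: string): string => s.trim().toLowerCase();

// Pick exactly one cached account. An ambiguous match returns undefined rather
// than guessing, so a token is never requested for the wrong identity on a
// device that holds several accounts.
function pickAccount(accounts: Account[], username: string): Account | undefined {
  const hits = accounts.filter((a) => norm(a.username) === norm(username));
  return hits.length === 1 ? hits[0] : undefined;
}

type TokenOutcome = { via: 'silent' | 'interactive'; result: TokenResult };

// Silent first; interactive only when there is no usable cached account or the
// silent call rejects. The token stays in the returned object and is never logged.
async function getToken(client: TokenClient, scopes: string[], username: string): Promise<TokenOutcome> {
  const account = pickAccount(await client.getAccounts(), username);
  if (account) {
    try {
      return { via: 'silent', result: await client.acquireTokenSilent({ scopes, account }) };
    } catch {
      // Fall through: the cached credentials were not accepted.
    }
  }
  const result = await client.acquireToken({ scopes });
  // Refuse a token issued to a different user than the one requested.
  if (norm(result.account.username) !== norm(username)) {
    throw new Error('interactive sign-in returned a different account');
  }
  return { via: 'interactive', result };
}
```
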
const res: boolean = await pca.removeAccount(result.account);
Alternatively, you can call the signOut method:
const params: MSALSignoutParams = {
  account: result.account,
  // signoutFromBrowser: true
};
const res: boolean = await pca.signOut(params);
On Android, this is the same as removeAccount, but on iOS, if you call it with signoutFromBrowser: true, it will sign you out of the browser as well.
The PublicClientApplication class is a bit too bare-bones for dealing with a B2C application, and you will need to write a bit of code to get the desired behavior.
To address this issue, the example app that is included in this repository includes a B2CClient class which contains a lot of the functionality you will need for a B2C app. You can copy this class right into your own React Native app and modify it to your liking. You can see it being used in the example's App.tsx.
If you would like to see this class included in the library itself, please let us know.
As mentioned above, the example app demonstrates a B2C implementation.
To run the example locally, first clone the repo and run $ yarn bootstrap to install the dependencies. Then run the following for the desired platform:
iOS: $ yarn example ios
Android: $ yarn example android
Web: $ yarn example web
(the example app is also running live here)
If you want to run the example using your own Azure application information:
msauth://com.example/Xo8WBi6jzSxKDVR4drqm84yr9iU%3D
msauth.com.example://auth
http://localhost:19006
b2cConfig and b2cScopes variables in msalConfig.ts with your details.
msal_config.json Android asset file with your details.
See breaking changes in CHANGELOG.md.
FAQs
React Native wrapper for iOS and Android
The npm package react-native-msal receives a total of 2,983 weekly downloads. As such, react-native-msal's popularity was classified as popular.
We found that react-native-msal demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.