Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

acquiretokenredirect best practices guidance

See original GitHub issue

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.21.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.4.0

Public or Confidential Client?

Public

Description

Hi! I am just looking for guidance on best practice with acquireTokenRedirect.

We are using msal-react, but we have reusable functions we use to acquire tokens with msal-browser (not in any react component where we pass in the instance and context).

We have several parallel requests which run, and we are not sure what the best practice is for acquiring tokens by redirect.

It seems this is called several times on each failed acquireTokenSilent request when tokens have expired, causing a redirect loop of about 4 loops until the page loads. I’m wondering what guidance would be to fix our issue and improve how we are using msal.

Thanks so much!

MSAL Configuration

export const msalConfig = {
    auth: {
        clientId: config.auth.clientId,
        authority: 'https://login.microsoftonline.com/consumers',
        navigateToLoginRequestUrl: false,
        postLogoutRedirectUri: `${config.auth.redirectUrl || config.sasUrl}`,
        redirectUri: getRedirectUri()
    },
    cache: {
        cacheLocation: BrowserCacheLocation.LocalStorage,
    },
};

Relevant Code Snippets

get token function: const getToken = async (msalContext: IMsalContext, scopes: string[], telemetryService: ITelemetryService): Promise<AuthenticationResult> => {
    const msalInstance = msalContext.instance;
    const accounts = msalInstance.getAllAccounts();
    if (accounts.length > 0) {
        const silentRequest = {
            scopes,
            account: msalInstance.getActiveAccount() || accounts[0]
        };
        const redirectRequest = {
            scopes,
        };
        try {
            return await msalInstance.acquireTokenSilent(silentRequest);
        }catch (error) {
            if (error instanceof (InteractionRequiredAuthError)){
                try {
                    // fallback to interaction when silent call fails
                    if (msalContext.inProgress === InteractionStatus.None){
                        await msalInstance.acquireTokenRedirect(redirectRequest);
                    }
                }catch (e) {
                    telemetryService.trackError(e, TelemetryEventName.GetMsalTokenRedirect);
                    return null;
                }
            }
            telemetryService.trackError(error, TelemetryEventName.GetMsalTokenSilent);
            return null;
        }
    }
};




where we fetch token in axios interceptor (abstracted some away from here  as it's not really needed)

  constructor(msalContext: IMsalContext, telemetryService: ITelemetryService) {
        this.axiosInstance = axios.create();
        this.telemetryService = telemetryService;
        this.axiosInstance.interceptors.request.use(
            (config: ExtendedAxiosRequestConfig) => {
                config.requestId = createGuid();
                config.startTimeMs = performance.now();
                return new Promise((resolve, reject) => {
                    getToken(msalContext, telemetryService).then(tokenResult => {
                        if (!tokenResult) {
                            throw new AxiosError("No token");
                        }
                        const { accessToken } = tokenResult;
                        config.headers['Authorization'] = `Bearer ${accessToken}`;
                        config.headers['Content-Type'] = 'application/json';
                        config.headers['ms-cv'] = telemetryService?.getCorrelationVector(true);
                        if (config.telemetryEventName) {
                            config.headers['x-ms-operation-name'] = config.telemetryEventName;
                        }
                        resolve(config);
                    }, reject);
                });
            }
        );

Identity Provider

Azure AD / MSA

Source

Internal (Microsoft)

Issue Analytics

State:
Created a year ago
Comments:10 (5 by maintainers)

Top GitHub Comments

2reactions

sameeragcommented, Oct 31, 2022

@derisen I marked a work item for the actual support of concurrency (which we do not have a design today and needs work). However, in the short term we should document this to clarify that we do not support this and what is the best practice for cases developers may run into them.

2reactions

sameeragcommented, Oct 27, 2022

We will work on docs here, cc @derisen can we track this?

Top Results From Across the Web

Azure Communication Services - Credentials best practices

This article provides best practices for managing User Access Tokens in Azure Communication Services SDKs. Following this guidance will help ...

reactjs - msal in React SPA - use access token received from ...

When I use acquireTokenRedirect, what I see is: 1. The user is redirected to login.microsoftonline.com. 2. A 302 response is returned with ...

msal - UNPKG

It is best practice to only request scopes you need when you need them, ... You can use acquireTokenRedirect or acquireTokenPopup to initiate...

Building Single Page Application with React, MSAL.js and PnPjs

This class is responsible for access token generation. It derives from PnPjs BearerTokenFetchClient class and adds methods to request access ...

PublicClientApplication | microsoft-authentication-libraries-for-js

acquireTokenRedirect (request: RedirectRequest): Promise<void> ... API is provided for convenience but getAccountById should be used for best reliability ...