Angular interceptor should support APIs with optional authentication

Core Library

MSAL.js v2 (@azure/msal-browser)

Wrapper Library

MSAL Angular (@azure/msal-angular)

Description

There should be a way in the angular interceptor to specify an API where authentication is optional (i.e. it should send the access token if it has a valid one, or if it can silent acquire one, but omit it otherwise). This is useful for APIs that do not strictly require authentication, but provide additional functionality if authenticated. It might return only public data to an anonymous user, but include personalized data for a signed in user, or signed in users may have less restrictive rate limiting, etc.

Furthermore, the need for authentication can vary for the same URL by http method, and right now there is no way to support that without a full.

For the first scenario, this feels like it should be a relatively easy feature to add, since it is simply skipping the this.acquireTokenInteractively calls. Even for the second scenario, sending the access token (when available) when not actually required is usually harmless, so both scenarios could be supported in this same manner.

The only tricky part seems to me to be the ability to specify this option. I would simply update the ProtectedResourceScopes type to make httpMethod optional (with semantics that not supplied means any method), and add a new boolean to trigger the new behavior. The reason I would put it on the scopes level rather than the resource level is because that is where the httpMethod is specified, and this should allow (but not require) distinguishing by method.

Thoughts?

Source

External (Customer)