Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Obtain autorization code from `loginPopup` instead of token(s)

See original GitHub issue

Core Library

MSAL.js v2 (@azure/msal-browser)

Wrapper Library

MSAL React (@azure/msal-react)

Public or Confidential Client?

Public

Description

loginPopup sends a request to /oauth2/token to obtain access_token and id_token immediately after obtaining authorization_code in its implementation. But I want to obtain authorization_code directly from my public client and redeem it for accesss_token in our server.

Source

External (Customer)

Issue Analytics

State:
Created a year ago
Comments:18 (5 by maintainers)

Top GitHub Comments

1reaction

derisencommented, Nov 2, 2022

@okapies the problem is that you are requesting below an access token for Microsoft Graph, NOT for your own web API.

const loginRequest: PopupRequest = { scopes: [‘User.Read’, ‘openid’, ‘profile’, ‘email’], prompt: ‘select_account’, };

const handleLogin = (instance: PublicClientApplication) => { instance.loginPopup(loginRequest).then((value: AuthenticationResult) => { fetch( ‘https://api.example.com/login/microsoft’, // our login API { method: ‘POST’, body: { access_token: value.accessToken }, }, ).then((data: any) => { … }); }); }

Instead, the scope should be your web API’s APP ID URI followed by the scope name you defined in your application.

const loginRequest: PopupRequest = { scopes: [‘api://my-web-api-client-id/my_scope’], prompt: ‘select_account’, };

If you look at the app registration steps in the sample I’ve shared, it instructs you to create a custom scope for your API, and then request permissions to it in your SPA.

So to summarize the misunderstanding here, every access token is meant for a certain resource/API and cannot be used for accessing other resources/APIs. You tell MSAL what resource/API you need an access token for via the scopes property in the request object that you pass to acquireToken* method.

0reactions

okapiescommented, Nov 8, 2022

@derisen Thanks for your kind advice. I’ll look into the on-behalf-of flow!

Top Results From Across the Web

ReAuthentication using PopUP(Auth Code Grant Flow)

Ideally in Authorization-Code Grant flow, you first call the /authorize endpoint to get authorization code and then you use that authorization ...

PublicClientApplication | microsoft-authentication-libraries-for-js

This function redeems an authorization code (passed as code) from the eSTS token endpoint. This authorization code should be acquired server-side using a ......

Using the Authorization Code Flow with PKCE in Azure AD ...

In this flow, access tokens were returned directly to the browser without ... HTTP GET https://AzureADURL/authorize &response_type=code ...

How to get an access token with Auth Code Grant | DocuSign

Note: Instead of generating the access token manually, you can also implement Authorization Code Grant authentication by: Using methods from one of the...

Auth0 Single Page App SDK

Auth0 SDK for single page applications using Authorization Code Grant Flow with ... Instead, you can opt-in to store tokens in local storage...