问题
I need some input in implementing MSAL library in Angular6+ applications for integrating with AZURE AD.
As i read through the microsoft docs, i came across two flows 'implicit grant flow' and 'auth code flow'. It is been recommended by microsoft team themselves that 'auth code flow' must be implemented as its secure as compared to 'implicit grant flow'.
Im working on a Angular6+ application, and I have to integrate it with AZURE AD. When i checked the MSAL libraries for angular i could only find 1 version "npm i @azure/msal-angular", which i assume implements 'implicit grant flow'. I have to implement 'auth code flow'.
Could anyone please help in this regard.
回答1:
There are 2 confusions here, one is about the security of flows, the other is about whether MSAL supports auth code (w/ PKCE).
- Auth Code Flow vs. Implicit Flow
You should not understand this as "auth code is secure and implicit flow is insecure". These are relative terms; that is, auth core is considered more secure than implicit flow. However, there are use cases where implicit flow is considered just as good (e.g. user session timeout is short). There is some debate on the internet about this.
- Using MSAL.js with Angular
The current MSAL.js 2.x (msal-browser) implements auth code (w/ PKCE) flow. There is no reason for you not to use it with your Angular project. There is also an MSAL-Angular wrapper library, which comes with some extra features and glue code, and that is the one that implements implicit flow (because it is based on MSAL.js 1.x aka msal-core). However, you don't have to use it just because you have an Angular project. Instead, you can create your own authentication service using MSAL.js 2.x directly.
回答2:
I believe that you are right and that the MSAL library does not support Authorization Code Flow (PKCE).
USE AN ALTERNATIVE LIBRARY?
There is no reason why you have to use that library though, and I think the oidc-client library will provide a better solution anyway, since it is standards based and more mature. Your Angular app will then work more easily with other Authorization Servers.
RESOURCES
If interested in this approach, see these resources of mine, the second of which uses OIDC Client / PKCE with Azure AD:
- Initial OIDC Client Code Sample
- Azure AD Code Sample
- Azure AD SPA Security Code
来源:https://stackoverflow.com/questions/63408467/how-to-implement-authorization-code-grant-with-pkce-in-angular6-applications