►
From YouTube: New MSAL for React, Angular-January 2021
Description
In this month's call, James Mantu (Microsoft) shares an overview of the new offerings in MSAL.js for React and Angular developers now in public preview.
For more information, visit https://developer.microsoft.com/en-us/identity
Stay connected
Twitter https://twitter.com/microsoft365dev
YouTube https://aka.ms/M365DevYouTube
Blogs https://aka.ms/M365DevBlog
A
My
name
is
james
mantu
I'll.
Take
you
through
the
new
library
that
we
have
for
himself
the
new
authentication
libraries
specifically
for
react,
and
for
angular
we'll
start
by
understanding
what
msl
is,
which
is
microsoft,
authentication
libraries
that
we
use
to
gain
access
to
resources
protected
by
our
identity
platform,
and
what
we
have
now
is
a
2.0
version
for
react
and
angular.
So
I'm
going
to
commit
to
an
assumption
that
the
members
on
this
call
have
actually
interacted
with
our
libraries,
the
earlier
ones
for
1.0.
A
So
what
we
had
was
the
implicit
flow
initially
and
we're
moving
towards
the
oauth
code
flow.
Now
I'll
get
a
bit
point
to
that
right
after
this,
but
the
bottom
line
is
oauth
code
is
more
secure
and
with
the
new
security
that
browsers
are
putting
in
place
where
they
are
blocking
third-party
cookies.
The
implicit
flow
really
won't
work,
especially
if
you
look
at
safari
with
its
intelligent
tracking
protection.
A
Work,
that's
what
I
will
do
on
this
screen
that
we
are
on
now
cool.
Yes,
so
if
you
look
at
how
this
screen
works,
the
thing
with
implicit
flow
is
you
you
have
your
application.
You
send
a
request
to
your
authorization
service,
whether
it's
microsoft
or
whatever
it
is.
You
give
your
username
your
password
your
credentials,
and
then
you
get
your
access
token
back
in
a
browser
fragment.
Basically
it's
part
of
your
url.
That
comes
back
with
your
access
token.
A
Now.
The
challenge
with
that
is
your
authorization
service
is
a
third
party.
It's
not
the
same
as
the
domain
you're.
Currently
on.
So
once
you
start
blocking
requests
across
origin
requests
to
domains
which
are
different
from
the
domain.
The
browser
is
currently
sitting
in.
Then
you
have
a
challenge,
because
that
request
cannot
go
silently.
A
In
the
background,
what
we
had
been
doing
were
using
hidden
iframes
to
pass
the
request
to
the
authorization
provider,
but
because
of
blocking
those
requests
they
cannot
happen,
silently
without
actual
user
intervention,
which
provides
a
very
bad
experience,
because
you'd
have
to
keep
on
popping
up
for
the
user.
To
you
know
again
once
the
token
expires.
B
A
Happen
exactly,
but
by
default,
as
google
chrome
safari
as
implement
this
feature,
that
becomes
more
of
a
challenge
for
seeing
us,
because
the
users
really
don't
notice.
They
just
set
up
a
high
security
level.
So
you
start
having
a
challenge.
The
application
or
the
user
is
one
who
has
blocked
calls
on
their
site
because
they
just
set
up
default
settings
in
terms
of
security.
A
Cookies
that
have
been
blocked
so
that
now
has
become
a
challenge
with
that
implicit
grant
flow.
So
what
we're
moving
towards
now
and
the
rest
of
the
industry
is
the
earth
code
ground
flow.
So,
as
you
can
see
in
this
case,
sorry
I'll
just
go
back
one
step.
The
implicit
flow
was
designed.
It
does
not
have
refresh
tokens
that
come
in
whenever
your
token
expires,
you
actually
have
to
make
a
fresh
request
through
the
browser.
D
F
A
But
you'll
notice
here
the
requests
to
get
our
token
have
been
sent
to
our
token
server,
as
opposed
to
you
can
actually
raise
a
request
to
your
token
server
through
an
api
call
or
whatever
it
is,
as
opposed
to
having
to
load
an
iframe
which
you
can
use
to
get
your
access.
So
now,
you're,
actually
calling
an
api.
E
A
A
Like
I
mentioned,
you
get
your
token
back
in
your
url
as
a
fragment
of
the
url,
so
we
start
facing
challenges
of
interception
attacks
and
then
because
it's
in
your
browser,
your
browser
might
actually
just
save
that
history,
so
these
are
just
two
additional
risks
that
we
found.
That
is
forcing
the
whole
industry
to
move
away
from
the
implicit
flow.
B
Going
back
to
and
making
sure
that
we
have
the
closure
on
this,
it
is
the
cookie.
It's
not
the
course,
because
you
are
when
you
are
doing
the
code
flow.
You
are
still
from
google.com
the
example
that
you
are
going
giving.
If
I
was
on
google.com,
I
would
still
be
making
the
call
from
google.com
to
the
microsoft
identity,
server.
B
A
Are
not
shared
exactly
the
third
party
cookies
are
what
other
browsers
have
been
working
on
securing
because
of
tracking.
Thank
you.
Yes,
so
I
wanted
to
take
it
a
step
further
and
look
at
pkce,
which
stands
for
proof
key
for
code
exchange,
and
the
idea
is
that
when
you
want
an
authorization
token,
when
you
want
a
token,
you
must
prove
that
you're,
the
application
that
is
supposed
to
have
the
token
in
our
mobile
apps
and
most
of
our
spas
we've
had
coded
their
credentials.
A
So
what
we
have
here
is
basically
a
proof
of
possession.
What
we're
saying
is
that
when
I
come
and
ask
you
for
an
access
code,
I
want
to
know
who
you
are
and
how
do
we
do
this?
When
you
are
raising
a
request
for
an
house
code,
you
pass
what
we
call
a
code
challenge,
which
means
that
when
you
come
back
and
ask
now
for
access
to
a
particular
resource,
I
need.
A
Are
you
able
to
pass
me
a
code
challenge
and
I
verify
that
you
are
who
you
are
so
they
have
a
verifier
and
a
code
challenge
before
I
answer.
I
think
I'll
use
this
screen
and
then
you
can
ask
all
the
questions
we
have
after
that.
So
here's
the
client
send
the
request
to
be
authorized
and
with
it,
you'll
pass
a
code
challenge.
Basically
it
is
something
that
you
can
use
as
a
sha-256
or
whatever
to
verify
yourself.
A
The
authorization
server
then
notes
that
code
challenge
and
then
issues
you
the
authorization
code
and
then
you
come
and
ask
for
an
access
token.
When
you
ask
for
your
access
token,
you
have
to
send
me
the
original
code
challenge
which
you
sent.
So
I
know
that
the
person
asking
for
this
access
token
is
someone
who
have
already
authorized,
as
opposed
to
someone
who
may
have
actually
intercepted
my
oauth
code
and
then
it's
time
to
use
that
to
get
authorization
to
my
resources.
A
The
oauth
code,
you
can
define
how
long
you
want
it
to
be
alive,
but
mostly
because
the
oauth
code
flow
has
refreshed
tokens.
The
authorization
codes
will
be
valid
for
a
very
short
while
a
minute
five
minutes,
and
then
your
refresh
token
will
have
validities
of
maybe
24
hours.
So
you
have
to
keep
reauthorizing.
D
D
A
Thank
you.
Yes,
because
the
authorization
code
has
gone
with
a
code
challenge.
So
even
if
I
got
that
authorization
code,
I
will
not
know
what
code
challenge
the
application
has
sent
and
the
application
will
have
its
own
logic
of
generating
its
code
challenge.
So
this
is
not
a
one-time
thing
like
you'd
have
username
and
password
saved
in
your
application
to
use
across
all
your
installations.
C
A
C
A
So
I
know
you
can
put
in
the
autofluid
pixel
and,
at
the
same
time,
have
some
support
for
implicit
flow.
Although
we
are
currently
deprecating
our
support
for
the
implicit
flow,
if
that's
what
your
product
is
using,
it
will
continue
to
be
supported,
but
we're
trying
to
discourage
new
applications
coming
in
with
the
implicit
flow
and
we
are
backward
compatible.
So
you
can
actually
support
multiple
authorization
flows
got
it
yes,
so
that
was
just
basically
a
summary
of
what
we
are
trying
to
do
and
what
we
have
achieved.
A
A
Is
react
and
angular
we're
using
node.js,
and
I
personally
am
a
fan
of
visual
studio
code
or
whatever
editor
you
want
to
use.
So
you
just
sign
into
the
portal
you
can
choose
which
tenant
you're
using.
If
you
have
multiple
tenants,
you
just
select
app
registrations,
put
in
a
name
select
the
accounts
you
want
to
support.
I
think
most
people
go
for
in
any
organization
directly
and
personal
accounts.
Then
you
register
and
that's
it.
A
Then
you've
got
a
quick
start
page
where
you
can
download
your
your
application
and
actually
get
up
and
running
immediately
and
I'll.
Take
five
minutes
to
show
you
exactly
what
I
mean
when
I
say
you
can
download
your
first
application.
Your
first
react
application
actually
log
in
and
you're
able
to
access
microsoft
graph.
A
So
I
was
just
saying
that
it's
pretty
simple.
If
you
work
with
react
all
you
have
to
do.
Is
we
made
it
so
simple
that
we
tell
you
where
to
put
your
client
id
where
to
put
your
authority
where
to
put
your
redirect
uri,
and
this
evaluates
that
in
the
quick
starts,
we've
shared
with
everybody,
so
what
you
arise
to
use
and
all
that
there's
very
little
plumbing
to
get
up
and
running
with
your
first
product
and
utilize
the
identity
service?
A
This
is
just
for
react.
This
is
for
angular
and
then
once
it's
configured
you
just
install
get
up
and
running.
If
you
don't
use
the
quick
configuration
it's
our
libraries,
you
can
just
get
them
directly
from
npm
through
npm
install,
so
I'll
actually
show
you
one
application
that
I
have
which
actually
follow
these
steps,
and
then
I
guess,
after
that,
you'll
have
more
more
questions
to
ask
just
to
show
you
what
I
mean
when
it's
that
it's
pretty
easy
to
get
started
yeah.
A
A
A
A
Because
I'm
already
signing
on
this
is
my
personal
pc.
It
is
already
able
to
sign
me
in
and
I
will
not
request
my
profile
information.
But
yes,
if
you
do
this,
you
can
actually
get
information.
You
can
use
graph
to
get
as
much
information
as
your
authorized
to
access
and
it's
actually
really
simple
to
get
started.
A
A
So
I
there
wasn't
much
else
we
hear
if
there
are
any
more
questions,
but
it's
really
easy
to
get
up
and
running
with
your
fast
react
for
your
first
angular
application.
It'll.
Take
you
five
ten
minutes
maximum
we've
hidden
all
the
plumbing
we've
made
it
so
that
all
the
heavy
lifting
is
sitting
on
our
sides
from
your
side.
It's
just
a
few
configurations
that
you're
up
and
running.
H
Thank
you
james.
This
is
jen,
quick
question
now
I
know.
Typically,
when
m
cell
supports
azure
ad,
it's
very
streamlined.
Is
there
any
difference
when
we're
dealing
azure,
adb
c,
you
know
in
this
case
you
know.
Typically,
when
we
go
get
onto
github,
you
see,
you
know
it's
smooth
sailing
with
the
azure
id
and
the
second
we
go
to
azure
adb,
to
see,
there's
always
some
quarks.
We
have
to
work
around
with
it.
So
for
this
particular
one
I'm
looking
at
for
react.
D
I
Yeah
it,
it
is
fully
supported.
Some
of
the
same
quirks
that
you
might
run
into
with
browser
will
carry
over
into
react
just
due
to
the
fact
that
the
services
are
implemented
slightly
differently.
But
if
you
do
run
into
any
issues,
we
encourage
you
to
open
an
issue
on
our
github
page.
We
try
to
resolve
those
relatively
quickly.
A
J
I
K
A
B
A
D
A
D
So
some
of
the
other
reasons
there
are
some
you
know:
azure
id
follow
zoe
dc,
for
example,
but
there
are
some
nuances
with
with
azure
id
that
our
library
for
one
is
aware
of
and
helps
mitigate.
I
would
say
the
other
reason
is
that
there
are
some
features
that
we
are
shipping
in
azure
id,
that
the
amsoil
libraries
will
support,
that
you
probably
won't
get
from
a
more
generic
library.
So,
for
example,
say
we
support
proof
of
possession
for
access
tokens.
D
I'm
sure
familiar
proof
of
possession
cryptographically
binds
access
tokens
to
the
browser
that
requested
them,
so
that
helps
mitigate,
for
example,
token
replay,
if
those
if
those
tokens
are
excellent
from
the
browser.
So
that's
like
a
really
key
security
feature,
for
example,
that
our
first
party
microsoft
products
are
very
much
one
and
we're
doing
additional
we're
looking
at
a
proof
of
possession
for
refresh
tokens
and
we're
looking
at
other
potential
security
features
and
enhancements,
and
you
are
probably
not
going
to
get
those
from
a
third-party
library
such
as
the
one
that
you
mentioned.
B
B
Yeah,
I
I
think
to
begin
with
it
shouldn't
be
even
available
in
the
browser
in
the
user
context
right
in
the
user
context.
Ig
token
is
the
one
that
user
needs
access.
Token
is
more
for
system
to
system
like
in
a
client,
credential
flow,
it
makes
sense,
but
you
know
auth
code
flow
and
pixy
flow,
that's
user
to
system.
D
Yeah
so
access
this
comes
down
the
difference
between
authentication
and
authorization,
so
your
id
token
represents
the
user,
as
logged
in
right
tells
you
metadata
about
the
user
and
about
their
session
potentially,
whereas
an
access.
Token
says
that
as
the
artifact
that
the
user
has
granted
you
authorization
to
acquire
data
on
their
behalf
from
like
a
backend
service,
so
microsoft
graph
or
your
own
custom,
backend
api
and
access
tokens
can't
be
shared
between
resources.
So
an
access
token
for
microsoft.
D
E
Thanks
jason
and
thanks
mani
for
bringing
this
up,
so
our
security
team
has
found
one
flow
with
this
authorization
code
grant
flow.
We
we
have
been
using
this
in
our
organization
and
what
they
are
telling
is
the
user
is
logged
in
the
single
page
application
and
they
have
the
token
the
tokens
are
available
in
the
browser
cache
and
they
can
capture
this
token
if
they
are
putting
any
proxy
like
a
bob
tool
or
a.
G
E
And
even
after
the
user
logout,
they
can
replay
this
token
to
the
end
apa
and
get
the
response
within
that
one
hour
of
time
yep.
So
what
the
issue
that
security
team
is
bringing
is,
if
some
malicious
actor
getting
the
position
of
your
machine
or
your
browser,
they
can
grab
this
token
and
they
can
replay
this
even
after
the
user
logs
out
from
the
application
yep.
D
Yeah,
so
it's
correct
that
we
don't
invalidate
access
tokens,
so
they
are
valid
for
an
hour
after
they
were
issued,
and
that
is
a
known
trade-off
that
we
have
made
as
far
as
if
those
tokens
are
extra
traded.
Somehow,
as
you
described
so,
if
they're
intercepted
through
man
in
the
middle
or
they're,
you
know
cross-site
scripting,
for
example.
Yes,
they
can
be
replay
from
another
machine
for
the
duration
of
their
lifetime.
D
So
proof
of
possession,
for
example,
is
one
mitigation
that
we
have
for
that,
so
proof
of
possession
like
I
mentioned
it,
cryptographically
binds
the
access
token
to
the
browser
that
requested
it.
So
it
can't
be
replayed
if
it's
exfiltrated,
it
doesn't
address
the
the
expiration
thing
and
again,
that's
just
a
known
trade-off.
There's
lots
of
complexity
that
comes
with
invalidating
access
that
we've
decided
not
to
make.
So
I
would
look
at
proof
of
possession.
D
That
is
a
feature
that
has
supported
msl
browser
that
if
you
are
concerned
about
your
access
tokens
being
replayed
by
a
bad
actor
outside
the
context
of
the
browser
that
requested
them.
That
is
one
of
the
mitigations
that
we
provide
for
that
and
we're
always
looking
at
increasing
the
security
of
our
products.
All
up.
E
B
They
probably
don't
have
the
context
of
the
browser,
so
in
general
I
could
take
an
access
token
and
from
the
back
end
I
would
make
api
call
to
get
other
data,
or
are
you
saying
that
this
access
token
actually
has
something
related
to
the
browser?
It
can
never
be
called
outside
of
the
browser
correct?
B
D
D
But
yes,
in
this
case,
if
you
have
a
proof
of
possession
protected,
if
you've
enabled
proof
of
possession
in
your
in
your
middleware
in
this
case,
where
you're
validating
your
tokens
and
then
you
opt
in
to
proof
of
possession
for
the
access
token
that
msol
will
acquire
for
you.
If
someone
were
to
steal
those
access
tokens
from
your
local
storage
and
then
try
to
use
them,
they
would
not
work.
D
E
E
Is
the
user
got
it
from
so
and
so
browser
and
when
he
plays
that
access
token
to
the
apa
in
the
api
also,
they
have
to
go
back
to
azure,
ready
and
check
that
okay,
this
access
token
is
came
from
so
and
so,
and
is
it
com
this
request,
api
request
is
also
coming
from
the
same
ip.
If
that
matches.
Yes,
access
token
is
valid,
if
not.
D
D
D
D
D
F
E
On
the
tokens
so
in
the
sample
they
have
mentioned
about
getting
a
token
for
user
dot
rate
say,
for
example,
if
I
have
multiple
tokens
accusations
like
sharepoint
token
graph
token
crm
token,
most
of
our
application
will
have
multiple
dependencies
like
graph,
maybe
for
getting
the
signed
in
user
details
or
and
sharepoint
api
to
get
the
documentation
or
the
content
from
the
sharepoint
or
maybe
for
crm.
So
if,
if
you
have
multiple
apas
or
dependencies
so.
G
E
G
D
Okay,
yeah,
I
understand
thank
you.
So
our
general
guidance
is
that
so
you
have,
you
know,
there's
two
operations
right,
there's
logging
in
and
then
there's
acquiring
tokens.
So
when
you
log
in
you
can
provide
the
scopes
that
you
know
that
you're
good,
that
you
want
your
user
to
consent
to
upfront
right.
So
if
you
have
six
scopes
across
three
different
resources,
you
could
provide
those
upfront
and
we
will
prompt
the
user
to
consent
to
those
scopes
if
they
haven't
consented
already.
D
That
being
said,
we
only
issue
one
access
token
at
a
time,
and
access
tokens
are
only
valid
for
one
resource.
So
if
you
have
access
so,
if
you
need
an
access
token
for
sharepoint,
you
need
an
extra
soaking
for
your
backend
api.
You
have
access
token
for
for
graph,
for
example
you
so
you
can.
You
can
provide
consent
for
them
up
front
and
will
issue
exactly
what
it
is.
But
basically
you
can
provide
all
of
those
scopes
up
front
and
you're
in
your
login
calls.
D
So
the
first
call
to
the
authorized
endpoint
and
then
I
think,
we'll
issue
you
one
an
access
token
for
one
of
those
and
then
downstream
in
your
code.
Basically,
when
you
need
you
know,
kind
of
the
general
guidance
is
right
before
you
need
an
access
token
for
a
given
set
of
scopes
for
a
resource.
You
call
acquire
token
silent
and
you
provide
just
the
scopes
for
that
resource
and
msol
will
acquire
an
access
token
for
that
resource.
For
those
scopes.
D
Does
that
make
sense,
so
you
can
provide
them
all
up
front
in
in
the
interest
of
having
the
user
can
send,
but
then,
when
you
downstream,
you
can
provide
those
just
on
a
resource
or
resource
basis
for
each
respective
api.
Each
respective
api
calls
and
themselves
will
acquire
an
access
token.
Just
for
that
resource.
For
those
scopes.
A
A
E
D
C
D
Because
yeah
the
same
site,
we
we've
addressed
the.
So
what?
Basically?
What
browsers
did
was
they
made
the
they
first
rolled
out
same
restrictions
around
the
same
site
flag
on
cookies?
That
was
done
a
year
ago,
maybe
a
little
more.
We
we
did
all
the
work
needed
for
that,
and
then
that
was
like
the
first
part
of
like
the
third
party
cookie
changes
that
browsers
were
rolling
out.
D
D
Yeah
so
safari
safari
with
intelligent
tracking
protection
enabled
they
were
they
were.
That
was
really
the
first
browser
and
then,
if
you
do
chrome
incognito
like
if
you
open
income,
you
don't
chrome,
really
any
of
the
chromium
browsers.
So
like
the
the
new,
the
microsoft
edge
and
incognito
you'll,
see
when
you
open
the
ink,
you
know
there's
a
little
toggle
at
the
bottom
of
the
new
tab
screen
that
says
whether
or
not
third-party
cookies
are
blocked
that
is
on
by
default
now.
So
that
is
another
scenario
where
users
would
encounter
that.
D
Yeah
so
there's
there's
a
there's
like
it
yeah
there's
a
github
open
issue
open
about
this.
We
can't
prevent
the.
I
don't
believe
we
can
prevent
the
the
pop-up
from
going
into
the
background,
but
we're
looking
at
ways
that
we
can
at
least
improve
that
experience.
For
example,
if
the
user
thinks
that
the
pop-up
is
closed,
then
they
click
your
login
button
again
that
we
maybe
focus
the
existing
pop-up
we're
looking
at
improvements
we
can
make
to
that
because
we're
aware
of
that
issue
so
keep
an
eye
on
our
github
and
npm
for
releases.
G
Us
close
out,
yes,
thank
you
james
and
thank
you
jason
and
everybody
else
who
participated
today.
I
love
all
the
questions
and
the
interaction,
so
this
is
really
great,
we'll
post
a
copy
of
the
powerpoint
that
jay
should
show
today
in
the
description
of
the
video
that
we're
going
to
be
posting
on
youtube.