MSAL Auth: Controlling Behaviour

Guy de Winton 1 Reputation point
2022-12-02T00:43:51.273+00:00

Hello

I am using the MSAL JavaScript library in React, and it has me baffled... It is a very difficult system to control without reaching into the cookies / local/session storage (which the library seems to be designed to prevent developers from being required to do). I would like users to be required to identify themselves for each session. I am happy for users to remain signed in, to prevent them having to re-enter passwords, etc., each time.

This is what I have deduced (through experiments; the documentation is pointedly unhelpful regarding how any of this stuff works under the hood (understandable, it is only authentication...)):

  • The basic account details and sign-in status, as well as some kind of token (I assume a refresh token???), are stored in the cookies.
  • The active user is also stored in the cookies.
  • The cookies are HttpOnly.
  • The basic account details and sign-in status, as well as some kind of token (I assume an access token???), are stored in the session/local storage (depending on cache config).
  • MSAL will automatically renew the authentication of the active user from the cache (if available).
  • The cache can store a number of signed-in users (this is inconsistent, and it seems to be only possible to choose another user if MFA is not set on the active user).

The active user is automatically logged in with the .login methods. This happens from the cookies (if not also from local/session storage). It is only possible to select another user by first logging the active user out. It is not possible to automatically log the active user out (without a prompt), even by adding the active user to the account parameter of the logout options object. I could remove the cookies, but I don't want to lose the sessions of the signed-in users. Which cookies should I remove? Is there a better way to do this?

Desired behaviour:

  • Each session requires login prompt.
  • Prompt requires users to select their account.
  • Users may remain signed in and not require their password to be re-entered (less important).

Many thanks.
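As an added example (not code from the question above and not the MSAL library's own code), the following encodes the three "desired behaviour" points against the msal-browser v2 API: the cache is put in sessionStorage so a new browser tab starts with no cached accounts, the first login of each session is interactive with the standard `prompt: "select_account"` request option so the account picker is shown even though the Microsoft session cookie keeps the user signed in (no password re-entry), and later calls in the same session renew silently from the cache. The method names used (`getAllAccounts`, `getActiveAccount`, `setActiveAccount`, `loginPopup`, `acquireTokenSilent`) are real msal-browser methods; the client id, scopes, redirect URI and the `app.sessionLoginDone` flag key are assumptions, and `FakeClient` / `MemoryStorage` are constructed stand-ins so the file runs without a browser or the library.

```javascript
// Added example, not code from the question or from the MSAL library itself.
// It encodes the desired behaviour above against the msal-browser v2 API
// (PublicClientApplication: getAllAccounts, getActiveAccount, setActiveAccount,
// loginPopup, acquireTokenSilent) and the standard "prompt" request option.
// FakeClient and MemoryStorage below are constructed stand-ins so the file
// runs without a browser or the library; in React you would pass the real
// PublicClientApplication (e.g. useMsal().instance) and window.sessionStorage.

const msalConfig = {
  auth: {
    clientId: "00000000-0000-0000-0000-000000000000", // placeholder, not a real app id
    authority: "https://login.microsoftonline.com/common",
    redirectUri: "http://localhost:3000", // assumed dev redirect URI
  },
  cache: {
    // sessionStorage is per tab and cleared when the tab closes, so every new
    // browser session starts with an empty MSAL cache and must go interactive.
    cacheLocation: "sessionStorage",
    storeAuthStateInCookie: false,
  },
};

const scopes = ["User.Read"]; // assumed scopes
// App-owned flag (hypothetical key name) kept in the same per-tab storage;
// it is separate from MSAL's own cache entries.
const SESSION_FLAG = "app.sessionLoginDone";

// Pure decision step: what should happen for this render of the app?
//  - first time in this browser session, or no cached account: interactive
//    login with prompt=select_account. The Microsoft sign-in page then shows
//    the account picker even though the IdP session cookie keeps the user
//    signed in, so no password is re-entered.
//  - otherwise: silent token renewal from the MSAL cache for the active account.
function planSessionLogin({ sessionLoginDone, accounts, activeAccount }) {
  if (!sessionLoginDone || accounts.length === 0) {
    return { action: "interactive", request: { scopes, prompt: "select_account" } };
  }
  return { action: "silent", request: { scopes, account: activeAccount || accounts[0] } };
}

// Executes the plan against an MSAL-like client. Falls back to the picker if
// silent renewal fails (e.g. InteractionRequiredAuthError from an expired cache).
async function ensureSessionLogin(pca, storage) {
  const plan = planSessionLogin({
    sessionLoginDone: storage.getItem(SESSION_FLAG) === "1",
    accounts: pca.getAllAccounts(),
    activeAccount: pca.getActiveAccount(),
  });
  if (plan.action === "silent") {
    try {
      const result = await pca.acquireTokenSilent(plan.request);
      return { account: result.account, interactive: false };
    } catch (_err) {
      // silent renewal not possible: fall through to the interactive path
    }
  }
  const result = await pca.loginPopup({ scopes, prompt: "select_account" });
  pca.setActiveAccount(result.account);
  storage.setItem(SESSION_FLAG, "1");
  return { account: result.account, interactive: true };
}

// ---- constructed stand-ins so the example runs stand-alone ----
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

class FakeClient {
  constructor() { this.accounts = []; this.active = null; this.prompts = []; }
  getAllAccounts() { return this.accounts; }
  getActiveAccount() { return this.active; }
  setActiveAccount(account) { this.active = account; }
  async loginPopup(request) {
    this.prompts.push(request.prompt);
    const account = { homeAccountId: "constructed-id", username: "user@example.com" };
    this.accounts = [account];
    return { account };
  }
  async acquireTokenSilent(request) {
    this.prompts.push("silent");
    return { accessToken: "constructed-token", account: request.account };
  }
}

// Two calls in one "session": the first goes through the picker, the second is silent.
async function demo() {
  const pca = new FakeClient();
  const storage = new MemoryStorage();
  const first = await ensureSessionLogin(pca, storage);
  const second = await ensureSessionLogin(pca, storage);
  return { first: first.interactive, second: second.interactive, prompts: pca.prompts };
}

demo().then((r) => console.log(JSON.stringify(r)));
// prints {"first":true,"second":false,"prompts":["select_account","silent"]}
```

In a React app, `ensureSessionLogin(instance, window.sessionStorage)` would be called once from an effect with `instance` taken from `useMsal()`; `loginPopup` can be swapped for `loginRedirect` with the same request object. Because the decision is made from the per-tab flag and the per-tab MSAL cache rather than from any cookie, no cookies need to be removed and the sign-in sessions of other users at the identity provider are left intact.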
