Protect Angular SPA with Azure AD authentication

siva_dev 1 Reputation point
2020-04-02T07:26:37.757+00:00

Hi,

I need to protect my Angular SPA and Node JS API with Azure AD Authentication. Which flow should I use?

Auth Code Flow or Implicit Flow?

Where can I find the sample apps or tutorials that show steps to implement the suitable flow in both Angular SPA and Node JS API?


2 answers

  1. soumi-MSFT 11,696 Reputation points Microsoft Employee
    2020-04-02T07:31:24.96+00:00

    @siva_dev, ideally for SPA applications, Implicit flow is what is preferred the most. For samples, you can check the following URL:
    https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#single-page-applications

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    2 people found this answer helpful.

  2. soumi-MSFT 11,696 Reputation points Microsoft Employee
    2020-06-11T16:02:30.093+00:00

    @RanjithPalanisamy-3910, thank you for reaching out, and I apologize for the late reply on this, as somehow I had missed out on this new question on this thread. One thing I would like to state, i.e., since implicit flow is not a secured flow and it always carries its own set of risks, it's advisable to stay away from using it. But till today, for JavaScript applications (Single-Page applications), we recommended using the MSAL.js library, and MSAL.js lacked the capability of implementing any other flows of OAuth for SPAs. Then came MSAL v2.0 and now the MSAL v2.0 (preview), which finally brought the support of using Auth-Code Grant Flow for your SPAs, and personally I would recommend, if a new app is being developed, it's better you go ahead with the new MSAL v2.0 (preview) as that would just get better.

    As of now I have not heard of any complaints regarding the MSAL v2.0 (preview) library, and you can surely give it a try. Auth-Code Grant flow with PKCE is definitely a more secure alternative to implicit grant flow. For now, I don't have a time frame as of when there is a plan to get this into GA, but can surely get you the answer as soon as I can get my hands on it.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
