Do the MSAL Libraries verify tokens?

Question

I come from a security IAM background and work with developers in setting up SSO(OIDC) and authorization to API's via OAuth 2.0. I am trying to write up some guidance on how our developers should be setting things up on their side to receive a token and how to verify it before letting the user into their application. We are going to be recommending the use of the MSAL's when ever possible. In reference to OIDC , with my lack of programming knowledge I am trying to figure out if the MSAL's are a one stop shop for acquiring an id token, verifying the token, and allowing the user into the application? Or if the MSAL's are purely for acquiring a token, and refreshing the token.

Answer 1

Hello @Alex and thanks for reaching out. MSAL is intended for acquiring tokens. For token signature its recommended to use third party libraries such as jsonwebtoken. For more information on how to validate tokes take a look at Validating an ID token and Validate access tokens.

Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.