Is it safe to use msal-browser in production?

sourav dwivedi 20 Reputation points
2023-11-16T17:47:04.45+00:00

I am implementing SSO in a React SPA with Microsoft identity, using "@azure/msal-browser": "^3.5.0" and "@azure/msal-react": "^2.0.7" as dependencies.

Please refer to the sample app below, provided by Microsoft:

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-react-samples

**My question: is it safe to use this implementation?**

I am able to authenticate the user with the recommended authorization code flow, but it seems this has a security threat, as the JWT token returned is visible in network calls.

```javascript
import { useMsal } from "@azure/msal-react";

// Inside a React component: the PublicClientApplication instance from MsalProvider
const { instance } = useMsal();

// Scopes requested from the Microsoft identity platform
const loginRequest = {
  scopes: ["user.read", "mail.send"]
};

const handleMSLLogin = () => {
  // Pass the request object itself, not wrapped in another object ({ loginRequest } would send no scopes)
  instance.acquireTokenPopup(loginRequest)
    .then(response => {
      console.log(response); // This response contains JWT token with client information and is visible in network calls
    })
    .catch(e => {
      console.log(e);
    });
};
```

Accepted answer
  Shweta Mathur 30,191 Reputation points Microsoft Employee
    2023-11-20T06:35:55.4333333+00:00

    Hi @sourav dwivedi ,

    Thanks for reaching out.

    It is generally safe to use the Microsoft Authentication Library (MSAL) for React and the recommended authorization code flow for implementing SSO in your React SPA. However, it is important to ensure that you are following best practices for securing your application and user data.

    Regarding the visibility of the JWT token in network calls, this is expected behavior as the token is used to authenticate the user and authorize access to protected resources. However, you should ensure that your application is using HTTPS to encrypt network traffic and prevent eavesdropping.

    Additionally, you should follow best practices for securely storing and handling the JWT token on the client-side, such as using secure cookies or local storage with appropriate expiration times and encryption.

    Overall, while there are security considerations to keep in mind when implementing SSO with MSAL for React, it is a widely used and trusted library that can help simplify the process of integrating with Microsoft identity services.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
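The answer above covers transport (HTTPS) and client-side storage; the added example below, which is not code from the question, the answer, or the MSAL samples, shows the pieces a practitioner would want around the question's handler: the cache setting passed to MSAL, a way to inspect what the returned token actually carries (audience, scopes, expiry) without trusting it, and a logging helper that does not write the tokens to the console. It assumes Node 16 or later for `Buffer` with `"base64url"`, and the JWT it decodes is constructed with a dummy signature segment; `clientId` and `redirectUri` are placeholders.

```javascript
// Added example, not code from the question or the MSAL samples. Assumes Node >= 16
// (Buffer "base64url"); the JWT is constructed, with a dummy signature segment.

// Configuration the question's app would pass to PublicClientApplication.
// clientId and redirectUri are placeholders. sessionStorage scopes the token
// cache to one tab and clears it on close; localStorage persists across sessions.
const msalConfig = {
  auth: {
    clientId: "00000000-0000-0000-0000-000000000000", // placeholder app id
    authority: "https://login.microsoftonline.com/common",
    redirectUri: "https://localhost:3000", // HTTPS everywhere except localhost
  },
  cache: { cacheLocation: "sessionStorage" },
};

// Decode a JWT payload without verifying it: the browser has no signing key,
// so this is for inspection only. The API that receives the token verifies it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// A token is only worth sending if it was issued for this resource (aud)
// and has not expired; `exp` is in seconds, so compare in seconds.
function isTokenUsable(payload, expectedAud, nowSeconds) {
  return payload.aud === expectedAud && Number.isInteger(payload.exp) && payload.exp > nowSeconds;
}

// The question's handler logs the whole AuthenticationResult; tokens then land
// in console history and any log shipper. Log a copy with the tokens removed.
function redactForLog(result) {
  const copy = { ...result };
  for (const k of ["accessToken", "idToken"]) if (k in copy) copy[k] = "<redacted>";
  return copy;
}

// Build a constructed sample token shaped like an Entra access token.
function makeSampleJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.dummysig`;
}

const sampleJwt = makeSampleJwt({
  aud: "https://graph.microsoft.com", scp: "user.read mail.send", exp: 1700003600,
});
console.log(decodeJwtPayload(sampleJwt).scp); // prints "user.read mail.send"
```

Seeing the token in your own browser's network tab is the token being delivered to your own app over TLS; the checks above are about what the app does with it afterwards.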
