Is it safe to use msal-browser in production?

sourav dwivedi 20 Reputation points

I am implementing SSO in a React SPA with Microsoft identity, using "@azure/msal-browser": "^3.5.0" and "@azure/msal-react": "^2.0.7" as dependencies.

Please refer to the sample app provided by Microsoft below:

**My question: is it safe to use this implementation?**

I am able to authenticate the user with the recommended authorization code flow, but it seems this has a security threat, as the JWT token returned is visible in network calls.

```javascript
import { useMsal } from "@azure/msal-react";

// The useMsal hook must be called inside a React component
function LoginButton() {
  const { instance } = useMsal();

  const loginRequest = {
    scopes: ["", "mail.send"]
  };

  const handleMSLLogin = () => {
    // acquireTokenPopup takes the request object directly, not wrapped in another object
    instance.acquireTokenPopup(loginRequest)
      .then(response => {
        console.log(response); // This response contains JWT token with client information and is visible in network calls
      })
      .catch(e => {
        console.error(e);
      });
  };

  return <button onClick={handleMSLLogin}>Sign in</button>;
}
```

Accepted answer
Shweta Mathur 22,571 Reputation points Microsoft Employee

Hi @sourav dwivedi ,

Thanks for reaching out.

It is generally safe to use the Microsoft Authentication Library (MSAL) for React and the recommended authorization code flow for implementing SSO in your React SPA. However, it is important to ensure that you are following best practices for securing your application and user data.

Regarding the visibility of the JWT token in network calls, this is expected behavior as the token is used to authenticate the user and authorize access to protected resources. However, you should ensure that your application is using HTTPS to encrypt network traffic and prevent eavesdropping.

Additionally, you should follow best practices for securely storing and handling the JWT token on the client-side, such as using secure cookies or local storage with appropriate expiration times and encryption.

Overall, while there are security considerations to keep in mind when implementing SSO with MSAL for React, it is a widely used and trusted library that can help simplify the process of integrating with Microsoft identity services.

Hope this will help.

Please remember to "Accept Answer" if answer helped you.

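Added example (not from the post or from MSAL's own code) showing what a SPA controls once the token has legitimately arrived over TLS: a redacting logger for the AuthenticationResult so the raw JWT never reaches console output or telemetry, a guard that attaches the bearer header only to HTTPS (or localhost) requests and only while the token is unexpired, and the silent-first acquisition pattern that opens acquireTokenPopup only when MSAL raises InteractionRequiredAuthError. The sample result below is constructed; its field names follow msal-browser's AuthenticationResult.

```javascript
// Constructed stand-in for the AuthenticationResult that msal-browser's
// acquireTokenPopup / acquireTokenSilent resolve with (field names follow
// msal-browser; the values are made up for this example).
const sampleResult = {
  accessToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.PAYLOAD",
  idToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.IDTOKEN",
  scopes: ["mail.send"],
  expiresOn: new Date("2030-01-01T00:00:00Z"),
  account: { username: "user@example.com", homeAccountId: "constructed-id" },
  tenantId: "constructed-tenant",
};

// Logging helper: keeps the fields useful for debugging and drops the raw
// tokens so they never land in console output, crash reports or telemetry.
function redactAuthResult(result) {
  const { accessToken, idToken, ...rest } = result;
  return {
    ...rest,
    account: result.account ? { username: result.account.username } : null,
    accessToken: accessToken ? `<redacted ${accessToken.length} chars>` : undefined,
    idToken: idToken ? "<redacted>" : undefined,
  };
}

// Build fetch options with the bearer header only for requests that will
// travel over TLS (localhost allowed for development) and only while the
// token is still valid. Returns null otherwise so the caller cannot leak it.
function bearerFetchInit(result, url) {
  const target = new URL(url);
  const isSecure = target.protocol === "https:" || target.hostname === "localhost";
  if (!isSecure) return null;
  if (result.expiresOn && result.expiresOn.getTime() <= Date.now()) return null;
  return { headers: { Authorization: `Bearer ${result.accessToken}` } };
}

// Silent-first acquisition: the token comes from MSAL's cache (or a refresh)
// when possible; a popup is opened only when the library reports that user
// interaction is required. Any other error is surfaced to the caller.
async function acquireToken(instance, request) {
  try {
    return await instance.acquireTokenSilent(request);
  } catch (e) {
    if (e && e.name === "InteractionRequiredAuthError") {
      return instance.acquireTokenPopup(request);
    }
    throw e;
  }
}
```

In the React code from the question, `console.log(response)` would become `console.log(redactAuthResult(response))`, and API calls would use `fetch(url, bearerFetchInit(response, url))` after a null check.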
