help with MSAL and node.js

Greg Merideth 20 Reputation points

I seem to be running in circles and could use some guidance. We have a Vue based front end site that has our own username/password/mfa solution that, once logged in, sets a series of auth cookies back to the browser that go to each API call on our back end node.js system - we would like to integrate Office authentication only to the front end.

We've created an application ID and can redirect users to the Office login page to provide authentication without the need for users to have two sets of credentials.

However, being an SPA, I'm a little confused on how to secure the back end. Once authenticated, the Vue page gets a ?code=ASk token but how then do we call our back end Node system with any proof this is who they say they are?

That ?code= could be intercepted so what mechanic is there in Node to say, "OK I've got your info let me verify you are who you say you are."

We do not want Office protecting all of our API routes - we just need it to allow the user to login with an Office credential.

Is that even possible?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,598 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee

    @Greg Merideth

    Thank you for posting your query on Microsoft Q&A, from above description I could understand that you have protected you application front end (sign up/in) with Entra ID (office authentication) but looking for a way to protect the backend API for the app.

    Please do correct me if this is not the ask by responding in the comments section:

    • To secure your backend, you can use the access token that you receive after the user has authenticated with Entra ID

      The access token is a JWT token that contains information about the user and the permissions that they have been granted. You can pass this token to your backend Node system as a bearer token in the Authorization header of your HTTP requests.

    Your backend Node system can then validate the token to ensure that it was issued by Entra ID and that it has not been tampered with.


    You may refer to for implementation.

    • The client application uses the MSAL.js library to sign-in a user and obtain a JWT Access Token from Microsoft Entra ID.

    The Access Token is used as a bearer token to authorize the user to call the protected web API.

    The protected web API responds with the claims in the Access Token.


    If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer", This will help us and others in the community as well.


    Akshay Kaushik