Azure AD + MSAL: Changing policies for auth without redirecting?

miko ademagic

I'm building a SPA with React + react-aad-msal. One of our signup flows is via email, which sends you a link that contains an id token hint and directs you from our app to the sign up page. Once you've filled out the form and submitted it, we'd like you to be signed in/authenticated when you enter the app. This works well if you stay on our sign up policy.

However, most of our app authenticates the user via the sign in policy. We conditionally check which policy should be passed to the MSAL auth config based on the user's state, i.e. if the user's entered from an invitation link it will use the sign up policy. Once we return from the sign up page, we try to authenticate with the sign in policy and we can't retrieve a valid auth token. This means that our users Sign Up, then return to the app, then have to Sign In again.

Is there a recommended way to change policies in an SPA and be able to authenticate correctly, without being redirected to our policy's auth page? My ideal flow is that the user completes the Sign Up form which logs them in, and is able to use the app until they are logged out, at which point they will have to Sign In.


1 answer

    2020-12-18T22:01:32.83+00:00

    Hello, the signup flow will return an id token and session token, making the user effectively logged in. You should not need to call the signin flow again, and even then you should not be asked to re-authenticate, thanks to the session token, unless you're adding the prompt=login param to the call.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

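The routing the question and answer describe, as an added example that is not code from the question, the answer, or the react-aad-msal project: one helper picks the user flow for the initial request (invitation link versus normal entry), one builds the per-policy authority URL that MSAL accepts per request, and one reads the `tfp`/`acr` claim of the returned id token to confirm the session already covers the app so no second sign-in call is made. The tenant name, policy names, and the token fixture are assumptions constructed for this example.

```javascript
// Added example, not code from the question or answer: policy selection for a
// B2C SPA that has a sign-up (invitation) user flow and a sign-in user flow.
// Tenant and policy names are hypothetical placeholders.
const TENANT = "contoso";
const SIGN_UP_POLICY = "B2C_1_signup_invite";
const SIGN_IN_POLICY = "B2C_1_signin";

// Authority URL for one user flow; MSAL takes this per request, so a single
// MSAL instance can serve both policies without being reconfigured.
function authorityFor(policy) {
  return `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${policy}`;
}

// Entry routing: an invitation link carries id_token_hint, so start the
// sign-up flow; any other entry point starts with the sign-in flow.
function policyForEntry(urlString) {
  const url = new URL(urlString);
  return url.searchParams.has("id_token_hint") ? SIGN_UP_POLICY : SIGN_IN_POLICY;
}

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decodes the JWT payload only; signature and issuer are validated by MSAL
// and by the API receiving the token, so this is used for routing, not trust.
function decodeJwtPayload(jwt) {
  const b64 = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Constructed, unsigned fixture standing in for the id token B2C returns.
function makeSampleIdToken(claims) {
  return `${base64urlEncode({ alg: "RS256", typ: "JWT" })}.${base64urlEncode(claims)}.fakesig`;
}

// After the redirect back: B2C id tokens name the issuing user flow in the
// `tfp` claim (`acr` on older tokens). A live token from either of our flows
// means the user is already signed in, so no second sign-in call is needed.
function sessionDecision(idToken, nowSeconds) {
  const claims = decodeJwtPayload(idToken);
  const issued = String(claims.tfp || claims.acr || "").toLowerCase();
  const policy = [SIGN_UP_POLICY, SIGN_IN_POLICY].find(p => p.toLowerCase() === issued);
  if (!policy) return { signedIn: false, reason: "unknown-policy" };
  if (!(claims.exp > nowSeconds)) return { signedIn: false, reason: "expired" };
  return { signedIn: true, policy, authority: authorityFor(policy) };
}
```

Sending `prompt=login` on the later request would override this and force the interactive sign-in the answer warns about, so the sign-in authority should be used only once `sessionDecision` reports no usable session.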