Edit

Share via


PublicClientApplication class

This class is to be used to acquire tokens for public client applications (desktop, mobile). Public client applications are not trusted to safely store application secrets, and therefore can only request tokens in the name of an user.

Extends

Constructors

PublicClientApplication(Configuration)

Important attributes in the Configuration object for auth are:

  • clientID: the application ID of your application. You can obtain one by registering your application with our Application registration portal.
  • authority: the authority URL for your application. AAD authorities are of the form https://login.microsoftonline.com/\{Enter_the_Tenant_Info_Here\}.
  • If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
  • If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
  • If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
  • To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.

Azure B2C authorities are of the form https://{instance}/{tenant}/{policy}. Each policy is considered its own authority. You will have to set the all of the knownAuthorities at the time of the client application construction.

ADFS authorities are of the form https://{instance}/adfs.

Methods

acquireTokenByDeviceCode(DeviceCodeRequest)

Acquires a token from the authority using OAuth2.0 device code flow. This flow is designed for devices that do not have access to a browser or have input constraints. The authorization server issues a DeviceCode object with a verification code, an end-user code, and the end-user verification URI. The DeviceCode object is provided through a callback, and the end-user should be instructed to use another device to navigate to the verification URI to input credentials. Since the client cannot receive incoming requests, it polls the authorization server repeatedly until the end-user completes input of credentials.

acquireTokenInteractive(InteractiveRequest)

Acquires a token by requesting an Authorization code then exchanging it for a token.

Inherited Methods

acquireTokenByCode(AuthorizationCodeRequest, AuthorizationCodePayload)

Acquires a token by exchanging the Authorization Code received from the first step of OAuth2.0 Authorization Code flow. getAuthCodeUrl(AuthorizationCodeUrlRequest) can be used to create the URL for the first step of OAuth2.0 Authorization Code flow. Ensure that values for redirectUri and scopes in AuthorizationCodeUrlRequest and AuthorizationCodeRequest are the same.

acquireTokenByRefreshToken(RefreshTokenRequest)

Acquires a token by exchanging the refresh token provided for a new set of tokens. This API is provided only for scenarios where you would like to migrate from ADAL to MSAL. Otherwise, it is recommended that you use acquireTokenSilent() for silent scenarios. When using acquireTokenSilent(), MSAL will handle the caching and refreshing of tokens automatically.

acquireTokenByUsernamePassword(UsernamePasswordRequest)

Acquires tokens with password grant by exchanging client applications username and password for credentials The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. More details on this recommendation at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4 Microsoft's documentation and recommendations are at: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#usernamepassword

acquireTokenSilent(SilentFlowRequest)

Acquires a token silently when a user specifies the account the token is requested for. This API expects the user to provide an account object and looks into the cache to retrieve the token if present. There is also an optional "forceRefresh" boolean the user can send to bypass the cache for access_token and id_token. In case the refresh_token is expired or not found, an error is thrown and the guidance is for the user to call any interactive token acquisition API (eg: acquireTokenByCode()).

clearCache()

Clear the cache

getAuthCodeUrl(AuthorizationUrlRequest)

Creates the URL of the authorization request, letting the user input credentials and consent to the application. The URL targets the /authorize endpoint of the authority configured in the application object. Once the user inputs their credentials and consents, the authority will send a response to the redirect URI sent in the request and should contain an authorization code, which can then be used to acquire tokens via acquireTokenByCode(AuthorizationCodeRequest).

getLogger()

Returns the logger instance

getTokenCache()

Gets the token cache for the application.

setLogger(Logger)

Replaces the default logger set in configurations with new Logger with new configurations

Constructor Details

PublicClientApplication(Configuration)

Important attributes in the Configuration object for auth are:

  • clientID: the application ID of your application. You can obtain one by registering your application with our Application registration portal.
  • authority: the authority URL for your application. AAD authorities are of the form https://login.microsoftonline.com/\{Enter_the_Tenant_Info_Here\}.
  • If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
  • If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
  • If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
  • To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.

Azure B2C authorities are of the form https://{instance}/{tenant}/{policy}. Each policy is considered its own authority. You will have to set the all of the knownAuthorities at the time of the client application construction.

ADFS authorities are of the form https://{instance}/adfs.

new PublicClientApplication(configuration: Configuration)

Parameters

configuration
Configuration

Method Details

acquireTokenByDeviceCode(DeviceCodeRequest)

Acquires a token from the authority using OAuth2.0 device code flow. This flow is designed for devices that do not have access to a browser or have input constraints. The authorization server issues a DeviceCode object with a verification code, an end-user code, and the end-user verification URI. The DeviceCode object is provided through a callback, and the end-user should be instructed to use another device to navigate to the verification URI to input credentials. Since the client cannot receive incoming requests, it polls the authorization server repeatedly until the end-user completes input of credentials.

function acquireTokenByDeviceCode(request: DeviceCodeRequest): Promise<AuthenticationResult | null>

Parameters

Returns

Promise<AuthenticationResult | null>

acquireTokenInteractive(InteractiveRequest)

Acquires a token by requesting an Authorization code then exchanging it for a token.

function acquireTokenInteractive(request: InteractiveRequest): Promise<AuthenticationResult>

Parameters

Returns

Promise<AuthenticationResult>

Inherited Method Details

acquireTokenByCode(AuthorizationCodeRequest, AuthorizationCodePayload)

Acquires a token by exchanging the Authorization Code received from the first step of OAuth2.0 Authorization Code flow. getAuthCodeUrl(AuthorizationCodeUrlRequest) can be used to create the URL for the first step of OAuth2.0 Authorization Code flow. Ensure that values for redirectUri and scopes in AuthorizationCodeUrlRequest and AuthorizationCodeRequest are the same.

function acquireTokenByCode(request: AuthorizationCodeRequest, authCodePayLoad?: AuthorizationCodePayload): Promise<AuthenticationResult>

Parameters

authCodePayLoad

AuthorizationCodePayload

Returns

Promise<AuthenticationResult>

Inherited From ClientApplication.acquireTokenByCode

acquireTokenByRefreshToken(RefreshTokenRequest)

Acquires a token by exchanging the refresh token provided for a new set of tokens. This API is provided only for scenarios where you would like to migrate from ADAL to MSAL. Otherwise, it is recommended that you use acquireTokenSilent() for silent scenarios. When using acquireTokenSilent(), MSAL will handle the caching and refreshing of tokens automatically.

function acquireTokenByRefreshToken(request: RefreshTokenRequest): Promise<AuthenticationResult | null>

Parameters

Returns

Promise<AuthenticationResult | null>

Inherited From ClientApplication.acquireTokenByRefreshToken

acquireTokenByUsernamePassword(UsernamePasswordRequest)

Acquires tokens with password grant by exchanging client applications username and password for credentials The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. More details on this recommendation at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4 Microsoft's documentation and recommendations are at: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#usernamepassword

function acquireTokenByUsernamePassword(request: UsernamePasswordRequest): Promise<AuthenticationResult | null>

Parameters

request
UsernamePasswordRequest

UsenamePasswordRequest

Returns

Promise<AuthenticationResult | null>

Inherited From ClientApplication.acquireTokenByUsernamePassword

acquireTokenSilent(SilentFlowRequest)

Acquires a token silently when a user specifies the account the token is requested for. This API expects the user to provide an account object and looks into the cache to retrieve the token if present. There is also an optional "forceRefresh" boolean the user can send to bypass the cache for access_token and id_token. In case the refresh_token is expired or not found, an error is thrown and the guidance is for the user to call any interactive token acquisition API (eg: acquireTokenByCode()).

function acquireTokenSilent(request: SilentFlowRequest): Promise<AuthenticationResult | null>

Parameters

Returns

Promise<AuthenticationResult | null>

Inherited From ClientApplication.acquireTokenSilent

clearCache()

Clear the cache

function clearCache()

Inherited From ClientApplication.clearCache

getAuthCodeUrl(AuthorizationUrlRequest)

Creates the URL of the authorization request, letting the user input credentials and consent to the application. The URL targets the /authorize endpoint of the authority configured in the application object. Once the user inputs their credentials and consents, the authority will send a response to the redirect URI sent in the request and should contain an authorization code, which can then be used to acquire tokens via acquireTokenByCode(AuthorizationCodeRequest).

function getAuthCodeUrl(request: AuthorizationUrlRequest): Promise<string>

Parameters

Returns

Promise<string>

Inherited From ClientApplication.getAuthCodeUrl

getLogger()

Returns the logger instance

function getLogger(): Logger

Returns

Logger

Inherited From ClientApplication.getLogger

getTokenCache()

Gets the token cache for the application.

function getTokenCache(): TokenCache

Returns

Inherited From ClientApplication.getTokenCache

setLogger(Logger)

Replaces the default logger set in configurations with new Logger with new configurations

function setLogger(logger: Logger)

Parameters

logger

Logger

Logger instance

Inherited From ClientApplication.setLogger