
I have a SPA App (VueJS) which uses Azure B2C with MSAL to authenticate users. Authentication works just fine.

But what does not work is that the user is not kept logged in.

As long as I use the app, everything works just fine. But when I start my app the next day I have to relogin (or just reselect the account I want to use), but I would like to have the same user experience as, for example, the Azure portal. I can revisit the portal after one week and do not have to relogin.

How can I achieve this behavior with MSAL? Is this even possible with this library? The library uses the implicit flow.

Is there another library I can use where this works?

Leniel Maccaferri
VSDekar

2 Answers


Before the answer...

I think you'll likely need to expand on what's happening by looking at a network tracing tool. Also, as the other answer said, KMSI will help but likely isn't the only problem here. I recommend checking whether the cookie is being set (see below), whether your app is successfully getting ID and Access tokens, and checking this state in subsequent auth requests.

Basics

SSO with MSAL.js is absolutely possible and should occur without much configuration. For some background on browser-based apps implementing authentication, achieving SSO is a factor of cookies/sessions rather than tokens/token management.

How this works

When your single page app redirects the user to the Azure AD B2C sign-in page and the end user successfully signs in, Azure AD will set a cookie in the browser of that end user. Then, when your app wants to get an ID token or Access token for the user (assuming the existing one from the initial sign-in is expired), MSAL is able to launch a silent iframe in the background, redirect to the Azure AD site with special query parameters (prompt=none), and utilize the cookie that was set earlier.

Daniel Dobalian
  • Thank you for your nice and concise answer. If I understand this GitHub issue right https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/208 MSAL cannot redirect to the Azure AD site with the `prompt=none` query parameter. But maybe I am wrong? – VSDekar Jan 10 '18 at 06:56
  • @Vergall I replied to that issue just now. I believe there was some confusion, MSAL.js allows you to use `acquireTokenSilent()` to use a valid cookie via hidden iframe. [Checkout this code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2/blob/VisualStudio/JavaScriptSPA/app.js#L60) for the intended pattern of MSAL. Simply, you should always attempt a silent request, and upon failure use one of the interactive parameters. – Daniel Dobalian Jan 10 '18 at 18:57
  • `acquireTokenSilent()` works as long as you have a valid session. After the accessToken expired (say you closed the browser and retry this after 1 hour) `acquireTokenSilent()` will fail and then, since you can not control the `prompt` parameter with MSAL, you always have to relogin or reselect (yes you are logged in) the account when you use `acquireTokenXY`. This is a very annoying UX. But maybe I am using it the wrong way...? – VSDekar Jan 11 '18 at 07:40
  • The access token will expire in an hour, but the valid session cookies will not. As `acquireTokenSilent()` is capable of using this to get new access tokens, a new sign in will not be required. [This](https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes#configurable-policy-property-details) doc covers the default session lifetimes for Azure AD. – Daniel Dobalian Jan 13 '18 at 07:14
  • Currently I think `acquireTokenSilent()` is NOT capable of using the valid session cookie. All I get is the same error as here in this new GitHub issue: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/214 – VSDekar Jan 16 '18 at 08:00
  • @Daniel Dobalian If the cookie is visible when on the https://login.microsoftonline.com under x-ms-cpim-sso:myApp.onmicrosoft.com_0 is there a way to decode its value? – DavidH Jan 16 '18 at 18:31
  • @DavidH, can you post that question on another stackoverflow post and drop the link here? – Daniel Dobalian Jan 17 '18 at 17:25
  • @Daniel Dobalian Here is a link to the new cookie decoding question: https://stackoverflow.com/questions/48328607/how-to-decode-azure-b2c-cookie. – DavidH Jan 18 '18 at 19:06
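The silent-then-interactive pattern recommended in the comments above, as an added example (not code from the original post or from MSAL.js). It assumes a client object exposing MSAL.js-style `acquireTokenSilent` and `acquireTokenRedirect` methods and errors that carry the OIDC error code in `errorCode` or `error`; the client it runs against offline is a constructed fake.

```javascript
// OIDC error codes an authorization server returns to a prompt=none request
// (the hidden-iframe request described above) when it cannot complete
// without user interaction. Source: OpenID Connect Core 1.0, section 3.1.2.6.
const INTERACTION_REQUIRED = new Set([
  "interaction_required",
  "login_required",
  "consent_required",
  "account_selection_required",
]);

// Only these codes justify an interactive redirect. Anything else (network
// failure, bad client id, invalid scope) is surfaced instead, so a transient
// error never bounces the user into a login loop. Assumes the error object
// carries the code in `errorCode` (MSAL.js convention) or `error` (raw OIDC).
function needsInteraction(err) {
  const code = err && (err.errorCode || err.error);
  return INTERACTION_REQUIRED.has(code);
}

// Silent-first acquisition. `client` is any object exposing the MSAL.js-style
// methods acquireTokenSilent(request) and acquireTokenRedirect(request).
async function getAccessToken(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { source: "silent", accessToken: result.accessToken };
  } catch (err) {
    if (!needsInteraction(err)) throw err;
    await client.acquireTokenRedirect(request); // navigates away in a browser
    return { source: "redirect", accessToken: null };
  }
}

// Constructed stand-in for an MSAL client so the example runs offline:
// `silentOutcome` is either a token string or an Error to throw.
function fakeClient(silentOutcome) {
  return {
    acquireTokenSilent: async () => {
      if (silentOutcome instanceof Error) throw silentOutcome;
      return { accessToken: silentOutcome };
    },
    acquireTokenRedirect: async () => undefined,
  };
}

const loginRequired = Object.assign(new Error("sign-in needed"), { errorCode: "login_required" });
getAccessToken(fakeClient(loginRequired), { scopes: ["openid"] })
  .then((r) => console.log(r.source)); // "redirect"
```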

Generally, browser-based applications shouldn't keep users logged in, since activity, such as a password change or reset, at the identity provider can invalidate a persistent session and should force an interactive login.

You should consider the "keep me signed in (KMSI)" capability that has been enabled for custom policies.

Chris Padgett
  • That link shows you how to enable a custom policy to add UI for the user, but does not really explain what is happening under the hood. Meaning, for a SPA/PKCE, is there a Refresh Token now issued? And what does "silently sign-in" mean, and do, exactly? – dapug Nov 13 '20 at 18:56