
Overview - I am working on a solution with a UI built in Angular and a backend in Django. I want to implement authentication and authorization using Azure AD. In the UI, I have made use of @azure/msal-angular, which acquires access tokens directly from Azure each time a backend endpoint is hit.

Problem 1 - Access tokens are acquired in the background and never expire unless the user logs out. Is there a way to log the user out after a certain period of time/inactivity?

Problem 2 - @azure/msal-angular uses the implicit grant flow, which receives user tokens in URL fragments, which seems insecure. Is the auth code flow a better way to go about it?

arpit a

1 Answer


Access tokens are acquired in the background and never expire unless the user logs out. Is there a way to log the user out after a certain period of time/inactivity?

You could change the token lifetime defaults with a TokenLifetimePolicy. For the full documentation, see here. Follow the answer to create and set the Token Lifetime Policy.

@azure/msal-angular uses the implicit grant flow, which receives user tokens in URL fragments, which seems insecure. Is the auth code flow a better way to go about it?

Yes, the auth code flow is better. As the doc shows, "There are a few important security considerations to take into account when using the implicit flow specifically around client and user impersonation". The auth code flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens and ID tokens for the signed-in user. You could use the auth code flow with PKCE; this is the sample.

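The following is an added example for the inactivity question (Problem 1). It is not code from the post, from @azure/msal-angular or from Microsoft. A TokenLifetimePolicy bounds how long each token is valid, but MSAL renews tokens silently, so "log out after N minutes idle" has to be the application's own decision: the watchdog below records user input and, once none has arrived for `timeoutMs`, fires an `onTimeout` callback in which the app would call whatever logout method its MSAL version exposes (assumed; `msalService.logoutRedirect()` in the commented wiring is one such call, not something the post confirms). The clock is injectable so the logic can be driven deterministically.

```javascript
// Added example, not from the original post, MSAL or Microsoft: an inactivity
// watchdog for a browser SPA. Timeout, event list and the MSAL logout call in
// the commented wiring are assumptions for illustration.

class IdleLogout {
  // now() is injectable so the logic can be driven by a fake clock in tests.
  constructor({ timeoutMs, onTimeout, now = () => Date.now() }) {
    if (!(timeoutMs > 0)) throw new Error("timeoutMs must be a positive number");
    this.timeoutMs = timeoutMs;
    this.onTimeout = onTimeout;
    this.now = now;
    this.lastActivity = now();
    this.fired = false;
    this.timer = null;
  }

  // Record user activity. Wired to input events in the browser by start().
  touch() {
    if (!this.fired) this.lastActivity = this.now();
  }

  // Milliseconds of inactivity so far.
  idleFor() {
    return this.now() - this.lastActivity;
  }

  // Returns true once the timeout has been reached; fires onTimeout exactly once.
  check() {
    if (this.fired) return true;
    if (this.idleFor() >= this.timeoutMs) {
      this.fired = true;
      this.onTimeout();
      return true;
    }
    return false;
  }

  // Browser wiring: listen for input events on `win` (normally `window`) and
  // poll with check(). Polling instead of resetting a timer on every event
  // avoids churning timers on high-frequency events such as mousemove.
  start(win, intervalMs = 1000) {
    const events = ["mousemove", "mousedown", "keydown", "touchstart", "scroll"];
    for (const ev of events) {
      win.addEventListener(ev, () => this.touch(), { passive: true });
    }
    this.timer = win.setInterval(() => {
      if (this.check()) win.clearInterval(this.timer);
    }, intervalMs);
  }
}

// Browser wiring (not executed here): log out after 15 minutes of inactivity.
// const idle = new IdleLogout({
//   timeoutMs: 15 * 60 * 1000,
//   onTimeout: () => msalService.logoutRedirect(), // assumed MSAL logout call
// });
// idle.start(window);
```

Two caveats a practitioner should keep in mind: the tracker is per tab, so a multi-tab app would need to share `lastActivity` (for example through `localStorage`) if one tab's activity should keep the others alive; and logging out clears MSAL's cache but does not revoke an access token already issued, which stays valid until its `exp`, so the lifetime policy from the answer and the backend's own `exp` validation still bound the exposure.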
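The following is an added example for Problem 2. It is not code from the post, from MSAL or from Microsoft's sample; it writes out the PKCE pieces of the authorization code flow that MSAL performs for you, in Node.js JavaScript, so the difference from the implicit flow is visible. In the browser MSAL uses `crypto.subtle` rather than Node's `crypto` module. The tenant, client id, redirect URI and the sample redirect URLs are made-up placeholders; the endpoint path and the query parameters are the standard Microsoft identity platform v2.0 and OAuth 2.0 / RFC 7636 names.

```javascript
// Added example, not from the original post, MSAL or Microsoft: the PKCE
// authorization code flow written out. Tenant, client id, redirect URI and the
// sample redirect URLs below are hypothetical placeholders.
const crypto = require("crypto");

// base64url without padding, as RFC 7636 requires for verifier and challenge.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// code_verifier: 32 random bytes -> 43 url-safe chars (RFC 7636 allows 43..128).
function makeCodeVerifier() {
  return base64url(crypto.randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256.
function makeCodeChallenge(verifier) {
  return base64url(crypto.createHash("sha256").update(verifier, "ascii").digest());
}

// The /authorize request. The implicit flow would send response_type=token
// (or "id_token token") and get tokens back in the URL fragment; here only a
// short-lived, single-use code comes back, bound to the challenge.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, scopes, state, challenge }) {
  const u = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_mode", "query");
  u.searchParams.set("scope", scopes.join(" "));
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", challenge);
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// Inspect the redirect the browser lands on. An implicit-flow redirect carries
// tokens in the fragment (#access_token=...), which ends up in browser history
// and is readable by any script on the page; an auth-code redirect carries only
// the code, and the state value must match the one we sent.
function parseRedirect(redirectUrl, expectedState) {
  const u = new URL(redirectUrl);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  if (fragment.has("access_token") || fragment.has("id_token")) {
    return { flow: "implicit", accessTokenExposedInUrl: true };
  }
  if (u.searchParams.get("state") !== expectedState) {
    throw new Error("state mismatch: possible CSRF or mixed-up response");
  }
  return {
    flow: "authorization_code",
    code: u.searchParams.get("code"),
    accessTokenExposedInUrl: false,
  };
}

// Body of the back-channel POST to /token. The verifier proves that the party
// redeeming the code is the one that started the flow; tokens come back in the
// HTTPS response body, never in a URL.
function buildTokenRequest({ clientId, redirectUri, code, verifier }) {
  return new URLSearchParams({
    client_id: clientId,
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: verifier,
  }).toString();
}

// What the token endpoint checks: a stolen code is useless without the verifier.
function challengeMatches(verifier, challenge) {
  const expected = makeCodeChallenge(verifier);
  return expected.length === challenge.length &&
    crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(challenge));
}
```

The design point the answer alludes to is the last function: in the implicit flow the access token itself rides in the redirect URL, so anything that can read that URL (history, referrers, injected script) holds a usable bearer token; in the code flow the URL carries only a code that is worthless to an attacker who does not also hold the in-memory `code_verifier`, and the tokens travel in a direct HTTPS response.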