7

I would like to know if MSAL can be used with identity providers other than Microsoft products. If yes, how? I checked the MSAL documentation, but it is not straightforward on this question. What I would like to do is to authenticate to Google and OneLogin (and possibly others later) using MSAL, but I don't know how. However, I successfully used MSAL with Azure AD.

MSAL seems to be a good library to use generally with any IDPs.

KTib
  • 71
  • 2
  • I'm struggling with the documentation too, it's really, really poor. I'm thinking of sticking with AddMicrosoftAccount for now – Phil Jun 17 '21 at 14:17
  • Did you happen to get a solution to this problem? I would expect an OIDC compliant client to work with any OIDC based IDP. But looking at the source of MSAL (even 4.37), I don't think it is easy to use as a generic client. – Akhilesh Nov 06 '21 at 08:19
  • 1
    @KTib, did you find the answer? I'm trying to figure out if we can use MSAL for both Azure (I know we can) and custom OAUTH2-compliant identity providers and the documentation is still murky. – Alek Davis Sep 27 '22 at 16:19

2 Answers

2

PROVISO

I believe you're asking about MSAL.JS, as using MSAL.NET with a non-MS OpenID Connect provider is unnecessary: Microsoft.AspNetCore.Identity provides sufficient support for social logins, and vendors of custom OpenID Connect servers provide their own extensions (see the IdentityServer docs and OpenIdDict samples).

ANSWER

Yes, it's possible to use a non-MS OIDC provider with MSAL.JS since October 2020.

You'd have to specify extra auth properties: protocolMode: 'OIDC' and knownAuthorities: ["your-id-server.com"]. See the official docs on the parameters of @azure/msal-browser.

If you follow the official JavaScript examples then the config would look like:

const msalConfig = {
    auth: {
        clientId: "YOUR-CLIENT-ID",
        // the non-MS OIDC issuer; MSAL fetches its metadata from here
        authority: "https://your-id-server.com",
        // allow-list of authorities MSAL will talk to; must cover the authority above
        knownAuthorities: ["https://your-id-server.com"],
        redirectUri: "https://you-client-app.com",
        // switch MSAL from its AAD-specific behaviour to generic OIDC
        protocolMode: "OIDC"
    }
};

HISTORY

Till this PR was merged on 16-Oct-2020, MSAL worked with MS end-points exclusively. So @leastprivilege's answer of 2017 was correct back then.

Thankfully, issue requests 1555 and subsequently 2120 helped to change the tide.

Alex Klaus
  • 8,168
  • 8
  • 71
  • 87
  • 1
    I'm not sure I understand your answer. Can we use MSAL for Client Credentials-based authentication flows against non-Azure identity providers (that support OAUTH2)? Looking for a common solution for a server-to-server app that talks to both Azure and non-Azure systems. – Alek Davis Sep 27 '22 at 16:21
  • The OPs question and my answer are about using MSAL with non-MS OpenID Connect Identity Providers. I think you're using incorrect terminology in your question. There's OAuth 2.0 [Client Credentials Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4), but "_Client Credentials-based flows_" is not a thing. – Alex Klaus Sep 29 '22 at 09:20
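As an added example (not code from the answer above, nor from the MSAL library itself), a small helper that builds the configuration the answer describes and checks the two things that matter for a generic OIDC authority: the authority and redirect URI use HTTPS, and the authority host is covered by the knownAuthorities allow-list. The function and parameter names are assumptions; only the option keys (authority, knownAuthorities, protocolMode, redirectUri, clientId) come from the answer.

```javascript
// Build an @azure/msal-browser style config for a non-Microsoft OIDC provider.
// Hypothetical helper; it does not import MSAL, it only prepares and checks
// the object that would be passed to PublicClientApplication.
function buildOidcMsalConfig({ clientId, authority, redirectUri }) {
  const auth = new URL(authority);
  const redirect = new URL(redirectUri);

  // MSAL fetches the discovery document and token endpoint from the authority,
  // so a plaintext authority would expose the whole login flow to tampering.
  if (auth.protocol !== "https:") {
    throw new Error(`authority must use https: ${authority}`);
  }
  // Tolerate http only for a local loopback redirect during development.
  const loopback = ["localhost", "127.0.0.1"].includes(redirect.hostname);
  if (redirect.protocol !== "https:" && !loopback) {
    throw new Error(`redirectUri must use https (or loopback): ${redirectUri}`);
  }

  return {
    auth: {
      clientId,
      // normalise away a trailing slash so the discovery URL is well-formed
      authority: auth.origin + auth.pathname.replace(/\/$/, ""),
      // the allow-list, in the same full-URL form the answer uses
      knownAuthorities: [auth.origin],
      redirectUri,
      protocolMode: "OIDC",
    },
  };
}

// True when the authority host appears in knownAuthorities (entries may be
// a bare host or a full URL). MSAL rejects authorities outside this list.
function authorityIsKnown(config) {
  const host = new URL(config.auth.authority).host;
  return config.auth.knownAuthorities.some((entry) => {
    const known = entry.includes("://") ? new URL(entry).host : entry;
    return known.toLowerCase() === host.toLowerCase();
  });
}

// The OIDC discovery document MSAL retrieves in "OIDC" protocol mode.
function discoveryUrl(config) {
  return `${config.auth.authority}/.well-known/openid-configuration`;
}

// Constructed placeholder values, mirroring the answer's example.
const exampleConfig = buildOidcMsalConfig({
  clientId: "YOUR-CLIENT-ID",
  authority: "https://your-id-server.com/",
  redirectUri: "https://you-client-app.com",
});
```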
2

According to the reply from the MSAL.NET GitHub discussion, MSAL.NET only supports Azure identity providers, so as of September of 2022, it would not work with third-party providers. The third-party support may be added later, but no timeline at this point.

Alek Davis
  • 10,628
  • 2
  • 41
  • 53