Building a Single Page Application with MSAL.js

Posted on October 26, 2023 by Azure AD Team

Introduction

In today's web development landscape, building secure and interactive Single Page Applications (SPAs) is a common requirement. Integrating with Azure Active Directory (Azure AD) for authentication and authorization provides a robust and scalable solution. This post will guide you through the process of building an SPA using MSAL.js (Microsoft Authentication Library for JavaScript) to seamlessly authenticate users with Azure AD.

What is MSAL.js?

MSAL.js is a JavaScript client-side SDK that enables web applications to authenticate users using Azure AD v2.0 endpoint and acquire tokens for accessing protected web APIs. It supports both the Authorization Code Flow with PKCE and the Implicit Flow (though Authorization Code Flow is recommended for modern applications).

Prerequisites

• An Azure AD tenant.
• An Azure AD application registration.
• Basic understanding of JavaScript, HTML, and CSS.
• A modern JavaScript framework like React, Angular, or Vue.js (optional, but recommended for better structure).

Setting up Your Azure AD Application Registration

Before diving into the code, you need to register your SPA in Azure AD. Follow these steps:

1. Go to the Azure portal.
2. Navigate to Azure Active Directory.
3. Under "Manage", select "App registrations".
4. Click "New registration".
5. Give your application a name (e.g., "MyWebAppSPA").
6. For "Supported account types", select the appropriate option for your scenario (e.g., "Accounts in this organizational directory only" or "Accounts in any organizational directory").
7. Under "Redirect URI", select "Single-page application" from the dropdown and enter the URI where your SPA will be hosted (e.g., http://localhost:3000 for local development).
8. Click "Register".
9. After registration, note down your Application (client) ID and Directory (tenant) ID. You will need these later.
10. Under "Authentication", ensure that "Implicit grant" and "Hybrid flows" are enabled if you are using those flows. For modern flows (Authorization Code Flow), these might not be necessary.
11. Under "API permissions", add permissions to any APIs your SPA needs to access (e.g., Microsoft Graph).

Integrating MSAL.js into Your SPA

You can integrate MSAL.js into your project by installing it via npm or yarn:

npm install @azure/msal-browser

yarn add @azure/msal-browser

MSAL Configuration

Create a configuration object that MSAL.js will use to interact with Azure AD. This typically involves your client ID, authority, and redirect URIs.

const msalConfig = {
    auth: {
        clientId: "YOUR_AZURE_AD_APPLICATION_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_AZURE_AD_TENANT_ID",
        redirectUri: "http://localhost:3000", // Your SPA's redirect URI
    },
    cache: {
        cacheLocation: "sessionStorage", // Or "localStorage"
        storeAuthStateInCookie: false,
    }
};

const msalInstance = new PublicClientApplication(msalConfig);
            

Replace YOUR_AZURE_AD_APPLICATION_CLIENT_ID and YOUR_AZURE_AD_TENANT_ID with the values from your Azure AD app registration. The authority URL can be customized for different clouds (e.g., GCC, China). The redirectUri must match exactly what you configured in Azure AD.

Login and Logout Flows

MSAL.js provides methods to initiate the login and logout processes.

Login

To prompt the user to sign in:

async function login() {
    try {
        await msalInstance.loginRedirect({
            scopes: ["user.read"] // Example scope for Microsoft Graph
        });
    } catch (error) {
        console.error("Login failed:", error);
    }
}
            

The loginRedirect method redirects the user to the Azure AD login page. After successful authentication, Azure AD will redirect the user back to your specified redirectUri with an ID token and/or access token in the URL fragment.

Logout

To sign the user out:

function logout() {
    msalInstance.logoutRedirect({
        postLogoutRedirectUri: "/" // Redirect to the home page after logout
    });
}
            

The logoutRedirect method redirects the user to the Azure AD logout endpoint and then back to your application.

Acquiring Tokens

Once a user is logged in, you can acquire tokens for protected resources.

async function acquireToken(scopes) {
    const accounts = msalInstance.getAllAccounts();
    if (accounts.length === 0) {
        // User is not logged in
        return null;
    }

    const request = {
        scopes: scopes,
        account: accounts[0]
    };

    try {
        const silentResult = await msalInstance.acquireTokenSilent(request);
        return silentResult.accessToken;
    } catch (error) {
        // If silent acquisition fails, prompt user to log in interactively
        console.warn("Silent token acquisition failed. Attempting interactive acquisition.");
        try {
            const interactiveResult = await msalInstance.acquireTokenRedirect(request); // Or acquireTokenPopup
            return interactiveResult.accessToken;
        } catch (interactiveError) {
            console.error("Interactive token acquisition failed:", interactiveError);
            return null;
        }
    }
}
            

acquireTokenSilent attempts to get a token without user interaction. If it fails (e.g., token expired, no session), acquireTokenRedirect (or acquireTokenPopup) can be used to prompt the user interactively.

Putting It All Together (Example Usage)

Here's a conceptual example of how you might use MSAL.js in a React component:

// Assume MSAL configuration and instance are set up elsewhere

function MySecureComponent() {
    const [isAuthenticated, setIsAuthenticated] = React.useState(false);
    const [userInfo, setUserInfo] = React.useState(null);

    React.useEffect(() => {
        const checkAuth = async () => {
            const accounts = msalInstance.getAllAccounts();
            if (accounts.length > 0) {
                setIsAuthenticated(true);
                setUserInfo(accounts[0]);
                // Optionally fetch data using acquired token
                try {
                    const token = await acquireToken(["user.read"]);
                    if (token) {
                        console.log("Access Token:", token);
                        // Use the token to call an API
                    }
                } catch (error) {
                    console.error("Failed to get token for API:", error);
                }
            } else {
                setIsAuthenticated(false);
                setUserInfo(null);
            }
        };
        checkAuth();
    }, []);

    const handleLogin = () => {
        login(); // Call the login function defined earlier
    };

    const handleLogout = () => {
        logout(); // Call the logout function defined earlier
    };

    return (
        

            {isAuthenticated ? (
                

                    
Welcome, {userInfo?.name || userInfo?.username}!
                    Logout
                
            ) : (
                

                    
Please sign in to continue.
                    Login with Azure AD
                
            )}
        
    );
}
            

Conclusion

MSAL.js simplifies the integration of Azure AD authentication into your SPAs, providing a secure and straightforward way to manage user identities and access protected resources. By following these steps and leveraging the capabilities of MSAL.js, you can build robust and secure single-page applications with confidence.

Remember to always consult the official MSAL.js documentation for the latest updates and advanced configurations.