2
votes

I'm developing a web application with a React frontend and a .NET Core 3.1 backend and was asked to add Azure AD single sign-on capabilities. I'm using the react-aad-msal library (https://www.npmjs.com/package/react-aad-msal). I'm calling MsalAuthProvider.getAccessToken() and get this error:

Can't construct an AccessTokenResponse from a AuthResponse that has a token type of "id_token".

Can anyone help me?

Anyone? Btw. getAccessToken() is actually inside the standard msal library, if that helps.

2
I need a token to call my backend .NET Core 3.1 REST methods and authenticate with them. I get an error calling getAccessToken() but not getIdToken(). Can I use the id token instead, to send as a bearer token to the REST API? - Jon Th

The article "Microsoft identity platform ID tokens" says: "...id_tokens are sent to the client application as part of an OpenID Connect (OIDC) flow. They can be sent alongside or instead of an access token, and are used by the client to authenticate the user." However: "ID Tokens should be used to validate that a user is who they claim to be and get additional useful information about them - it shouldn't be used for authorization in place of an access token." In short: idTokens - about the user, accessToken - about his permissions. - Denys Rusov

2 Answers

0
votes

I found a solution myself by going into package.json and lowering the version number on "msal" in "dependencies" like this:

```json
"msal": "~1.3.0",
```

0
votes

Change the scopes in authProvider.

```javascript
import { MsalAuthProvider, LoginType } from 'react-aad-msal';
import { Logger, LogLevel } from 'msal';

export const authProvider = new MsalAuthProvider(
  {
    auth: {
      // Tenant-specific authority and the SPA's application (client) id; placeholders here.
      authority: 'https://login.microsoftonline.com/5555555-5555-5555-5555-555555555555',
      clientId: 'AAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA',
      postLogoutRedirectUri: 'http://localhost:3000/signin',
      redirectUri: 'http://localhost:3000/signin',
      validateAuthority: true,
      navigateToLoginRequestUrl: false
    },
    system: {
      logger: new Logger(
        (logLevel, message, containsPii) => {
          console.log("[MSAL]", message);
        },
        {
          level: LogLevel.Verbose,
          piiLoggingEnabled: false // keep personal data out of the browser console
        }
      )
    },
    cache: {
      cacheLocation: "sessionStorage",
      storeAuthStateInCookie: true
    }
  },
  {
    // Requesting a resource scope (here user.read for Microsoft Graph) alongside the
    // OIDC scopes makes MSAL return an access token rather than an id_token only.
    scopes: ["openid", "profile", "user.read"] // <<<-----------|
  },
  {
    loginType: LoginType.Popup,
    tokenRefreshUri: window.location.origin + "/auth.html"
  }
);
```
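The comments above draw the line between an id_token (audience: your own client id, says who the user is) and an access token (audience: the resource it grants access to, says what the caller may do), and the answer shows that the scopes requested decide which one MSAL hands back. The following is an added example, not code from the question, either answer, or the react-aad-msal project: a small client-side sanity check that inspects the `aud`, `scp` and `exp` claims of whatever token MSAL returned and only builds a `Bearer` header when the token is an unexpired access token for our own backend. The `CLIENT_ID` placeholder is the one used in the answer; the `api://<client id>` audience, the `access_as_user` scope and the Microsoft Graph resource id are assumptions, and the three sample tokens are constructed here with a dummy signature. Signature, issuer and audience validation still belong in the .NET Core JWT bearer middleware on the server; this check only stops the SPA from sending the wrong token in the first place.

```javascript
// Added example: pick the right token for the backend API before sending it.
// Sample tokens are constructed (unsigned, dummy signature) for illustration only.

const CLIENT_ID = "AAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA"; // placeholder from the answer
const API_AUDIENCE = `api://${CLIENT_ID}`;               // assumed "Expose an API" app ID URI
const GRAPH_AUDIENCE = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph resource id

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(str) {
  return Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Constructed JWT: header.payload.dummy-signature (never accepted by a real verifier).
function makeSampleJwt(payload) {
  const header = { alg: "none", typ: "JWT" };
  return `${base64UrlEncode(header)}.${base64UrlEncode(payload)}.sig`;
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Classify by audience: an id_token is addressed to the SPA's own client id and
// carries no delegated scopes; an access token is addressed to a resource.
function classifyToken(jwt, { clientId, apiAudience }) {
  const claims = decodeJwtPayload(jwt);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (aud.includes(apiAudience)) return "api-access-token";
  if (aud.includes(clientId) && claims.scp === undefined) return "id-token";
  return "other-resource-token"; // e.g. a Graph token obtained via user.read
}

function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  return typeof exp !== "number" || exp <= nowSeconds;
}

// Returns the header to attach to a fetch() against our backend, or throws when
// the token is not an unexpired access token minted for that backend.
function bearerHeaderForApi(jwt, opts, nowSeconds) {
  const kind = classifyToken(jwt, opts);
  if (kind !== "api-access-token") {
    throw new Error(`refusing to send a ${kind} to the API`);
  }
  if (isExpired(jwt, nowSeconds)) throw new Error("token expired");
  return { Authorization: `Bearer ${jwt}` };
}

// Constructed sample tokens; claims are illustrative, not real.
const NOW = 1600000000;
const ID_TOKEN = makeSampleJwt({ aud: CLIENT_ID, nonce: "abc123", exp: NOW + 3600,
                                 preferred_username: "user@example.com" });
const GRAPH_TOKEN = makeSampleJwt({ aud: GRAPH_AUDIENCE, scp: "User.Read", exp: NOW + 3600 });
const API_TOKEN = makeSampleJwt({ aud: API_AUDIENCE, scp: "access_as_user", exp: NOW + 3600 });
const OPTS = { clientId: CLIENT_ID, apiAudience: API_AUDIENCE };

for (const [name, tok] of [["id", ID_TOKEN], ["graph", GRAPH_TOKEN], ["api", API_TOKEN]]) {
  try {
    console.log(name, "->", bearerHeaderForApi(tok, OPTS, NOW).Authorization.slice(0, 30) + "...");
  } catch (e) {
    console.log(name, "-> rejected:", e.message);
  }
}
```

In the real application the `jwt` argument would be the `accessToken` from `authProvider.getAccessToken(...)` (and the first argument to `getAccessToken` would request the backend's own scope rather than `user.read`); the id token from `getIdToken()` is rejected here on purpose, which is the answer to the question asked in the comments.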