Reputation: 549
How do I listen for MSAL-Angular token reauthentiation requests?
So I've got MSAL-ANGULAR piece working correctly in my angular project. The problem lies when I've left the session open for a certain period of time and MSAL invokes re-authentication request to Azure AD when the token presumably expires. This automatically redirects to Azure AD for verification and will fail if the initiating path is not a registered path in Azure (e.g. localhost:1000/login will succeed but localhost:1000/orders will not).
Ideally I shouldn't have to specify every path permutation in Azure AD so I had the thought that I would intercept the authentication redirect, redirect to the default URL and then initiate the authentication process. Here was my original thinking:
I would think that the following code in the authentication layer would have a hook in place for this i.e.
import { MsalService, BroadcastService } from '@azure/msal-angular';
broadcast.subscribe("msal:loginSuccess",
() => {
...
}
this.broadcast.subscribe("msal:loginFailure",
() => {
...
});
but it doesn't look it hits that piece but, but rather, hooks in within app.routing:
import { MsalGuard } from "@azure/msal-angular";
const appRoutes: Routes = [
{ path: 'login', component: LoginComponent, canActivate: [MsalGuard] },
{ path: 'orders', component: OrdersComponent, canActivate: [MsalGuard] },
];
Any thoughts would be appreciated.
Upvotes: 2
Views: 2187
Answers (2)
Reputation: 592
I know you already fixed your problem, but your question was never properly answered. After a long time of research I finally found a proper way to listen for MSAL-Angular token reauthentiation requests.
Below subscription listens to every HTTP request and emits events e.g. 'msal:acquireTokenStart' when your AccessToken is correct and not expired.
In case your AccessToken is incorrect and did expire there is another event which uses the RefreshToken to get a new AccessToken from the Network: 'msal:acquireTokenFromNetworkStart'.
If both tokens are wrong or deleted, 'msal:acquireTokenFailure' gets emited. These emits can be used to, e.g. redirect or logout the user.
this.msalBroadcastService.msalSubject$.subscribe({
next: (msalSubject) => {
if (msalSubject.eventType === 'msal:acquireTokenFailure') {
// Do something when acquiring of the token fails
}
}
},
});
Above code is inside ngOnInit. Don't forget to import the MsalBroadcastService and inject it into the constructor.
Upvotes: 0
Reputation: 549
Well, it turns out you can hack the system - all you need to do is use a wildcard within Azure Active Directory's manifest.
i.e.
1/ Log into https://portal.azure.com
2/ Go to Azure Active Directory
3/ Go to App Registrations
4/ Select your app
5/ Open the manifest and set the following:
"replyUrlsWithType": [
{
"url": "https://localhost:1000/*",
"type": "Web"
}
],
6/ Save ... and voila. This forces Azure AD to accept all URI's from that domain
NOTE: Azure portal actively blocks wildcard matches ... but you can bypass it via the manifest ;)
Upvotes: 2
Related Questions
- Api call after login msal authentication
- How to configure msal-angular interceptor to send an access token (v2) to own domain (self)
- Get Authorization token to call API
- Not able to get tokens / msal objects in angularJS after successful login for AzureAD
- Authenticate to Azure AD from Angular 9 Application
- msal-angular: how to ask user to login again for important operations on your app?
- msal.js angular 6 SPA callback and errors handling
- How do I configure MSAL in Angular?
- Authentification to Azure Ad in Angular using Msal
- Angular 4/Angular 2 Azure Active Directory Authentication - Fetch token