sfanjoy

Reputation: 680

Is getAccount() enough to secure a React SPA with Azure AD B2C using MSAL?

I am securing a React SPA. The app is used on a private network and will only access endpoints inside the private network. I do not need to make further calls to secure a JWT, so I plan to call getAccount() as the user navigates to a page, along with a simple time check. I cannot find the MSAL documentation for the function getAccount(), but it is used in almost all of the MSAL examples. Is getAccount() a safe boolean to use to determine whether the user has logged in?

Upvotes: 0

Views: 654

Answers (1)

alphaz18

Reputation: 2746

Assuming getAccount reads the id_token and not some copy of the information somewhere, then yes, it should be secure enough to use, since the id_token is guaranteed not to be tampered with (JWT spec).

However, SPAs should never contain secure data, as they are insecure clients by definition. Anyone inside the organization would likely be able to access the internal endpoints given the knowledge, if the endpoints were unsecured. The proper way to do it would be to secure the endpoints using Azure AD, expose the APIs of those endpoints to the SPA app registration, and have the endpoints authenticate using the tokens.

Upvotes: 1
