July 20th, 2020

MSAL.js 2.0 is now generally available with support for authorization code flow

The Microsoft Authentication Library (MSAL) for JavaScript has now released version 2.0 and allows you to use the authorization code flow in production. MSAL.js 2.0 will first make a request to the /authorize endpoint to receive an authorization code protected by Proof Key for Code Exchange (PKCE). This code is sent to the Cross Origin Resource Sharing (CORS) enabled /token endpoint and exchanged for an access token and 24 hour refresh token, which can be used to silently obtain new access tokens.

Why use auth code flow

Safari, along with other popular browsers following suit, has implemented an on-by-default privacy feature: Intelligent Tracking Protection (ITP). ITP blocks cookies from being sent across domains, thus breaking the standard pattern for implementing the implicit flow in single-page apps (SPAs), where silent iframes are used for single sign-on in the browser.

In response to browser cookie limitations, OAuth published a draft recommending that browser based applications now use the authorization code flow. The Microsoft identity platform now enables this through updates to our client library and Secure Token Server.

Get started

To take advantage of the latest recommended authentication flow in your browser-based application, follow the quickstart or tutorial. You will need to update your application to use the latest MSAL version and update your application registration in the Azure Portal.

-Microsoft identity platform team