Version 2.0 of the Microsoft Authentication Library (MSAL) for JavaScript has been released, and you can now use the authorization code flow in production. MSAL.js 2.0 first makes a request to the /authorize endpoint to receive an authorization code protected by Proof Key for Code Exchange (PKCE). This code is sent to the Cross-Origin Resource Sharing (CORS) enabled /token endpoint and exchanged for an access token and a 24-hour refresh token; the refresh token can then be used to silently obtain new access tokens.
Why use auth code flow
Safari, along with other popular browsers following suit, has implemented an on-by-default privacy feature: Intelligent Tracking Protection (ITP). ITP blocks cookies from being sent across domains, thus breaking the standard pattern for implementing the implicit flow in single-page apps (SPAs), where silent iframes are used for single sign-on in the browser.
In response to browser cookie limitations, OAuth published a draft recommending that browser-based applications now use the authorization code flow. The Microsoft identity platform now enables this through updates to our client library and Secure Token Server.
Get started
To take advantage of the latest recommended authentication flow in your browser-based application, follow the quickstart or tutorial. You will need to update your application to use the latest MSAL version and update your application registration in the Azure Portal.
-Microsoft identity platform team