Authentication By MSAL Flashcards

(16 cards)

1
Q

What is MSAL?

A
  • Microsoft Authentication Library
  • enables developers to acquire security tokens from the Microsoft identity platform (MIP) to authenticate users and access secured web APIs
  • can be used to provide access to Microsoft Graph, other Microsoft APIs, third-party APIs or your own web API
  • supports .NET, JS, Java, Python
2
Q

What benefits does MSAL provide?

A
  • no need to directly use OAuth libraries or code against the protocol in your app
  • acquires tokens on behalf of a user or on behalf of an app
  • maintains a token cache and refreshes tokens for you when they're close to expiring
  • helps you specify which audience you want your app to sign in
  • helps you set up your app from config files
3
Q

Where can MSAL acquire tokens from?

A
  • web apps
  • web APIs
  • SPAs
  • mobile and native apps
  • daemons and server-side apps
4
Q

What are the names of the MSAL auth flows?

A
  • Authorization code
  • Client credentials
  • Device code
  • Implicit grant
  • On-behalf-of
  • Username/password
  • Integrated Windows Authentication
5
Q

What is the authorization code MSAL flow?

A

User sign-in and access to web APIs on behalf of the user; supported on desktop, SPAs, mobile and web

6
Q

What is the client credentials MSAL flow?

A

Access to web APIs using the identity of the app itself; used for server-to-server communication and automated scripts that require no user interaction (e.g. Azure Functions)

7
Q

What is the device code MSAL flow?

A
  • user sign-in and access to web APIs on behalf of the user on input-constrained devices like smart TVs and CLIs
8
Q

What is the implicit grant MSAL flow?

A

User sign-in and access to web APIs on behalf of the user; supported on SPAs and web apps

9
Q

What is the on-behalf-of MSAL flow?

A
  • access from an upstream web API to a downstream web API on behalf of the user
  • the user's identity and delegated permissions are passed through to the downstream API
10
Q

What is the Integrated Windows Authentication MSAL flow?

A

Allows apps on a domain-joined or Entra-joined computer to acquire a token silently, without any UI interaction

11
Q

What is a client in relation to MSAL?

A
  • software entity that has a unique ID assigned by an identity provider
  • MSAL defines both public and confidential clients
  • client types differ in their ability to authenticate securely with the authorisation server and to hold sensitive identity-proving information so that it can't be accessed or known to a user within the scope of its access
12
Q

What are MSAL public client apps?

A
  • run on devices such as desktop, browserless APIs, mobile or client-side browser apps
  • can't be trusted to safely keep app secrets, so they can only access web APIs on behalf of the user
  • can't have client secrets
13
Q

What are MSAL confidential client apps?

A
  • run on servers such as web apps, web API apps or service/daemon apps
  • considered difficult for users or attackers to access, and therefore can adequately hold configuration-time secrets to assert proof of identity
  • the client ID is exposed through the web browser, but the secret is passed only in the back channel and is never directly exposed
14
Q

What is the recommended way to initialise an app with MSAL? What will we need to provide?

A
  • the app builders “PublicClientApplicationBuilder” and “ConfidentialClientApplicationBuilder”
  • the application (client) ID, directory (tenant) ID, authority, client credentials and any redirect URI
15
Q

What are common modifiers to public and confidential client apps?

A

.WithAuthority
.WithTenantId
.WithClientId
.WithRedirectUri
.WithComponent
.WithDebugLoggingCallback
.WithLogging
.WithTelemetry

16
Q

What are modifiers specific to confidential client apps?

A

.WithCertificate
.WithClientSecret