MSAL Node or MSAL Browser?

[richban]

I am building a browser-based Single Page Application which is served through a Node.js (Express) web-server. I want the users to be able to sign in and the Web API A making calls to Web API B on behalves the user. For this use case I believe the OAuth 2.0 On-Behalf-Of flow is the proper protocol.

My question is whether I can use just the MSAL Node library or I need to use the MSAL Browser library to deal with the user authentication.

[richban]

with Node my idea would be: I would store the ID Token in a cookie and do the silent login using this cookie to access that account from the cache. Is this a recommended approach?

[derisen]

@richban apologies for delay! Ok, it sounds like you are conflating "web apps" and "single-page apps": both are served by a web server, but web apps perform most application logic on a web server, whereas in SPAs app logic runs on a browser. Because of this, web apps are called confidential client apps (i.e. they can hold data confidentially) in Azure AD jargon, whereas SPAs are called public client apps (as the app is exposed to public).

As you recognized, there is no need to couple a web app with a backend web api, because it already has a backend! So yeah, your scenario here is just a web app (a confidential client app) calling a web API (like your own or like MS Graph), using auth code flow. Check out this sample for a basic web app getting tokens for a web api, and this sample for a more realistic approach.

[richban]

@derisen thanks again for the clarification!

I am still hesitant which approach is the most optimal for my use case - sign in users and show some data. All I need is to obtain an Access Token and make fetch request to a Resource.

If I take the msal-node route my app will be confidential however I would need to implement a custom cache mechanism. On the other hand if I would chose the msal-browser route I would have the cache but my app is exposed to public.

Do I envision this trade off correctly?

[derisen]

@richban that sounds about right! Of course, MSAL follows best practices for securing SPAs, but in principle a confidential client app is deemed more secure at the end of the day. Eventually this is a decision you have to make. Its also important to consider the nature of the data that the users will be accessing in your scenario. Are they accessing their profile, for instance? Or, are they allowed to make some change that affects the whole tenant? These would affect your decision.

[richban]

@derisen thank you again, really appreciate it! Definitely learned a lot from these discussions.

[derisen]

@richban cheers!

[diberry]

@diberry notes to self for later