| title | description | services | documentationcenter | author | manager | editor | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
include file |
include file |
active-directory |
dev-center-name |
navyasric |
CelesteDG |
active-directory |
na |
include |
na |
identity |
09/17/2018 |
nacanuma |
include file |
-
Add the following code to your
index.htmlfile within the<script></script>tags:var msalConfig = { auth: { clientId: "Enter_the_Application_Id_here" authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here" }, cache: { cacheLocation: "localStorage", storeAuthStateInCookie: true } }; var graphConfig = { graphMeEndpoint: "https://graph.microsoft.com/v1.0/me" }; // this can be used for login or token request, however in more complex situations // this can have diverging options var requestObj = { scopes: ["user.read"] }; var myMSALObj = new Msal.UserAgentApplication(msalConfig); // Register Callbacks for redirect flow myMSALObj.handleRedirectCallback(authRedirectCallBack); function signIn() { myMSALObj.loginPopup(requestObj).then(function (loginResponse) { //Login Success showWelcomeMessage(); acquireTokenPopupAndCallMSGraph(); }).catch(function (error) { console.log(error); }); } function acquireTokenPopupAndCallMSGraph() { //Always start with acquireTokenSilent to obtain a token in the signed in user from cache myMSALObj.acquireTokenSilent(requestObj).then(function (tokenResponse) { callMSGraph(graphConfig.graphMeEndpoint, tokenResponse.accessToken, graphAPICallback); }).catch(function (error) { console.log(error); // Upon acquireTokenSilent failure (due to consent or interaction or login required ONLY) // Call acquireTokenPopup(popup window) if (requiresInteraction(error.errorCode)) { myMSALObj.acquireTokenPopup(requestObj).then(function (tokenResponse) { callMSGraph(graphConfig.graphMeEndpoint, tokenResponse.accessToken, graphAPICallback); }).catch(function (error) { console.log(error); }); } }); } function graphAPICallback(data) { document.getElementById("json").innerHTML = JSON.stringify(data, null, 2); } function showWelcomeMessage() { var divWelcome = document.getElementById('WelcomeMessage'); divWelcome.innerHTML = 'Welcome ' + myMSALObj.getAccount().userName + "to Microsoft Graph API"; var loginbutton = document.getElementById('SignIn'); loginbutton.innerHTML = 'Sign Out'; loginbutton.setAttribute('onclick', 'signOut();'); } //This function can be removed if you do not need to support IE function acquireTokenRedirectAndCallMSGraph() { //Always start with acquireTokenSilent to obtain a token in the signed in user from cache myMSALObj.acquireTokenSilent(requestObj).then(function (tokenResponse) { callMSGraph(graphConfig.graphMeEndpoint, tokenResponse.accessToken, graphAPICallback); }).catch(function (error) { console.log(error); // Upon acquireTokenSilent failure (due to consent or interaction or login required ONLY) // Call acquireTokenRedirect if (requiresInteraction(error.errorCode)) { myMSALObj.acquireTokenRedirect(requestObj); } }); } function authRedirectCallBack(error, response) { if (error) { console.log(error); } else { if (response.tokenType === "access_token") { callMSGraph(graphConfig.graphEndpoint, response.accessToken, graphAPICallback); } else { console.log("token type is:" + response.tokenType); } } } function requiresInteraction(errorCode) { if (!errorCode || !errorCode.length) { return false; } return errorCode === "consent_required" || errorCode === "interaction_required" || errorCode === "login_required"; } // Browser check variables var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); var msie11 = ua.indexOf('Trident/'); var msedge = ua.indexOf('Edge/'); var isIE = msie > 0 || msie11 > 0; var isEdge = msedge > 0; //If you support IE, our recommendation is that you sign-in using Redirect APIs //If you as a developer are testing using Edge InPrivate mode, please add "isEdge" to the if check // can change this to default an experience outside browser use var loginType = isIE ? "REDIRECT" : "POPUP"; if (loginType === 'POPUP') { if (myMSALObj.getAccount()) {// avoid duplicate code execution on page load in case of iframe and popup window. showWelcomeMessage(); acquireTokenPopupAndCallMSGraph(); } } else if (loginType === 'REDIRECT') { document.getElementById("SignIn").onclick = function () { myMSALObj.loginRedirect(requestObj); }; if (myMSALObj.getAccount() && !myMSALObj.isCallback(window.location.hash)) {// avoid duplicate code execution on page load in case of iframe and popup window. showWelcomeMessage(); acquireTokenRedirectAndCallMSGraph(); } } else { console.error('Please set a valid login type'); }
After a user clicks the Sign In button for the first time, the signIn method calls loginPopup to sign in the user. This method results in opening a popup window with the Microsoft identity platform endpoint to prompt and validate the user's credentials. As a result of a successful sign-in, the user is redirected back to the original index.html page, and a token is received, processed by msal.js and the information contained in the token is cached. This token is known as the ID token and contains basic information about the user, such as the user display name. If you plan to use any data provided by this token for any purposes, you need to make sure this token is validated by your backend server to guarantee that the token was issued to a valid user for your application.
The SPA generated by this guide calls acquireTokenSilent and/or acquireTokenPopup to acquire an access token used to query the Microsoft Graph API for user profile info. If you need a sample that validates the ID token, take a look at this sample application in GitHub – the sample uses an ASP.NET Web API for token validation.
After the initial sign-in, you do not want to ask users to reauthenticate every time they need to request a token to access a resource – so acquireTokenSilent should be used most of the time to acquire tokens. There are situations however that you need to force users to interact with Microsoft identity platform endpoint – some examples include:
- Users may need to reenter their credentials because the password has expired
- Your application is requesting access to a resource that the user needs to consent to
- Two factor authentication is required
Calling the acquireTokenPopup results in a popup window (or acquireTokenRedirect results in redirecting users to the Microsoft identity platform endpoint) where users need to interact by either confirming their credentials, giving the consent to the required resource, or completing the two factor authentication.
The acquireTokenSilent method handles token acquisitions and renewal without any user interaction. After loginPopup (or loginRedirect) is executed for the first time, acquireTokenSilent is the method commonly used to obtain tokens used to access protected resources for subsequent calls - as calls to request or renew tokens are made silently.
acquireTokenSilent may fail in some cases – for example, the user's password has expired. Your application can handle this exception in two ways:
-
Make a call to
acquireTokenPopupimmediately, which results in prompting the user to sign in. This pattern is commonly used in online applications where there is no unauthenticated content in the application available to the user. The sample generated by this guided setup uses this pattern. -
Applications can also make a visual indication to the user that an interactive sign-in is required, so the user can select the right time to sign in, or the application can retry
acquireTokenSilentat a later time. This is commonly used when the user can use other functionality of the application without being disrupted - for example, there is unauthenticated content available in the application. In this case, the user can decide when they want to sign in to access the protected resource, or to refresh the outdated information.
Note
This quickstart uses the loginRedirect and acquireTokenRedirect methods when the browser used is Internet Explorer due to a known issue related to handling of popup windows by Internet Explorer browser.
Add the following code to your index.html file within the <script></script> tags:
function callMSGraph(theUrl, accessToken, callback) {
var xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function () {
if (this.readyState == 4 && this.status == 200)
callback(JSON.parse(this.responseText));
}
xmlHttp.open("GET", theUrl, true); // true for asynchronous
xmlHttp.setRequestHeader('Authorization', 'Bearer ' + accessToken);
xmlHttp.send();
}In the sample application created by this guide, the callMSGraph() method is used to make an HTTP GET request against a protected resource that requires a token and then return the content to the caller. This method adds the acquired token in the HTTP Authorization header. For the sample application created by this guide, the resource is the Microsoft Graph API me endpoint – which displays the user's profile information.
Add the following code to your index.html file within the <script></script> tags:
/**
* Sign out the user
*/
function signOut() {
myMSALObj.logout();
}