MSAL
The Microsoft Authentication Library (MSAL) is a helper library that enables developers to acquire security tokens from the Microsoft identity platform. It can be used to provide secure access to:
- Graph and other Microsoft APIs
- Third-party web APIs
- Your own web API
MSAL provides a consistent API with many ways to get tokens. It provides the following benefits:
- Saves you from reimplementing OAuth or using OAuth libraries
- Supports both user and app restricted flows
- Performs token management for you
- Actionable exceptions and solid logging help with debugging
Lang/arch support
| Library | Supported platforms and frameworks |
|---|---|
| MSAL for Android | Android |
| MSAL Angular | Single-page apps with Angular and Angular.js frameworks |
| MSAL for iOS and macOS | iOS and macOS |
| MSAL Go (Preview) | Windows, macOS, Linux |
| MSAL Java | Windows, macOS, Linux |
| MSAL.js | JavaScript/TypeScript frameworks such as Vue.js, Ember.js, or Durandal.js |
| MSAL.NET | .NET Framework, .NET, .NET MAUI, WINUI, Xamarin Android, Xamarin iOS, Universal Windows Platform |
| MSAL Node | Web apps with Express, desktop apps with Electron, Cross-platform console apps |
| MSAL Python | Windows, macOS, Linux |
| MSAL React | Single-page apps with React and React-based libraries (Next.js, Gatsby.js) |
Auth flow support
| Authentication flow | Enables | Supported application types |
|---|---|---|
| Authorization code | User sign-in and access to web APIs on behalf of the user. | Desktop, Mobile, Single-page app (SPA) (requires PKCE), Web |
| Client credentials | Access to web APIs by using the identity of the application itself. Typically used for server-to-server communication and automated scripts requiring no user interaction. | Daemon |
| Device code | User sign-in and access to web APIs on behalf of the user on input-constrained devices like smart TVs and IoT devices. Also used by command line interface (CLI) applications. | Desktop, Mobile |
| Implicit grant | User sign-in and access to web APIs on behalf of the user. The implicit grant flow is no longer recommended - use authorization code with PKCE instead. | Single-page app (SPA), Web |
| On-behalf-of (OBO) | Access from an "upstream" web API to a "downstream" web API on behalf of the user. The user's identity and delegated permissions are passed through to the downstream API from the upstream API. | Web API |
| Username/password (ROPC) | Allows an application to sign in the user by directly handling their password. The ROPC flow is NOT recommended. | Desktop, Mobile |
| Integrated Windows authentication (IWA) | Allows applications on domain or Microsoft Entra joined computers to acquire a token silently (without any UI interaction from the user). | Desktop, Mobile |
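The two flows below are an added example (not code from the original page or from Microsoft's samples) showing how two rows of the table look in MSAL.NET: the device code flow for a public client and the on-behalf-of flow for a confidential web API. `CLIENT_ID`, `TENANT_ID`, `CLIENT_SECRET`, the incoming bearer token and the scopes are assumed placeholders.

```csharp
// Added example, not code from the original page or from Microsoft's samples.
// Assumed placeholders: CLIENT_ID, TENANT_ID, CLIENT_SECRET and the incoming
// bearer token are hypothetical values to be replaced with your app registration.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class FlowExamples
{
    // Device code flow for a public client (CLI / input-constrained device).
    // Tries the token cache first so the user is only prompted when required.
    public static async Task<AuthenticationResult> SignInWithDeviceCodeAsync(
        string clientId, string[] scopes)
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations")
            .Build();

        IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cached token is unusable (expired, revoked, consent changed):
                // fall through to the interactive device code prompt.
            }
        }

        return await pca.AcquireTokenWithDeviceCode(scopes, deviceCode =>
        {
            // Message tells the user which URL to open and which code to enter.
            Console.WriteLine(deviceCode.Message);
            return Task.CompletedTask;
        }).ExecuteAsync();
    }

    // On-behalf-of flow for a confidential client: an upstream web API exchanges
    // the caller's token for a downstream token that keeps the user's identity.
    public static async Task<AuthenticationResult> AcquireDownstreamTokenAsync(
        string clientId, string tenantId, string clientSecret,
        string incomingBearerToken, string[] downstreamScopes)
    {
        IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        // The incoming token (already validated by the API's auth middleware)
        // becomes the user assertion sent with the OBO grant.
        var assertion = new UserAssertion(incomingBearerToken);
        return await cca.AcquireTokenOnBehalfOf(downstreamScopes, assertion)
            .ExecuteAsync();
    }

    public static async Task Main()
    {
        string[] graphScopes = { "User.Read" };
        AuthenticationResult result =
            await SignInWithDeviceCodeAsync("CLIENT_ID", graphScopes);

        // Log metadata only; never write the access token itself to a log.
        Console.WriteLine($"Signed in as {result.Account.Username}, " +
                          $"token expires {result.ExpiresOn:u}");
    }
}
```

The silent-then-interactive pattern matters for defenders as much as for usability: it keeps MSAL's cache as the single place tokens live, and the `MsalUiRequiredException` catch is the only point where a new user prompt is allowed. In the OBO method the incoming token is never used as a bearer credential by the API itself; it is only presented as the assertion for the exchange, so the downstream token stays scoped to the original user.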
Public/confidential clients
Public
Application runs on devices: desktops, mobile, browser. Can't be trusted because the source code is readable/disassemblable. Can't have client secrets.
Confidential
Application runs on services: web apps, web API apps, services/daemons. Source is not readable/disassemblable at runtime. Can hold configuration-time client secrets to prove identity.
In code
In order to get started with MSAL, you will need to have registered your app with the Microsoft identity platform. You might then need any of the following information, which can be found in the portal:
- Application ID (client ID)
- Directory ID (tenant ID)
- Authority (provider URL + sign-in audience)
- Credentials (confidential clients only): client secret or X509Certificate2
- Redirect URI: the response route for the security token
You can instantiate a public or confidential client using the MSAL library.
```csharp
using Microsoft.Identity.Client;

// public client: no secret, runs on the user's device
var publicApp = PublicClientApplicationBuilder
    .Create(clientId)
    .Build();

// confidential client: runs on a service; before acquiring tokens it also needs
// a credential via .WithClientSecret or .WithCertificate (see modifiers below)
var confidentialApp = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithRedirectUri(redirectUri)
    .Build();
```
Builders use .With modifier methods during construction.
| Modifier | Description |
|---|---|
| .WithAuthority() | Sets the application default authority to a Microsoft Entra authority, with the possibility of choosing the Azure Cloud, the audience, the tenant (tenant ID or domain name), or providing directly the authority URI. |
| .WithTenantId(string tenantId) | Overrides the tenant ID, or the tenant description. |
| .WithClientId(string) | Overrides the client ID. |
| .WithRedirectUri(string redirectUri) | Overrides the default redirect URI. This is useful for scenarios requiring a broker. |
| .WithComponent(string) | Sets the name of the library using MSAL.NET (for telemetry reasons). |
| .WithDebugLoggingCallback() | If called, the application calls Debug.Write, simply enabling debugging traces. |
| .WithLogging() | If called, the application calls a callback with debugging traces. |
| .WithTelemetry(TelemetryCallback telemetryCallback) | Sets the delegate used to send telemetry. |
Some modifiers are specific to confidential clients, like .WithCertificate and .WithClientSecret. Additionally, these two modifiers are mutually exclusive: calling both throws a meaningful exception.
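As an added example (not code from the original page or from Microsoft's samples), the program below builds a confidential client with several of the modifiers from the table, prefers a certificate over a shared secret while applying only one of the two, shows the mutual-exclusion check from the last paragraph, and then uses the client-credentials flow from the public/confidential section above. `CLIENT_ID`, `TENANT_ID`, `CERT_THUMBPRINT`, `CLIENT_SECRET` and the redirect URI are assumed placeholders.

```csharp
// Added example, not code from the original page or from Microsoft's samples.
// Assumed placeholders: CLIENT_ID, TENANT_ID, CERT_THUMBPRINT and CLIENT_SECRET
// are hypothetical values; the redirect URI is an assumed local route.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class BuilderExamples
{
    // Loads the app's certificate from the current user's store by thumbprint.
    // Returns null when it is not installed so the caller can fall back.
    public static X509Certificate2 FindCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: true);
        return matches.Count > 0 ? matches[0] : null;
    }

    // Builds a confidential client with the modifiers from the table above.
    // Exactly one credential modifier is applied: a certificate when available,
    // otherwise a client secret.
    public static IConfidentialClientApplication BuildConfidentialClient(
        string clientId, string tenantId, X509Certificate2 certificate, string clientSecret)
    {
        var builder = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithRedirectUri("https://localhost:5001/signin-oidc")
            .WithLogging(
                (level, message, containsPii) =>
                {
                    // Keep PII-bearing lines out of shared log sinks.
                    if (!containsPii) Console.WriteLine($"[MSAL {level}] {message}");
                },
                LogLevel.Info,
                enablePiiLogging: false);

        builder = certificate != null
            ? builder.WithCertificate(certificate)
            : builder.WithClientSecret(clientSecret);

        return builder.Build();
    }

    // Shows the mutual-exclusion rule: supplying both a certificate and a secret
    // is rejected with an MsalClientException rather than silently picking one.
    public static bool BothCredentialsAreRejected(
        string clientId, X509Certificate2 certificate, string clientSecret)
    {
        try
        {
            ConfidentialClientApplicationBuilder
                .Create(clientId)
                .WithCertificate(certificate)
                .WithClientSecret(clientSecret)
                .Build();
            return false;
        }
        catch (MsalClientException ex)
        {
            Console.WriteLine($"Rejected: {ex.ErrorCode}");
            return true;
        }
    }

    public static async Task Main()
    {
        X509Certificate2 cert = FindCertificate("CERT_THUMBPRINT");
        IConfidentialClientApplication cca =
            BuildConfidentialClient("CLIENT_ID", "TENANT_ID", cert, "CLIENT_SECRET");

        // Client credentials flow: the app's own identity. ".default" requests the
        // application permissions already consented for the resource.
        AuthenticationResult result = await cca
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        // Log metadata only; the access token itself never goes to a log.
        Console.WriteLine($"App token expires {result.ExpiresOn:u}");
    }
}
```

Two design choices are worth noting. The logging callback drops any line MSAL flags as containing PII and `enablePiiLogging` stays false, so the trace that helps with debugging cannot leak account identifiers into a shared sink. The credential selection is a single ternary rather than two sequential `.With` calls, which is exactly what keeps the builder from ever seeing both a certificate and a secret.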