Azure B2C - Maintain a login session and manage access tokens in a SPA (React)

Sharat Menon 1 Reputation point
2020-11-09T04:20:16.07+00:00

Hi

1) We are using Azure B2C to manage external users sign in, sign up, password reset, MFA for a Single page app . Currently we are using MSAL 2.2.0 (tried 2.4.1 as well) to login the user using the msal.loginredirect flow.

Once the user is logged in , we use the msal.getAllAccounts(); call to check if the user is logged in. Every time we refresh a page or navigate from one route to another the msal.getAllAccounts() return no accounts. If there are no accounts we cannot make the acquireTokenSilent call and have to make the login redirect call which is not a good solution.

How do we use the acquireTokenSilent flow without an account object ?

(I am using a custom policy in our use case and have defined session type/timeouts and token lifetimes in the sign in/sign up relying party file)

2) We are also using access tokens based on a scope defined on the API registration in B2C. Every time we make an API call we look for an access token with
the below request "msal.acquireTokenSilent(silentTokenRequest )", if the silent call fails we make a msal.loginredirect request again and look for the account needed for the silent call.

Is this the right way of handling access tokens as well ?

export const silentTokenRequest = {
scopes: ["https://abcd.onmicrosoft.com/api/data.write"],
account: null,
redirectUri: msalConfig.redirectUri,
forceRefresh: false
}

Thanks!
Sharat

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,917 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,461 Reputation points
    2020-11-09T19:32:12.647+00:00
    1. Configure MSAL to use localStorage instead of sessionStorage.
    2. Usually you would call one of the acquireToken variants if the error is an instance of InteractionRequiredAuthError. Please take a look to Acquiring an Access Token.

    Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.