63296302

Date: 2020-08-07 07:27:54
Score: 4

Access tokens are acquired in the background and never expire unless the user logs out. Is there a way to log the user out after a certain period of time/inactivity?

You could change the token lifetime defaults with a TokenLifetimePolicy. For the full documentation, see here. Follow the answer to create and set the Token Lifetime Policy.

@azure/msal-angular uses the implicit grant flow, which receives user tokens in URL fragments, which seems not secure. Is auth code a better way to go about it?

Yes, the auth code flow is better. As the doc shows, "There are a few important security considerations to take into account when using the implicit flow specifically around client and user impersonation". The auth code flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens and ID tokens for the signed-in user. You could use the auth code flow with PKCE; this is the sample.

Reasons:
  • Blacklisted phrase (1): stackoverflow
  • Blacklisted phrase (1): Is there a way
  • Long answer (-0.5):
  • No code block (0.5):
  • Contains question mark (0.5):
  • User mentioned (1): @azure/msal-angular
  • Low reputation (0.5):
Posted by: Pamela Peng