Ocean Authentication Library for JavaScript (OAL.js) for Browser-Based Single-Page Applications

![npm version](https://www.npmjs.com/package/@oatlas/oal-browser/)
![npm version](https://nodei.co/npm/@oatlas/oal-browser/)
![codecov](https://codecov.io/gh/OAtlas/ocean-authentication-library-for-js)

| Getting Started | AAD Docs | Library Reference |
| --------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |

1. About
1. FAQ
1. Changelog
1. Roadmap
1. Prerequisites
1. Installation
1. Usage
- Migrating from Previous OAL Versions
- OAL Basics
- Advanced Topics
1. Samples
1. Build and Test
1. Authorization Code vs Implicit
1. Framework Wrappers
1. Security Reporting
1. License
1. Code of Conduct

About

The OAL library for JavaScript enables client-side JavaScript applications to authenticate users using Azure AD work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Atlas B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.

The @oatlas/oal-browser package described by the code in this folder uses the @oatlas/oal-common package as a dependency to enable authentication in JavaScript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section below.

This is an improvement upon the previous @oatlas/OAL library which will utilize the authorization code flow in the browser. Most features available in the old library will be available in this one, but there are nuances to the authentication flow in both. The @oatlas/oal-browser package does NOT support the implicit flow.

FAQ

See here.

Roadmap

See here.

Prerequisites

- @oatlas/oal-browser is meant to be used in Single-Page Application scenarios.

- Before using @oatlas/oal-browser you will need to register a Single Page Application in Azure AD to get a valid clientId for configuration, and to register the routes that your app will accept redirect traffic on.

Installation

$3

``javascript npm install @oatlas/oal-browser`

`Usage`

`$3`

- Migrating from OAL v1.x to OAL v2.x - Migrating from OAL v2.x to OAL v3.x

`$3`

1. Initialization 2. Logging in a User 3. Acquiring and Using an Access Token 4. Managing Token Lifetimes 5. Managing Accounts 6. Logging Out a User

`$3`

- Configuration Options - Request and Response Details - Cache Storage - Performance Enhancements - Instance Aware Flow

`Samples`

The oal-browser-samples folder contains sample applications for our libraries.

More instructions to run the samples can be found in the README.md file of the VanillaJSTestApp2.0 folder.

More advanced samples backed with a tutorial can be found in the Azure Samples space on GitHub:

- JavaScript SPA calling Express.js web API - JavaScript SPA calling Microsoft Graph via Express.js web API using on-behalf-of flow - Deployment tutorial for Azure App Service and Azure Storage

We also provide samples for addin/plugin scenarios:

- Office Addin-in using OAL.js - Teams Tab using OAL.js - Chromium Extension using OAL.js

`Build and Test`

See the contributing.md file for more information.

`$3`

To build the @oatlas/oal-browser library, you can do the following:

`bash // Change to the oal-browser package directory cd lib/oal-browser/ // To run build only for browser package npm run build`

To build both the @oatlas/oal-browser library and @oatlas/oal-common libraries, you can do the following:

`bash // Change to the oal-browser package directory cd lib/oal-browser/ // To run build for both browser and common packages npm run build:all`

`$3`

@oatlas/oal-browser uses jest to run unit tests.

`bash // To run tests npm test // To run tests with code coverage npm run test:coverage`

`Implicit Flow vs Authorization Code Flow with PKCE`

@oatlas/oal-browser implements the OAuth 2.0 Authorization Code Flow with PKCE for browser-based applications. This is a significant improvement over the Implicit Flow that was used in @oatlas/OAL, OAL or adal-angular.

`$3`

The Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the current industry standard for securing OAuth 2.0 authorization in public clients, including single-page applications (SPAs). Key benefits include:

- Enhanced Security: PKCE provides protection against authorization code interception attacks - No Tokens in URLs: Tokens are never exposed in the browser's URL or history - Refresh Token Support: Enables long-lived sessions through refresh tokens - OIDC Compliance: Fully compliant with OpenID Connect standards

`$3`

The Implicit Flow was the previous standard for SPAs but has been deprecated due to security concerns:

- Tokens in URLs: Access tokens are returned in URL fragments, making them visible in browser history and server logs - No Refresh Tokens: Implicit flow cannot securely deliver refresh tokens to public clients - Increased Attack Surface: Tokens are more susceptible to token leakage attacks

`$3`

- @oatlas/oal-browser only supports Authorization Code Flow with PKCE- Implicit Flow is not supported - If you're migrating from@oatlas/OAL, OAL or adal-angular`, see our migration guide
- Your Azure AD app registration needs to be configured for the Authorization Code Flow
- Existing applications using Implicit Flow should migrate to Authorization Code Flow for improved security

For more technical details about these flows, refer to the Microsoft identity platform documentation.

Framework Wrappers

If you are using a framework such as Angular or React you may be interested in using one of our wrapper libraries:

- Angular: @oatlas/oal-angular v2
- React: @oatlas/oal-react

Security Reporting

If you find a security issue with our libraries or services please report it to secure@oceansln.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.

License

We Value and Adhere to the Microsoft Open Source Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@oceansln.com with any additional questions or comments.

Ocean Authentication Library for JavaScript (OAL.js) for Browser-Based Single-Page Applications

About

FAQ

See here.

Roadmap

See here.

Prerequisites

- @oatlas/oal-browser is meant to be used in Single-Page Application scenarios.

Installation

$3

``javascript npm install @oatlas/oal-browser`

`Usage`

`$3`

- Migrating from OAL v1.x to OAL v2.x - Migrating from OAL v2.x to OAL v3.x

`$3`

1. Initialization 2. Logging in a User 3. Acquiring and Using an Access Token 4. Managing Token Lifetimes 5. Managing Accounts 6. Logging Out a User

`$3`

- Configuration Options - Request and Response Details - Cache Storage - Performance Enhancements - Instance Aware Flow

`Samples`

The oal-browser-samples folder contains sample applications for our libraries.

More instructions to run the samples can be found in the README.md file of the VanillaJSTestApp2.0 folder.

More advanced samples backed with a tutorial can be found in the Azure Samples space on GitHub:

- JavaScript SPA calling Express.js web API - JavaScript SPA calling Microsoft Graph via Express.js web API using on-behalf-of flow - Deployment tutorial for Azure App Service and Azure Storage

We also provide samples for addin/plugin scenarios:

- Office Addin-in using OAL.js - Teams Tab using OAL.js - Chromium Extension using OAL.js

`Build and Test`

See the contributing.md file for more information.

`$3`

To build the @oatlas/oal-browser library, you can do the following:

`bash // Change to the oal-browser package directory cd lib/oal-browser/ // To run build only for browser package npm run build`

To build both the @oatlas/oal-browser library and @oatlas/oal-common libraries, you can do the following:

`bash // Change to the oal-browser package directory cd lib/oal-browser/ // To run build for both browser and common packages npm run build:all`

`$3`

@oatlas/oal-browser uses jest to run unit tests.

`bash // To run tests npm test // To run tests with code coverage npm run test:coverage`

`Implicit Flow vs Authorization Code Flow with PKCE`

`$3`

The Implicit Flow was the previous standard for SPAs but has been deprecated due to security concerns:

`$3`

For more technical details about these flows, refer to the Microsoft identity platform documentation.

Framework Wrappers

If you are using a framework such as Angular or React you may be interested in using one of our wrapper libraries:

- Angular: @oatlas/oal-angular v2
- React: @oatlas/oal-react

Security Reporting

License

We Value and Adhere to the Microsoft Open Source Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@oceansln.com with any additional questions or comments.