I updated to @azure/msal-angular v2 from v1, and I cannot figure out how to configure it to send an access token to my backend hosted on the same domain.

So when my frontend makes a request to /api/foo then the MsalInterceptor should attach my access token in the version 2 format - not version 1.

This makes it send a version 1 access token:

const msalInterceptorConfig: MsalInterceptorConfiguration = {
  interactionType: InteractionType.Redirect,
  protectedResourceMap: new Map([
    ['/', ['openid']],
  ]),
};

I have managed to "trick" it by adding:

const msalInterceptorConfig: MsalInterceptorConfiguration = {
  interactionType: InteractionType.Redirect,
  protectedResourceMap: new Map([
    ['/', [`api://${clientId}/access_as_user`]],
  ]),
};

But then AzureAD starts complaining:

AADSTS90009: Application is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier

So that's not an option. How do I make MsalInterceptor send a version 2 access token to /?

Snæbjørn

1 Answer

I don't know if this is the correct way or even intended behaviour. But the following config sends a v2 access token to my backend:

const msalInterceptorConfig: MsalInterceptorConfiguration = {
  interactionType: InteractionType.Redirect,
  protectedResourceMap: new Map([
    ['/', [`${clientId}/openid`]],
  ]),
};
Snæbjørn
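Added example, not part of the original question or answer: a small diagnostic for checking which token format the interceptor actually attached, by reading the `ver`, `iss` and `aud` claims of the bearer token. The function names, the placeholder tenant and client IDs, and the sample tokens are constructed for illustration; the check assumes the backend expects `aud` to equal the application (client) ID GUID, as v2.0 tokens carry it.

```typescript
// Added example: diagnostic only. It decodes claims WITHOUT verifying the
// signature, so never use it to authorize a request.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function b64urlDecode(s: string): string {
  let bits = 0, n = 0, out = "";
  for (let i = 0; i < s.length && s.charAt(i) !== "="; i++) {
    const v = B64.indexOf(s.charAt(i));
    if (v < 0) throw new Error("not base64url");
    bits = ((bits << 6) | v) & 0xffff; n += 6;
    if (n >= 8) { n -= 8; out += String.fromCharCode((bits >> n) & 0xff); }
  }
  return out; // bytes as Latin-1; enough for the ASCII claims read below
}

function b64urlEncode(s: string): string { // used only to build the samples
  let bits = 0, n = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    bits = ((bits << 8) | s.charCodeAt(i)) & 0xffff; n += 8;
    while (n >= 6) { n -= 6; out += B64.charAt((bits >> n) & 63); }
  }
  return n > 0 ? out + B64.charAt((bits << (6 - n)) & 63) : out;
}

interface TokenReport { ver: string; aud: string; issuerIsV2: boolean; audIsClientId: boolean; }
// clientId: the API's application (client) ID GUID from the app registration.
function inspectAccessToken(jwt: string, clientId: string): TokenReport {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const c = JSON.parse(b64urlDecode(parts[1] || ""));
  const iss = String(c.iss);
  return {
    ver: String(c.ver), aud: String(c.aud),
    issuerIsV2: /^https:\/\/login\.microsoftonline\.com\/[^\/]+\/v2\.0$/.test(iss),
    audIsClientId: c.aud === clientId,
  };
}

// Constructed, unsigned sample tokens (placeholder tenant and client IDs).
const SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111";
const SAMPLE_TENANT = "22222222-2222-2222-2222-222222222222";
function sampleToken(claims: object): string {
  const header = b64urlEncode(JSON.stringify({ typ: "JWT", alg: "RS256" }));
  return header + "." + b64urlEncode(JSON.stringify(claims)) + ".constructed";
}
const V1_SAMPLE = sampleToken({ ver: "1.0", aud: "api://" + SAMPLE_CLIENT_ID,
  iss: "https://sts.windows.net/" + SAMPLE_TENANT + "/" });
const V2_SAMPLE = sampleToken({ ver: "2.0", aud: SAMPLE_CLIENT_ID,
  iss: "https://login.microsoftonline.com/" + SAMPLE_TENANT + "/v2.0" });
```

Paste the `Authorization: Bearer` value from the browser's network tab into `inspectAccessToken` to see which format was sent; the backend still has to validate signature, issuer and audience with a proper JWT library.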