
We're working on moving some apps from Razor Pages to React, and we'd like to use Microsoft Identity Platform for authentication via MSAL.

Some of these apps are multi-tenant, and we want to be able to validate that a given tenant is set up and authorized when a user logs in. Today, we do that in .NET via the OnTokenValidated event by pulling the email domain or tenant ID from the token claims and comparing it to our app's list of authorized tenants in our databases.

In MSAL, I'm not entirely clear how to accomplish that. The MS docs say, "If you allow multi-tenant authentication, and you do not wish to allow all Microsoft account users to use your application, you must provide your own method of filtering the token issuers to only those tenants who are allowed to login" (in https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/multi-tenant.md#multi-tenant).

Where in the React login or token acquisition process can I inspect the claims in order to perform this filtering? How are others handling these kinds of checks with MSAL on a SPA front-end framework like React?

Josh Anderson
  • In my opinion what you want to do is unsafe; you should not be doing the multi-tenant filter in React unless you are doing SSR. The frontend should be treated as a hostile environment. Just imagine someone using MiTM software such as Burp Suite, where you can capture the MSAL response and change the tenant, or just find the filtering method in the app.js file and alter it or remove it completely. This should be done by the backend. – Luke Celitan Apr 27 '22 at 19:59
  • It is done in the backend as well. The flow expected here is to conduct the login on the front-end via MSAL, then connect to a BFF API which will also get the token and validate access. There would be no way to circumvent the back-end auth since it's also plugged into the MS Identity Platform. But your point is valid - we could (probably should) simply push that validation process to the back-end and use the response to drive the UI feedback to the user. – Josh Anderson Apr 27 '22 at 20:54
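
Following the approach the comments settle on (validate in the back-end and let the response drive the UI), here is an added example that is not part of the original thread: a tenant allow-list check a Node-based BFF could run on token claims. It assumes v2.0 tokens and that signature, audience and expiry were already verified by a JWT library; `checkTenant`, `toHttpStatus` and the tenant IDs are hypothetical names and constructed values.

```javascript
// Added example: server-side tenant allow-list check for a BFF API.
// Assumption: `claims` come from a token whose signature, audience and expiry
// were already verified by a JWT library against the identity provider's keys.

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Constructed sample tenant IDs; in practice load these from the app's database.
const AUTHORIZED_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111",
  "22222222-2222-2222-2222-222222222222",
]);

function checkTenant(claims, authorized = AUTHORIZED_TENANTS) {
  const tid = typeof claims?.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!GUID.test(tid)) {
    return { ok: false, reason: "missing_or_malformed_tid" };
  }

  // A v2.0 token names its tenant in the issuer as well; the two must agree,
  // otherwise the tid claim cannot be trusted as the issuing tenant.
  const expectedIss = `https://login.microsoftonline.com/${tid}/v2.0`;
  if (claims.iss !== expectedIss) {
    return { ok: false, reason: "issuer_tenant_mismatch" };
  }

  if (!authorized.has(tid)) {
    return { ok: false, reason: "tenant_not_authorized" };
  }
  return { ok: true, tenantId: tid };
}

// Maps the result to an HTTP status the SPA can use for user feedback.
function toHttpStatus(result) {
  return result.ok ? 200 : 403;
}
```

The SPA can call an endpoint backed by this check right after login and show the "tenant not set up" message on a 403, so the decision itself never runs in the browser.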

0 Answers