Microsoft-authentication-library-for-js: Relogin without login

Hi,
I'm also facing this issue. What can we do to avoid the user having to login every hour?

As mentioned in issue #61 this library uses the preferred implicit flow. Which is according to Azure AD documentation the preferred way for SPA's.

@rohitnarula7176 @jmprieur It would be nice if one of you could answer the question. What do we have to do, that the user do not have to log in on every visit of the page? Is this not supported?

@VSDekar you will have to write additional code to periodically call acquireTokenSilent every one hour to make sure your session cookie does not expire in the browser.

@rohitnarula7176 ok thanks for your answer. It is so sad that this project does not listen to the community and what they need. This library works against me and not with me..., so I will switch over to Hello.js. Over there i can make a silent login even after 1 week. I don't know what they do, but apparently they do a much better job in listening to the users and what they need.

For others that come across this Issue:
You should consider to switch from MSAL to Hello.js. Here is a nice tutorial i have found:
https://medium.com/@mikko.vuorinen/aurelia-and-azure-ad-b2c-authentication-351fbe2de348

Sorry for the rant. But i have read so many issues here, and a lot of them are getting closed without a solution because this library "is written in a certain manner".

Cheers

@VSDekar I apologize for the misunderstanding. I believe the silent token renewal you are referring to in hello.js is not silent. You should see your webpage redirecting to the authorization endpoint and then back to your root page in any case. The only thing msal is doing different is adding prompt='select_account' which introduces an additional select account screen. The reason to add this is to allow the user the select an appropriate account and not just pick any account from the list of signed in accounts in the browser. If you have a valid session cookie, you can have a look at my explanation in the following issue to get the desired behavior, Instead of calling login, you will have to call acquireTokenSilent by passing a user object which will send prompt='none' and you wont't need to login again. https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/208

@VSDekar , I went into a confused path as well. In short, from what I understand, TokenCache in MSAL is the replacement/abstraction for refresh_token. You need to save TokenCache for later access. (acquireTokenSilent will require an IAccount as parameter which you would only get from a saved TokenCache)

Provided a bit more of my understanding here: https://stackoverflow.com/a/58482305/1578962

PS, what I mentioned above is for MSAL.NET (not for .JS). Can't confirm the behavior for .JS.

@AAATechGuy : I don't think that there is a refresh token in MSAL.js (which uses the implicit flow, which is a bit different from the other OAuth 2.0 flows)

What you saw applies to the other MSAL libraries (MSAL.NET, MSAL for iOS and Mac OS, MSAL Android, Python, Java), but I don't think it applies to .JS

cc: @negoe to confirm.

Yes @jmprieur, refresh token does not apply for implicit flow grant which is the current implementation for msal js as that was the recommended flow for SPAs when we started. We are extending the library to support auth-code flow in browsers as it is the new recommendation for SPAs in the upcoming months.