Add support for authentication using pop-up method instead of full redirect. about azure-activedirectory-library-for-js HOT 5 CLOSED

We have added the popUp support in 1.0.12. Set popUp: true in config to enable logging in using pop up. We will update our samples soon to reflect that.

from azure-activedirectory-library-for-js.

Can you provide an example of logging in using PopUp in Iframe for angular 2+?

from azure-activedirectory-library-for-js.

Today Azure AD does not allow the credential gathering UX to be hosted in an iFrame, for security reasons. This is very unlikely to change anytime soon, and without that ability it would be pretty hard to achieve a popup behavior. On mobile platforms, a top use case, popping out another browser window would also be impractical... about the placement of the id_token, that follows the oauth/openid connect specs and is meant to ensure that the token will be delivered to the user agent but not the server.

from azure-activedirectory-library-for-js.

Oh, I see. Thanks for quick response! I'll close this one then.

from azure-activedirectory-library-for-js.

Now that ADAL.js v1 is out and the ground work of getting implicit grant flow working is done and developers looking to use this authentication flow are unblocked is there any chance this issue would be re-opened for the next version? Or if not, maybe a timeline of when this would happen if ever?

I would guess for the next version of ADAL the main goal is to refine the library and make it as simple to integrate and use as possible. As seen in the explanation above, enabling the login page to be loaded in a separate frame can reduce the surface area of your library to one call which returns a promise and that is about as ideal as you can get. From my experience with twitter and facebook libraries, the mobile browsers automatically handle this scenario and will force the popup to be frameless so it appears naturally.

I'm not familiar with the security reasons for not allowing the login page to be in iframe. I thought it allows people to use the login page in ways that are non-uniform and malicious people could try to spoof the UI and trick users to enter credentials into a 'fake' login page with similar look at feel, but perhaps there are more serious reasons preventing this feature.

from azure-activedirectory-library-for-js.