I think adaljs should add support for authentication using a pop-up instead of a full redirect.
There are two major benefits to using this technique:
- Much easier for developers!
- Works with SPA frameworks.
Much easier for developers!
With the pop-up method more of the conceptual complexity can be abstracted into the adaljs library and the developer can have much easier time using the library. Adaljs currently does a full redirect and then in order to work with angularjs router there is a bunch of code like:
$rootScope.$on('$locationChangeStart', locationChangeHandler);
....
var locationChangeHandler = function () {
var hash = $window.location.hash;
if (_adal.isCallback(hash)) {
// callback can come from login or iframe request
var requestInfo = _adal.getRequestInfo(hash);
_adal.saveTokenFromHash(requestInfo);
....
This is watching the url and if it has a parameter of 'id_token' then it saves the tokens etc.. This logic is currently exposed to the framework such as AngularJS and would have to re-written for every framework which is the largest barrier to using adaljs. Now imagine you have to rewrite all of this for Ember, React, Knockout, etc... way too much overhead especially when people have to try to integrate into existing projects which may already have complex router configurations.
I hope in the future adaljs is modeled after other major JS OAuth SDK's such as Facebook or Google.
FB: http://connect.facebook.net/en_US/all.js
Google: https://apis.google.com/js/client.js?onload=googleApiLoaded
With pop-up style of authentication you can get rid of all url watching stuff in angular and have a simple call like:
FB.login(function(fbResponse) {
if (fbResponse.authResponse) {
Ember.run(function() {
resolve({ accessToken: fbResponse.authResponse.accessToken });
});
} else {
reject();
}
});
This encapsulates the entire login process in one asynchronous call! Yes, with pop-ups there is a the possibility that pop-ups maybe disabled, but the benefits out weigh this greatly. Especially if this is an option the developer can choose. Just realize what that means for ease of use! FB/Google SDK's handle setting up the window and watching that frame's url for change and closing then it has redirected. I assume this is extremely similar to how the Windows 8 WebAuthenticationBroker works.
Works with SPA frameworks.
The first point was more about how the pop-up can greatly simply needed code and reduce learning for developers, this second point is more about just explaining why the full redirect breaks other SPA frameworks and the pop-up solves the issue. Most SPA frameworks have a router which watches for changes in the hash which correlate to a route as seen in AngularJS. With the full redirect happens the router will attempt to navigate to route 'id_token' which won't exist and thus cause an error. It seems that AAD is always putting the id_token in the hash portion of the url such as adal.html#id_token=eyJ0eXAiOiJKV1Qi...
when I would expect it to be able to control this and put it in the search portion of the url such as adal.html?id_token=eyJ0eXAiOiJKV1Qi....
Even if I change the line:
str.push('redirect_uri=' + encodeURIComponent(obj.redirectUri) + '%3F');
I assumed it would append the id_token=asdfasdf to the ? but it still overrides and uses hash. I assume this is because the hash portion of the url can be changed without page refresh, but perhaps someone can clarify if this is infact customizable by the adaljs request to AAD.