Update Authentication to use local storage and easy auth refresh (#1117)

mattgotteiner · Matt Gotteiner · web-flow · commit 0b8724ad761c · 2024-01-08T16:50:50.000-08:00
* switch to localstorage; add refresh

* run prettier

* fix tests

---------

Co-authored-by: Matt Gotteiner &lt;magottei@microsoft.com&gt;
diff --git a/app/backend/core/authentication.py b/app/backend/core/authentication.py
@@ -65,9 +65,11 @@ def get_auth_setup_for_client(self) -> dict[str, Any]:
                     "navigateToLoginRequestUrl": False,  # If "true", will navigate back to the original request location before processing the auth code response.
                 },
                 "cache": {
-                    "cacheLocation": "sessionStorage",
+                    # Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO between tabs.
+                    "cacheLocation": "localStorage",
+                    # Set this to "true" if you are having issues on IE11 or Edge
                     "storeAuthStateInCookie": False,
-                },  # Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO between tabs.  # Set this to "true" if you are having issues on IE11 or Edge
+                },
             },
             "loginRequest": {
                 # Scopes you add here will be prompted for user consent during sign-in.
diff --git a/app/frontend/src/authConfig.ts b/app/frontend/src/authConfig.ts
@@ -3,6 +3,7 @@
 import { IPublicClientApplication } from "@azure/msal-browser";
 
 const appServicesAuthTokenUrl = ".auth/me";
+const appServicesAuthTokenRefreshUrl = ".auth/refresh";
 const appServicesAuthLogoutUrl = ".auth/logout?post_logout_redirect_uri=/";
 
 interface AppServicesToken {
@@ -88,18 +89,24 @@ export const getRedirectUri = () => {
 // Get an access token if a user logged in using app services authentication
 // Returns null if the app doesn't support app services authentication
 const getAppServicesToken = (): Promise<AppServicesToken | null> => {
-    return fetch(appServicesAuthTokenUrl).then(r => {
+    return fetch(appServicesAuthTokenRefreshUrl).then(r => {
         if (r.ok) {
-            return r.json().then(json => {
-                if (json.length > 0) {
-                    return {
-                        id_token: json[0]["id_token"] as string,
-                        access_token: json[0]["access_token"] as string,
-                        user_claims: json[0]["user_claims"].reduce((acc: Record<string, any>, item: Record<string, any>) => {
-                            acc[item.typ] = item.val;
-                            return acc;
-                        }, {}) as Record<string, any>
-                    };
+            return fetch(appServicesAuthTokenUrl).then(r => {
+                if (r.ok) {
+                    return r.json().then(json => {
+                        if (json.length > 0) {
+                            return {
+                                id_token: json[0]["id_token"] as string,
+                                access_token: json[0]["access_token"] as string,
+                                user_claims: json[0]["user_claims"].reduce((acc: Record<string, any>, item: Record<string, any>) => {
+                                    acc[item.typ] = item.val;
+                                    return acc;
+                                }, {}) as Record<string, any>
+                            };
+                        }
+
+                        return null;
+                    });
                 }
 
                 return null;
diff --git a/tests/test_authenticationhelper.py b/tests/test_authenticationhelper.py
@@ -80,7 +80,7 @@ def test_auth_setup(mock_confidential_client_success):
                 "postLogoutRedirectUri": "/",
                 "navigateToLoginRequestUrl": False,
             },
-            "cache": {"cacheLocation": "sessionStorage", "storeAuthStateInCookie": False},
+            "cache": {"cacheLocation": "localStorage", "storeAuthStateInCookie": False},
         },
         "loginRequest": {
             "scopes": [".default"],
@@ -104,7 +104,7 @@ def test_auth_setup_required_access_control(mock_confidential_client_success):
                 "postLogoutRedirectUri": "/",
                 "navigateToLoginRequestUrl": False,
             },
-            "cache": {"cacheLocation": "sessionStorage", "storeAuthStateInCookie": False},
+            "cache": {"cacheLocation": "localStorage", "storeAuthStateInCookie": False},
         },
         "loginRequest": {
             "scopes": [".default"],
