MSAL 2.0 or AadHttpClient to connect SPFX Webpart to custom Web API hosted in a different tenant?

%3CLINGO-SUB%20id%3D%22lingo-sub-2144297%22%20slang%3D%22en-US%22%3EMSAL%202.0%20or%20AadHttpClient%20to%20connect%20Webpart%20to%20custom%20Web%20API%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2144297%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWonder%20if%20someone%20can%20help%20me.%20I%20want%20to%20connect%20my%20SPFX%20web%20part%20to%20a%20custom%20web%20API%20(being%20developed%20in%20.NET%205).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGiven%20the%20recent%20changes%20to%20browsers%20(third%20party%20cookies%20limitations)%2C%20it%20seems%20like%20the%20current%20recommendation%20is%20to%20use%20MSAL%202.0%26nbsp%3B%20(authorization%20code%20flow)%20to%20authenticate%20the%20user%20with%20the%20custom%20API.%20Unfortunately%2C%20the%20examples%20I%20could%20find%20from%20Microsoft%20seem%20to%20be%20using%20the%20AadHttpClient%20class%20which%2C%20as%20far%20as%20I%20know%2C%20uses%20the%20old%20ADAL%20library%20with%20the%20implicit%20flow%20(which%20will%20cause%20problems%20with%20browsers%20blocking%20third-party%20cookies).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20seems%20to%20be%20a%20lot%20of%20conflicting%20information%20out%20there%20on%20this%20subject.%20Some%20people%20seem%20to%20be%20suggesting%20that%20we%20should%20start%20to%20use%20authorization%20code%20flow%20as%20soon%20as%20possible%20(with%20MSAL%202.0)%20others%20(%20including%20Microsoft)%20seem%20to%20be%20recommending%20using%20the%20AadHttpClient%20class.%20Also%2C%20the%20examples%20that%20I%20could%20find%20using%20MSAL%202.0%20with%20SPFX%20seem%20to%20treat%20the%20SPFX%20as%20an%20SPA%20when%20in%20fact%20it%20isn't%20(what%20is%20the%20redirect%20URL%20in%20a%20SPFX%20application).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20hope%20the%20above%20makes%20sense.%20It%20would%20be%20great%20if%20I%20could%20get%20the%20community%20views%20on%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20in%20advance.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EHugo%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi,

 

Wonder if someone can help me. I want to connect my SPFX web part to a custom web API (being developed in .NET 5).

 

Given the recent changes to browsers (third party cookies limitations), it seems like the current recommendation is to use MSAL 2.0  (authorization code flow) to authenticate the user with the custom API. Unfortunately, the examples I could find from Microsoft seem to be using the AadHttpClient class which, as far as I know, uses the old ADAL library with the implicit flow (which will cause problems with browsers blocking third-party cookies).

 

There seems to be a lot of conflicting information out there on this subject. Some people seem to be suggesting that we should start to use authorization code flow as soon as possible (with MSAL 2.0) others ( including Microsoft) seem to be recommending using the AadHttpClient class. Also, the examples that I could find using MSAL 2.0 with SPFX seem to treat the SPFX as an SPA when in fact it isn't (what is the redirect URL in a SPFX application).

 

I hope the above makes sense. It would be great if I could get the community views on this.

 

Many thanks in advance.  

 

Regards,

Hugo

0 Replies