Does MSAL Use PKCE Flow for React-based Outlook Add-ins?

Suraj Sinha 5 Reputation points
2024-12-24T10:15:32.8166667+00:00

Hi Microsoft Community,

I’m developing a React.js-based Outlook add-in and am using the MSAL library for implementing OAuth 2.0. The add-in interacts with the Microsoft Graph API after getting an access token from MSAL.js.

While configuring the authentication, I want to ensure that the implementation follows the most secure flow, specifically the Authorization Code Flow with PKCE.

Queries:

  1. Does MSAL (e.g., msal-browser) implement PKCE by default when using the authorization code flow in a React-based add-in?
  2. Are there any additional configurations required in the Azure AD app registration (e.g., enabling PKCE or specific redirect URI formats) to ensure that PKCE is used within the context of an Outlook Add-in?

I’ve referred to the MSAL documentation linked below and understand that PKCE is generally recommended for SPAs, but I’d like clarification on how it integrates specifically with Outlook Add-ins.

( https://learn.microsoft.com/en-us/entra/identity-platform/msal-authentication-flows )

( https://learn.microsoft.com/en-us/entra/identity-platform/scenario-spa-app-registration )
