Is it safe to get user token from Microsoft Graph API in front-end

So basically, I am checking whether it is safe to expose the client ID and to make API calls such as fetching user tokens and info from the front-end. I followed the documentation provided by Microsoft showing that I have the ability to choose single-page application as a platform, and I went with it. Now, after realizing that this could lead to exposing the token, I am considering changing the implementation.

Solution 1:[1]

Since the user has to be present in order for your application to get a token, it is considered safe. All that could happen is that the user is able to get their own access token, which isn't a problem since they have access to all their own data anyway.

Previously the Implicit Flow was used to do this, but now the Auth Code Flow is used in MSAL 2.x, so if you are using the MSAL library to do your auth, you are likely already using this new flow.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Chris Johnson