
Question: difference between `remix-auth-microsoft` vs `msal-node`

Open cliffordfajardo opened this issue 2 years ago • 3 comments

Hey @juhanakristian, was curious if remix-auth-microsoft serves the same purpose as the msal-node package (microsoft authentication library)?

Thanks!

Aug 19 '22 02:08 cliffordfajardo

They have different advantages, and you do not need both. Using remix-auth lets you quickly handle things like storing your login session and page redirections. But it currently doesn't handle the full diversity of Microsoft login options, such as Azure B2C or government clouds. It also assumes you're using Authorization Code flow. If you need the additional options in msal-node, you might not need remix-auth at all, or you might want a different strategy designed to work with it.

Aug 26 '22 18:08 jabberwik

I am using B2C and have login working in remix via msal-react. Now I need to figure out how to get bearer tokens to the loader functions for our protected API. I was thinking about looking into remix-auth but it sounds like it won't handle B2C? Can you recommend a good resource I could look at to understand what I should do to incorporate B2C into a remix app? Thanks!

Sep 01 '22 20:09 bluefirepatrick

The msal-react library is designed for SPA applications, and Remix does not create SPA applications. While you will be able to get those bearer tokens to API routes (reading them off of request.headers.get("Authorization")), you won't have them for page navigations. You might be able to use remix-auth-oauth2, but I haven't tried this with B2C.

It's also worth noting that Azure B2C does not support the on-behalf-of flow, which sounds like what you're trying to do. The workaround is to have your Remix app separately authenticate to your protected API (using client credentials and the msal-node library), and to be very careful with your authorization logic.

Sep 01 '22 22:09 jabberwik
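
The workaround from the last comment, as an added example that is not part of the thread or of either library: the server calls the protected API with an app-only token, so the per-user authorization check has to live in the loader. The names `makeOrderLoader`, `getUser`, `getAppToken`, `fetchImpl`, `API_BASE`, the `/orders` route and the `ownerId`/`roles` fields are assumptions, and the token and fetch calls are stubbed so the block runs offline.

```javascript
// Added example; every name here is hypothetical, not from the thread.
// In a real app getAppToken would wrap msal-node's client credentials call:
//   const cca = new ConfidentialClientApplication({ auth: { clientId, authority, clientSecret } });
//   const getAppToken = async () =>
//     (await cca.acquireTokenByClientCredential({ scopes: [API_SCOPE] })).accessToken;
const API_BASE = "https://api.example.invalid"; // placeholder host

function makeOrderLoader({ getUser, getAppToken, fetchImpl }) {
  // Returns { status, body }; a Remix loader would map this onto a Response.
  return async function loader({ request, params }) {
    // 1. Identify the user from the server-side session, never from client input.
    const user = await getUser(request);
    if (!user) return { status: 401, body: null };

    // 2. The app authenticates as itself; the API cannot tell which user asked.
    const token = await getAppToken();
    const url = `${API_BASE}/orders/${encodeURIComponent(params.orderId)}`;
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
    if (!res.ok) return { status: res.status === 404 ? 404 : 502, body: null };
    const order = await res.json();

    // 3. The API trusts the app token, so the per-user check must happen here.
    const allowed = order.ownerId === user.id || (user.roles || []).includes("admin");
    // Same answer for "missing" and "not yours" so order ids cannot be probed.
    if (!allowed) return { status: 404, body: null };
    return { status: 200, body: order };
  };
}

// Constructed sample data and stubs so the example runs without network access.
const ORDERS = {
  "o-1": { id: "o-1", ownerId: "alice", total: 10 },
  "o-2": { id: "o-2", ownerId: "bob", total: 99 },
};
const seenAuth = []; // Authorization headers the stub API received
const stubDeps = (user) => ({
  getUser: async () => user,
  getAppToken: async () => "constructed-app-token",
  fetchImpl: async (url, init) => {
    seenAuth.push(init.headers.Authorization);
    const order = ORDERS[decodeURIComponent(url.split("/").pop())];
    return { ok: Boolean(order), status: order ? 200 : 404, json: async () => order };
  },
});
```

Dropping step 3 would let any signed-in user read any order by changing the id in the URL, because the API only ever sees the app's credentials.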