Does MSAL Use PKCE Flow for React-based Outlook Add-ins?
Hi Microsoft Community,
I’m developing a React.js-based Outlook add-in and am using the MSAL library to implement OAuth 2.0. The add-in interacts with the Microsoft Graph API after getting an access token from MSAL.js.
While configuring the authentication, I want to ensure that the implementation follows the most secure flow, specifically the Authorization Code Flow with PKCE.
Queries:
- Does MSAL (e.g., msal-browser) implement PKCE by default when using the authorization code flow in a React-based add-in?
- Are there any additional configurations required in the Azure AD app registration (e.g., enabling PKCE or specific redirect URI formats) to ensure that PKCE is used within the context of an Outlook Add-in?
I’ve referred to the MSAL documentation linked below and understand that PKCE is generally recommended for SPAs, but I’d like clarification on how it integrates specifically with Outlook Add-ins.
( https://zcusa.951200.xyz/en-us/entra/identity-platform/msal-authentication-flows )
( https://zcusa.951200.xyz/en-us/entra/identity-platform/scenario-spa-app-registration )
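
Independent of the library in use, one way to confirm that PKCE is actually being sent is to copy the `/authorize` request URL from the browser's network tab and check its parameters against RFC 7636. The following is an added example, not part of the original post and not MSAL code; `auditPkce` and the sample URLs (with placeholder tenant and client IDs and a sample challenge value) are constructed for illustration.

```javascript
// Audit an OAuth 2.0 authorization request URL for PKCE (RFC 7636).
// With S256 the challenge is base64url(SHA-256(verifier)) without padding,
// which is always exactly 43 characters.
const S256_CHALLENGE = /^[A-Za-z0-9_-]{43}$/;

function auditPkce(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const findings = [];

  const responseType = (params.get("response_type") || "").split(" ");
  if (!responseType.includes("code")) {
    findings.push("response_type does not request an authorization code");
  }
  if (responseType.includes("token")) {
    findings.push("response_type requests an access token in the front channel (implicit flow)");
  }

  const challenge = params.get("code_challenge");
  const method = params.get("code_challenge_method");
  if (!challenge) {
    findings.push("code_challenge is missing: PKCE is not in use");
  } else if (method !== "S256") {
    // RFC 7636: an absent method means "plain", which offers no hashing.
    findings.push(`code_challenge_method is ${method || "absent (defaults to plain)"}, expected S256`);
  } else if (!S256_CHALLENGE.test(challenge)) {
    findings.push("code_challenge is not a 43-character base64url SHA-256 value");
  }

  // The verifier must stay in the client until the token request.
  if (params.has("code_verifier")) {
    findings.push("code_verifier is exposed in the authorization request");
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample requests; tenant and client IDs are placeholders.
const BASE = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize" +
  "?client_id=CLIENT_ID_PLACEHOLDER&redirect_uri=https%3A%2F%2Flocalhost%3A3000%2Fauth&scope=User.Read";
const CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"; // sample value
const GOOD = `${BASE}&response_type=code&code_challenge=${CHALLENGE}&code_challenge_method=S256`;
const NO_METHOD = `${BASE}&response_type=code&code_challenge=${CHALLENGE}`;
const IMPLICIT = `${BASE}&response_type=token`;

for (const [name, url] of Object.entries({ GOOD, NO_METHOD, IMPLICIT })) {
  console.log(name, JSON.stringify(auditPkce(url)));
}
```
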