More Secure JavaScript Single-Page Applications with MSAL 2.0 and OAuth 2.0 Auth Code Flow with PKCE

Microsoft DevRadio
For years, we've used version 1 of the Microsoft Authentication Library for JavaScript to authenticate our single-page applications to Azure Active Directory. But MSAL 1 uses the OAuth 2.0 Implicit Grant Flow, which can be exploited by a malicious actor under certain circumstances. The newly released MSAL 2.0 uses the Auth Code Flow with PKCE (Proof Key for Code Exchange), which is less susceptible to malicious code intercepting your access tokens. And even though the two protocols are very different, upgrading your JavaScript code is actually quite easy! This video explores a few of the different OAuth flows, using a fun analogy of a bank protecting valuables in a safe deposit box. The source code referenced in this video can be found here: github.com/jaspecla/msal-vue-demo
Published 4 years ago, on 1399/05/09.
Viewed 20,673 times
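
The PKCE mechanism the description refers to, as an added Node.js example that is not from the video, its repository or MSAL: the client keeps a random code verifier, sends only its SHA-256 challenge (RFC 7636, method S256) with the authorization request, and the server releases tokens only to a caller presenting the matching verifier. `ToyAuthServer` and the other names are hypothetical stand-ins, and the token value is constructed.

```javascript
// Added example (Node.js); not MSAL's code. All names are hypothetical.
const nodeCrypto = require("node:crypto");

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
function createCodeVerifier() {
  return nodeCrypto.randomBytes(32).toString("base64url"); // 43 characters
}

// RFC 7636 section 4.2, S256: BASE64URL(SHA256(ASCII(code_verifier))).
function codeChallengeS256(verifier) {
  return nodeCrypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Minimal in-memory stand-in for an authorization server.
class ToyAuthServer {
  constructor() { this.pending = new Map(); }

  // Authorization request: the issued code is bound to the client's challenge.
  authorize(codeChallenge) {
    const code = nodeCrypto.randomBytes(16).toString("hex");
    this.pending.set(code, codeChallenge);
    return code;
  }

  // Token request: redeem only if the verifier hashes to the stored challenge.
  redeem(code, codeVerifier) {
    const challenge = this.pending.get(code);
    this.pending.delete(code); // a code is single use, even when redemption fails
    if (challenge === undefined) return { error: "invalid_grant" };
    if (typeof codeVerifier !== "string" || !/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) {
      return { error: "invalid_request" };
    }
    const expected = Buffer.from(challenge);
    const actual = Buffer.from(codeChallengeS256(codeVerifier));
    const ok = expected.length === actual.length && nodeCrypto.timingSafeEqual(expected, actual);
    return ok ? { access_token: "constructed-sample-token" } : { error: "invalid_grant" };
  }
}

// The verifier never leaves the client; only the code travels in the redirect.
function demo() {
  const server = new ToyAuthServer();
  const verifier = createCodeVerifier();
  const challenge = codeChallengeS256(verifier);
  return {
    codeOnly: server.redeem(server.authorize(challenge), createCodeVerifier()),
    legitimate: server.redeem(server.authorize(challenge), verifier),
  };
}
```

With the Implicit Grant Flow the token itself comes back in the redirect; here the redirect carries only a code that cannot be redeemed without the verifier held by the client.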