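/**
 * MSAL (Microsoft Authentication Library) configuration for Azure AD SSO.
 * Uses PKCE flow by default for SPA security.
 *
 * Every setting comes from Vite `import.meta.env` values, which are embedded in
 * the client bundle; do not put secrets in them.
 */
import { Configuration, LogLevel, PopupRequest } from '@azure/msal-browser';

// Client ID used for both MSAL config and API token requests.
// NOTE(review): if VITE_AZURE_CLIENT_ID is unset this falls back to '', which
// gives MSAL an empty clientId and turns the API scope below into '/.default'.
// The build/deploy pipeline should always set it.
const CLIENT_ID = import.meta.env.VITE_AZURE_CLIENT_ID || '';

/**
 * MSAL configuration - uses PKCE by default for SPAs.
 */
export const msalConfig: Configuration = {
  auth: {
    clientId: CLIENT_ID,
    // Falls back to the multi-tenant 'common' endpoint when no tenant ID is
    // configured. With 'common' the authority itself does not pin sign-in to
    // one tenant, so a single-tenant deployment should always set
    // VITE_AZURE_TENANT_ID, and the API should validate the token's issuer/tenant.
    authority: `https://login.microsoftonline.com/${import.meta.env.VITE_AZURE_TENANT_ID || 'common'}`,
    // Explicit override first, otherwise the app's own origin + base path.
    // Either value has to match a redirect URI registered for the app.
    redirectUri:
      import.meta.env.VITE_AZURE_REDIRECT_URI ||
      window.location.origin + import.meta.env.BASE_URL,
    postLogoutRedirectUri: window.location.origin + import.meta.env.BASE_URL,
  },
  cache: {
    // Persists auth state across browser tabs/refresh.
    // Trade-off: tokens kept in localStorage are readable by any script that
    // runs in this origin and outlive the tab, so an XSS bug exposes them.
    // 'sessionStorage' narrows that exposure at the cost of cross-tab sign-in.
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: false, // Not needed for modern browsers
  },
  system: {
    loggerOptions: {
      loggerCallback: (level, message, containsPii) => {
        // Never forward messages MSAL has flagged as containing PII.
        if (containsPii) return;
        const prefix = '[MSAL]';
        // Levels without a case below are dropped.
        switch (level) {
          case LogLevel.Error:
            console.error(prefix, message);
            break;
          case LogLevel.Warning:
            console.warn(prefix, message);
            break;
          case LogLevel.Info:
            console.info(prefix, message);
            break;
          case LogLevel.Verbose:
            console.debug(prefix, message);
            break;
        }
      },
      // Info is for debugging MSAL activity during development. Production
      // builds log only warnings and errors, so auth-flow detail is not
      // written to every user's browser console.
      logLevel: import.meta.env.DEV ? LogLevel.Info : LogLevel.Warning,
    },
  },
};

/**
 * Scopes for initial login (ID token).
 */
export const loginRequest: PopupRequest = {
  scopes: ['openid', 'profile', 'email'],
};

/**
 * Scopes for API calls - request a token for OUR app, not Graph.
 * Using the client ID as scope requests an access token for this app, so the
 * backend should check that the token's audience is this application.
 */
export const apiTokenRequest = {
  scopes: [`${CLIENT_ID}/.default`],
};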