Gathering detailed insights and metrics for @azure/msal-node
Gathering detailed insights and metrics for @azure/msal-node
Microsoft Authentication Library (MSAL) for JS
Installations
npm install @azure/msal-nodeDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=16
Node Version
18.20.6
NPM Version
10.8.2
Score
95.6
Supply Chain
99.6
Quality
95
Maintenance
100
Vulnerability
98.6
License
Releases
678
@azure/msal-node-extensions v1.5.16
msal-node-extensions-v1.5.16
Updated on Jul 01, 2025
@azure/msal-react v3.0.14
msal-react-v3.0.14
Updated on Jul 01, 2025
@azure/msal-angular v4.0.14
msal-angular-v4.0.14
Updated on Jul 01, 2025
@azure/msal-node v3.6.2
msal-node-v3.6.2
Updated on Jul 01, 2025
@azure/msal-browser v4.14.0
msal-browser-v4.14.0
Updated on Jul 01, 2025
@azure/msal-common v15.8.0
msal-common-v15.8.0
Updated on Jul 01, 2025
Languages
8
TypeScript
JavaScript
C++
PowerShell
HTML
Shell
C
SCSS
TypeScript (98.73%)
JavaScript (1.1%)
C++ (0.08%)
PowerShell (0.05%)
HTML (0.04%)
Developer
Download Statistics
Total Downloads
358,514,495
Last Day
280,014
Last Week
4,088,489
Last Month
16,775,438
Last Year
174,057,718
GitHub Statistics
MIT License
3,894 Stars
13,451 Commits
2,695 Forks
124 Watchers
187 Branches
1,161 Contributors
Updated on Jul 06, 2025
Bundle Size
288.68 kB
Minified
76.04 kB
Minified + Gzipped
Maintainers
3
Package Meta Information
Latest Version
3.6.2
Package Id
@azure/msal-node@3.6.2
Unpacked Size
2.30 MB
Size
414.45 kB
File Count
440
NPM Version
10.8.2
Node Version
18.20.6
Published on
Jul 01, 2025
Total Downloads
Cumulative downloads
Total Downloads
358,514,495
Last Day
51.9%
280,014
Compared to previous day
Last Week
0.1%
4,088,489
Compared to previous week
Last Month
-1.4%
16,775,438
Compared to previous month
Last Year
66.3%
174,057,718
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Microsoft Authentication Library for Node (msal-node)
| Getting Started | AAD Docs | Library Reference |
|---|
- About
- FAQ
- Changelog
- Prerequisites
- Installation
- Node Version Support
- Usage
- Samples
- Build Library
- Security Reporting
- License
- Code of Conduct
About
MSAL Node enables applications to authenticate users using Azure AD work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Azure AD B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.
OAuth2.0 grant types supported:
The current version supports the following ways of acquiring tokens:
Public Client:
- Authorization Code Grant with PKCE
- Device Code Grant
- Refresh Token Grant
- Silent Flow
- Username and Password flow
Confidential Client:
- Authorization Code Grant with a client credential
- Refresh Token Grant
- Silent Flow
- Client Credential Grant
- On-behalf-of flow
- Username and Password flow
Note that the username and password flow is deprecated and support will be removed in a future release.
More details on different grant types supported by Microsoft authentication libraries in general can be found here.
Scenarios supported:
The scenarios supported with this library are:
- Desktop app that calls web APIs
- Web app that calls web APIs
- Web APIs that call web APIs
- Daemon apps
More details on scenarios and the authentication flows that map to each of them can be found here.
FAQ
See here.
Prerequisites
Before using @azure/msal-node you will need to register your app in the azure portal:
Installation
Via NPM:
1npm install @azure/msal-node
Node Version Support
MSAL Node will follow the Long Term Support (LTS) schedule of the Node.js project. Our support plan is as follows.
Any major MSAL Node release:
- Will support stable (even-numbered) Maintenance LTS, Active LTS, and Current versions of Node
- Will drop support for any previously supported Node versions that have reached end of life
- Will not support prerelease/preview/pending versions until they are stable
| MSAL Node version | MSAL support status | Supported Node versions |
|---|---|---|
| 3.x.x | Active development | 16, 18, 20, 22, 24 |
| 2.x.x | Active development | 16, 18, 20, 22 |
| 1.x.x | In maintenance | 10, 12, 14, 16, 18 |
Note: There have been no functional changes in the MSAL Node v2 release.
Usage
MSAL basics
- Understand difference in between Public Client and Confidential Clients
- Initialize a Public Client Application
- Initialize a Confidential Client Application
- Configuration
- Request
- Response
Samples
There are multiple samples included in the repository that use MSAL Node to acquire tokens. These samples are currently used for manual testing, and are not meant to be a reference of best practices, therefore use judgement and do not blindly copy this code to any production applications.
AAD samples:
- auth-code: Express app using OAuth2.0 authorization code flow.
- auth-code-pkce: Express app using OAuth2.0 authorization code flow with PKCE.
- device-code: Command line app using OAuth 2.0 device code flow.
- refresh-token: Command line app using OAuth 2.0 refresh flow.
- silent-flow: Express app using OAuth2.0 authorization code flow to acquire a token and store in the token cache, and silent flow to use tokens in the token cache.
- client-credentials: Daemon app using OAuth 2.0 client credential grant to acquire a token.
- on-behalf-of: Web application using OAuth 2.0 auth code flow to acquire a token for a web API. The web API validates the token, and calls Microsoft Graph on behalf of the user who authenticated in the web application.
- username-password: Web application using OAuth 2.0 resource owner password credentials (ROPC) flow to acquire a token for a web API.
- ElectronTestApp: Electron desktop application using OAuth 2.0 auth code with PKCE flow to acquire a token for a web API such as Microsoft Graph.
- Hybrid Spa Sample: Sample demonstrating how to use
enableSpaAuthorizationCodeto perform SSO for applications that leverage server-side and client-side authentication using MSAL Browser and MSAL Node.
B2C samples:
- b2c-user-flows: Express app using OAuth2.0 authorization code flow.
Others:
- msal-node-extensions: Uses authorization code flow to acquire tokens and the msal-extensions library to write the MSAL in-memory token cache to disk.
Build and Test
1// Install dependencies from root of repo 2npm install 3 4// Change to the msal-node package directory 5cd lib/msal-node 6 7// To run build for common package & node package 8npm run build:all 9 10// To run build only for node package 11npm run build 12 13// To run tests 14npm run test
Local Development
Below is a list of commands you will probably find useful:
npm run build:modules:watch
Runs the project in development/watch mode. Your project will be rebuilt upon changes. TSDX has a special logger for you convenience. Error messages are pretty printed and formatted for compatibility VS Code's Problems tab. The library will be rebuilt if you make edits.
npm run build
Bundles the package to the dist folder.
The package is optimized and bundled with Rollup into multiple formats (CommonJS, UMD, and ES Module).
npm run build:all
Builds both msal-common and msal-node
npm run lint
Runs eslint with Prettier
npm test, npm run test:coverage, npm run test:watch
Runs the test watcher (Jest) in an interactive mode. By default, runs tests related to files changed since the last commit. Generate code coverage by adding the flag --coverage. No additional setup needed. Jest can collect code coverage information from entire projects, including untested files.
Security Reporting
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
License
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
We Value and Adhere to the Microsoft Open Source Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Moderate
5.5/10
Summary
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Affected Versions
>= 2.7.0, < 2.9.2
Patched Versions
2.9.2
Reason
30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'dev'
- Info: 'force pushes' disabled on branch 'dev'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'dev'
- Info: 'stale review dismissal' is required to merge on branch 'dev'
- Info: required approving review count is 2 on branch 'dev'
- Info: codeowner review is required on branch 'dev'
- Info: 'last push approval' is required to merge on branch 'dev'
- Info: 'up-to-date branches' is required to merge on branch 'dev'
- Info: status check found to merge onto on branch 'dev'
- Info: PRs are required in order to make changes on branch 'dev'
Reason
Found 21/25 approved changesets -- score normalized to 8
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-bump.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-bump.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-bump.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-bump.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/beachball-bump.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-bump.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/beachball-check.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-check.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-check.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue-template-bot.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/issue-template-bot.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/label.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/metadata-check.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/metadata-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/metadata-check.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/metadata-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/msal-node-confidential-client-benchmarks.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/msal-node-confidential-client-benchmarks.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/msal-node-confidential-client-benchmarks.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-audit.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/npm-audit.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-audit.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/npm-audit.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/typedoc.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/typedoc.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/typedoc.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/typedoc.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/typedoc.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/typedoc.yml/dev?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/client-credential-benchmark.yml:28
- Warn: npmCommand not pinned by hash: .github/workflows/client-credential-benchmark.yml:34
- Warn: npmCommand not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:23
- Warn: npmCommand not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:29
- Info: 0 out of 17 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 5 third-party GitHubAction dependencies pinned
- Info: 4 out of 8 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/beachball-bump.yml:20
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/beachball-check.yml:20
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/beachball-check.yml:21
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/issue-template-bot.yml:12
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/label.yml:22
- Info: topLevel 'contents' permission set to 'read': .github/workflows/beachball-bump.yml:15
- Info: topLevel 'contents' permission set to 'read': .github/workflows/beachball-check.yml:15
- Warn: no topLevel permission defined: .github/workflows/client-credential-benchmark.yml:1
- Info: found token with 'none' permissions: .github/workflows/issue-template-bot.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/label.yml:17
- Warn: no topLevel permission defined: .github/workflows/metadata-check.yml:1
- Warn: topLevel 'deployments' permission set to 'write': .github/workflows/msal-node-confidential-client-benchmarks.yml:9
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/msal-node-confidential-client-benchmarks.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/npm-audit.yml:24
- Warn: no topLevel permission defined: .github/workflows/typedoc.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
27 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-m5vv-6r4h-3vj9
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-6r2x-8pq8-9489
- Warn: Project is vulnerable to: MAL-2022-2692
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
Score
5.8
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More