Errors in the msal-node auth-code example #8127

@d28b

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

3.8.1

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

The code example does not work as it is. The following issues are in the code and/or in the documentation:

  1. The code passes process.env.AZURE_CLIENT_SECRET as the client secret. The documentation says to put CLIENT_SECRET (instead of AZURE_CLIENT_SECRET) into the .env file.
  2. The "MSAL Usage" comment block says to use the accessToken. However, for small web apps the idToken is of interest, which isn't mentioned anywhere.
  3. The SESSION_SECRET is not mentioned in the documentation. For people not familiar with "express", this is a show-stopper.
  4. When the "knownAuthorities" key in the configuration is missing, the example fails with a cryptic error message. (The value passed to .filter(...), called within a catch block, which catches the actual error message and shows a generic message instead.) Setting "knownAuthorities" to an empty array [] either in the configuration file or in index.js resolves the issue.
  5. As a side note, authCodeUrlParameters is persistent across requests, and modified by each request (instead of being treated as an immutable configuration value). While this is certainly fine in a piece of example code, it is nevertheless bad practice.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

{
    "authOptions":
        {
            "clientId": "935a5408-96e6-4170-9498-6fe1f129c07d",
            "authority": "https://login.microsoftonline.com/1892f70b-2911-446b-824f-d0f8eaca9e98",
            "knownAuthorities": []
        },
    "request":
    {
        "authCodeUrlParameters": {
            "scopes": ["user.read"],
            "redirectUri": "https://verify.viereck.ch/redirect"
        },
        "tokenRequest": {
            "redirectUri": "https://verify.viereck.ch/redirect",
            "scopes": ["user.read"]
        }
    },
    "resourceApi":
    {
        "endpoint": "https://graph.microsoft.com/v1.0/me"
    }
}

Relevant Code Snippets

Mentioned above.

Reproduction Steps

Mentioned in the text above.

Expected Behavior

A working example.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response
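
Item 5 above, shown as an added example that is not part of the original issue or of the MSAL sample: the shared-object pattern lets one sign-in attempt's values carry over into the next, while a frozen base config plus a per-request copy does not. The helper names (`deepFreeze`, `sharedMutation`, `buildAuthCodeUrlParameters`, `demo`) and the sample values are hypothetical; the per-request keys are assumed to be the msal-node authorization URL request fields of the same names.

```javascript
// Added example; helper names and sample values are constructed.
// Base config mirrors request.authCodeUrlParameters from the issue.
const config = deepFreeze({
  authCodeUrlParameters: {
    scopes: ["user.read"],
    redirectUri: "https://verify.viereck.ch/redirect",
  },
});

// Fields that legitimately differ per sign-in attempt.
const PER_REQUEST_KEYS = ["state", "nonce", "prompt", "loginHint",
  "codeChallenge", "codeChallengeMethod"];

// Recursively freeze so accidental writes to shared config cannot stick.
function deepFreeze(obj) {
  for (const value of Object.values(obj)) {
    if (value !== null && typeof value === "object") deepFreeze(value);
  }
  return Object.freeze(obj);
}

// Pattern described in item 5: every request writes into one shared object.
function sharedMutation(shared, perRequest) {
  return Object.assign(shared, perRequest);
}

// Per-request copy: the base stays untouched, unknown keys are rejected.
function buildAuthCodeUrlParameters(base, perRequest) {
  const params = { ...base, scopes: [...base.scopes] };
  for (const [key, value] of Object.entries(perRequest)) {
    if (!PER_REQUEST_KEYS.includes(key)) {
      throw new Error(`unexpected per-request key: ${key}`);
    }
    if (value !== undefined) params[key] = value;
  }
  return params;
}

// Two constructed sign-in attempts: A carries a loginHint, B does not.
function demo() {
  const shared = { scopes: ["user.read"], redirectUri: "https://app.example/redirect" };
  sharedMutation(shared, { state: "state-A", loginHint: "alice@example.com" });
  const leakedB = { ...sharedMutation(shared, { state: "state-B" }) };
  const base = config.authCodeUrlParameters;
  buildAuthCodeUrlParameters(base, { state: "state-A", loginHint: "alice@example.com" });
  const cleanB = buildAuthCodeUrlParameters(base, { state: "state-B" });
  return { leakedB, cleanB, baseKeys: Object.keys(base) };
}

console.log(demo());
```

With the shared object, attempt B is built with attempt A's `loginHint`; with the per-request copy it is not, and the frozen base keeps only `scopes` and `redirectUri`.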


Labels

  • Needs: Attention 👋 (Awaiting response from the MSAL.js team)
  • bug-unconfirmed (A reported bug that needs to be investigated and confirmed)
  • confidential-client (Issues regarding ConfidentialClientApplications)
  • msal-node (Related to msal-node package)
  • question (Customer is asking for a clarification, use case or information.)
