Private Readonly _destroying$
Private _init
Private Readonly _initialization
Protected config
Protected is
Private msal
Readonly type
Provider type identifier. Must be implemented by concrete providers.
Protected user
Protected user
Static Readonly PROVIDER_
Contains the initial path from window.location.pathname before any work was done by auth services
Contains the initial search/query string from window.location.search before any work was done by auth services
Private _perform
Classify an error into standard error type
Converts provider-specific errors into semantic categories. Eliminates need for consumers to check error.name or error types.
const authError = this.authBase.classifyError(err);
if (authError.type === AuthErrorType.TOKEN_EXPIRED) {
  this.showMessage(authError.userMessage);
}
Protected classify
Classify MSAL-specific errors into semantic types
Maps MSAL error classes to AuthErrorType enum
Private ensure
Protected extract
Protected extract
Extract complete token info from MSAL
Maps MSAL's AuthenticationResult to StandardAuthToken
Protected extract
Extract user info from MSAL account
Maps MSAL's AccountInfo structure to StandardUserInfo
Get ID token string (primary token method)
This is the clean abstraction - no provider-specific logic needed!
Replaces the old pattern of: claims?.__raw || claims?.idToken
const token = await this.authBase.getIdToken();
if (token) {
  setupGraphQLClient(token, apiUrl);
}
Get profile picture URL from auth provider
Returns the user's profile picture URL if available from the auth provider. This abstracts away provider-specific logic:
Promise resolving to image URL or null if not available
const pictureUrl = await this.authBase.getProfilePictureUrl();
if (pictureUrl) {
  this.userAvatar = pictureUrl;
}
Protected get
Get profile picture URL from Microsoft Graph API
MSAL requires fetching the photo from Microsoft Graph. This is the key advantage of encapsulation - consumers don't need to know about Graph API, they just call getProfilePictureUrl()!
Get complete token information
Returns full token details including expiration and scopes. Use this when you need more than just the token string.
Get user info as Observable stream
Returns standardized user info, hiding provider-specific claim structures. No more need for consumers to merge claims or check provider-specific fields!
Protected handle
Handle session expiry by redirecting to Microsoft login
This method is called by the base class when silent token refresh fails with INTERACTION_REQUIRED error. It redirects to Microsoft login and never returns. After authentication, the app will reload and re-initialize with a fresh token.
Protected login
Private mapMSALAccount
Map MSAL AccountInfo to StandardUserInfo
Refresh authentication token
Attempts to obtain a fresh authentication token using the provider's refresh mechanism. If silent refresh fails due to session expiry, the provider will handle re-authentication automatically (which may involve redirecting to the auth provider's login page).
Returns StandardAuthToken on success, or throws on complete failure.
IMPORTANT: If the provider requires interactive re-authentication (redirect or popup), this method may never return. The app will reload after authentication completes and re-initialize with a fresh token.
Promise resolving to StandardAuthToken or throws on failure
const token = await this.authBase.refreshToken();
return token.idToken; // Always succeeds or throws
Protected refresh
Refresh token using MSAL's silent token acquisition
Uses acquireTokenSilent with forceRefresh to get new tokens
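The refresh and error-classification flow described above, as an added example that is not the project's own code. The AuthError shape, the UNKNOWN member, the StandardAuthToken fields other than idToken, the reduced MsalClient interface and the stub are assumptions made for illustration.

```typescript
// Stand-in types (assumed); the page names only idToken, TOKEN_EXPIRED and INTERACTION_REQUIRED.
enum AuthErrorType { TOKEN_EXPIRED, INTERACTION_REQUIRED, UNKNOWN }
interface AuthError { type: AuthErrorType; userMessage: string; cause: unknown }
interface StandardAuthToken { idToken: string; expiresAt: Date | null; scopes: string[] }
// Reduced view of the MSAL client and AuthenticationResult fields used below.
interface MsalResult { idToken: string; expiresOn: Date | null; scopes: string[] }
interface MsalClient {
  acquireTokenSilent(req: { scopes: string[]; forceRefresh: boolean }): Promise<MsalResult>;
  acquireTokenRedirect(req: { scopes: string[] }): Promise<void>;
}

// errorCode values MSAL reports when silent acquisition needs the user.
const INTERACTION_CODES = new Set(["interaction_required", "login_required", "consent_required"]);

function classifyError(err: unknown): AuthError {
  const code = typeof err === "object" && err !== null ? (err as { errorCode?: unknown }).errorCode : undefined;
  if (typeof code === "string" && INTERACTION_CODES.has(code)) {
    return { type: AuthErrorType.INTERACTION_REQUIRED, userMessage: "Your session has expired. Please sign in again.", cause: err };
  }
  // Raw provider text stays in `cause` for logging and never reaches the UI string.
  return { type: AuthErrorType.UNKNOWN, userMessage: "Sign-in failed. Please try again.", cause: err };
}

async function refreshToken(client: MsalClient, scopes: string[]): Promise<StandardAuthToken> {
  try {
    const r = await client.acquireTokenSilent({ scopes, forceRefresh: true });
    if (!r.idToken) throw new Error("silent refresh returned no ID token"); // fail closed
    return { idToken: r.idToken, expiresAt: r.expiresOn, scopes: r.scopes };
  } catch (err) {
    const authError = classifyError(err);
    if (authError.type !== AuthErrorType.INTERACTION_REQUIRED) throw authError;
    await client.acquireTokenRedirect({ scopes }); // browser navigates to the login page
    return new Promise<never>(() => {}); // never settles: the app reloads after sign-in
  }
}

// Constructed stub: silent refresh fails the way an expired session does.
let redirects = 0;
const expiredSession: MsalClient = {
  acquireTokenSilent: async () => { throw { errorCode: "login_required", errorMessage: "constructed provider text" }; },
  acquireTokenRedirect: async () => { redirects++; },
};
```

Callers that await refreshToken should not hold locks or show spinners that assume the promise settles, because the redirect branch never resolves.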
Protected update
Protected update
Update user info
Subclasses should call this when user info is retrieved or updated. This automatically updates the email stream as well.
Static angular
Factory function to provide Angular dependencies required by MSAL. Stored as a static property for the factory to access without instantiation.
MSAL (Microsoft Authentication Library) provider implementation - v3.0.0
Implements the abstract methods from MJAuthBase to hide MSAL-specific details. The key abstraction is that MSAL stores the JWT in AuthenticationResult.idToken, but consumers never need to know this detail.