
Acquiring Token Interactively

Abhidnya edited this page Mar 24, 2021 · 2 revisions

MSAL supports acquiring tokens interactively on public clients through the system (OS) browser. MSAL starts the system browser as a separate process and opens the authorization URL. MSAL has no control over this browser, but once the user finishes authenticating, the web page is redirected in such a way that MSAL can intercept the response from the authority.

MSAL listens on "http://localhost:port" and intercepts the authorization code that the authority sends when the user is done authenticating. MSAL cannot detect if the user navigates away or simply closes the browser. Apps using this technique are encouraged to define a timeout. We recommend a timeout of at least a few minutes to take into account cases where the user is prompted to change their password or perform 2FA.

During app registration on the portal, configure http://localhost as a redirect URI.

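```go
// Imports needed: "context", "log" and
// "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public".

// Create the public client application for your app registration.
app, err := public.New("your_client_id", public.WithAuthority("authority_url"))
if err != nil {
    // handle error
    log.Println(err)
}
// Opens the system browser and waits for the redirect to http://localhost:port.
result, err := app.AcquireTokenInteractive(context.Background(), []string{"scopes"}, public.WithRedirectURI("redirect_uri"))
if err != nil {
    // handle error
    log.Println(err)
}
```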

authority_url is of the format https://login.microsoftonline.com/organizations or https://login.microsoftonline.com/your_tenant_id.

WithRedirectURI("redirect_uri") is an optional parameter. If it is passed, it must be of the format http://localhost:port, and MSAL listens on the specified port for the code. If it is not passed, a random open port is chosen.
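The loopback redirect and the timeout described above can be seen in a standard-library sketch. This is an added example, not MSAL's own code: it binds to the loopback interface only, accepts a redirect only when it carries a code and echoes the expected OAuth `state` value, and gives up when the context deadline passes. The name `waitForCode`, the `state` check and the sample state string are assumptions made for illustration.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"time"
)

// waitForCode (hypothetical name) serves OAuth redirects on ln and returns the
// first code whose state matches, or ctx.Err() if the user never finishes.
func waitForCode(ctx context.Context, ln net.Listener, state string) (string, error) {
	codes := make(chan string, 1)
	srv := &http.Server{ReadHeaderTimeout: 5 * time.Second,
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			q := r.URL.Query()
			// Ignore requests that lack a code or do not echo our state value.
			if q.Get("code") == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(state)) != 1 {
				http.Error(w, "invalid redirect", http.StatusBadRequest)
				return
			}
			select {
			case codes <- q.Get("code"): // first valid redirect wins
			default: // a code was already delivered
			}
			fmt.Fprintln(w, "Authentication complete. You can close this window.")
		})}
	go srv.Serve(ln)
	defer srv.Shutdown(context.Background()) // always release the port
	select {
	case code := <-codes:
		return code, nil
	case <-ctx.Done(): // browser closed or abandoned: nothing will ever arrive
		return "", ctx.Err()
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only; port 0 = random open port
	if err != nil {
		panic(err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) // room for 2FA
	defer cancel()
	fmt.Printf("redirect URI: http://localhost:%d\n", ln.Addr().(*net.TCPAddr).Port)
	fmt.Println(waitForCode(ctx, ln, "constructed-state")) // use a random state in practice
}
```

Without the deadline, a closed browser tab would leave the listener and the calling goroutine waiting indefinitely, since no request ever signals that the user gave up.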
