Core Library: MSAL.js (@azure/msal-browser)
Wrapper Library: Not Applicable
Public or Confidential Client? Public
Description
Currently CAE can be implemented in the front-end by silently renewing a token every single time it is needed; if it fails with the error that an interaction is required, you should use a pop-up or redirect that forces the user to sign in again.
HOWEVER - The previous token is technically still valid for authenticating towards your back-end, because it hasn't technically expired and its parameters haven't changed, and it will still pass the basic checks.
Is there a way for a back-end application to check the following:
Check if the token is really still valid, because it could've been revoked by Azure because the password was changed or a session was revoked.
If no, then in my opinion it should be possible for a back-end application to verify CAE against Azure (an endpoint perhaps to see if there were any security events for a user ID since X point in time?)
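The front-end pattern described in the issue (renew silently on every use, fall back to an interactive sign-in when MSAL reports that interaction is required), as an added example that is not code from the issue or from the MSAL.js project. It assumes msal-browser's `forceRefresh` request option and the `InteractionRequiredAuthError` error name, and runs offline against a constructed fake client so the branching can be checked.

```javascript
// Name MSAL.js assigns to the error class that means "silent renewal is not
// enough, the user has to sign in again" (revoked session, password change, ...).
const INTERACTION_REQUIRED = "InteractionRequiredAuthError";

// msalClient is expected to look like msal-browser's PublicClientApplication.
// forceRefresh: true asks MSAL to hit the token endpoint instead of returning the
// cached access token, which is what "renew on every use" needs for CAE.
async function acquireAccessToken(msalClient, account, scopes) {
  const request = { account, scopes, forceRefresh: true };
  try {
    const result = await msalClient.acquireTokenSilent(request);
    return { accessToken: result.accessToken, interactive: false };
  } catch (err) {
    // Only an interaction-required error should trigger the pop-up; network or
    // configuration errors are surfaced to the caller unchanged.
    if (!err || err.name !== INTERACTION_REQUIRED) throw err;
    const result = await msalClient.acquireTokenPopup(request);
    return { accessToken: result.accessToken, interactive: true };
  }
}

// Constructed fake (hypothetical, not MSAL) standing in for the real client: the
// silent call can be made to fail with a chosen error name, the pop-up succeeds.
function makeFakeClient({ silentFailsWith } = {}) {
  const calls = [];
  return {
    calls,
    async acquireTokenSilent() {
      calls.push("silent");
      if (silentFailsWith) {
        const e = new Error("interaction_required");
        e.name = silentFailsWith;
        throw e;
      }
      return { accessToken: "renewed-token" };
    },
    async acquireTokenPopup() {
      calls.push("popup");
      return { accessToken: "fresh-token-after-signin" };
    },
  };
}

// Stand-alone demo: a CAE-revoked session forces the pop-up path.
const demoClient = makeFakeClient({ silentFailsWith: INTERACTION_REQUIRED });
acquireAccessToken(demoClient, { username: "user@example.com" }, ["User.Read"])
  .then((r) => console.log(r, demoClient.calls));
```

As the issue notes, this only governs callers that go through this code path; a token issued before the revocation is still structurally valid when presented to the back-end.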