Here's my understanding of MSAL.js. It redirects to the Active directory URL-plus-clientID where Active D shows a login page. The user signs in and gets a token if he is in the same Tenant as that clientID (otherwise denied). Active D redirects user back to my home page URL-plus-token. MSAL.Js extracts the token from the URL.
I just don't understand why Swagger can't do the same thing.
Any good solutions for Swagger? My boss is NOT happy with me for having exposed a client secret.