Can azure/msal-node validate a token? - msal.js

I have been using passport with the passport-azure-ad extension to validate an Azure AD JWT token in my server API. The passport-azure-ad package is now in maintenance mode and suggests that the code has been moved to azure/msal.
So does azure/msal-node provide a function to validate the azure ad jwt access token?

I've also been struggling with this for a while.
According to Sameera Gajjarapu, a senior engineer in Azure Identity, passport-azure-ad is to be replaced by the node-token-validation library. He does not, however, indicate any release date.
I suggest that you stick with passport-azure-ad until the new library is ready.
See https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/5034#issuecomment-1203450908.
To answer your question: You cannot validate access tokens with azure/msal-node.
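The checks a server API has to make on an RS256 bearer token, as an added example (not code from msal-node, passport-azure-ad or the thread): it uses only Node's built-in `crypto`. The key pair, `kid`, issuer and audience are constructed placeholders standing in for the tenant's published signing key and your API's registration.

```javascript
// Added example: signature, algorithm, issuer, audience and lifetime checks for an RS256 JWT.
const crypto = require('node:crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');
const decode = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// keys: Map of kid -> public KeyObject; throws an Error naming the first failed check.
function validateAccessToken(token, keys, { issuer, audience, now = Date.now() / 1000, skew = 300 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const header = decode(h);
  // Pin the algorithm on the server side; never let the token choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const key = keys.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = decode(p); // claims are only trusted after the signature check
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || now > claims.exp + skew) throw new Error('expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf - skew) throw new Error('not yet valid');
  return claims;
}

// Constructed fixture: a locally generated key stands in for the identity provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEYS = new Map([['demo-kid', publicKey]]);
const EXPECTED = { issuer: 'https://login.example.test/tenant-placeholder/v2.0', audience: 'api://demo-api' };

function mintToken(claims, header = { alg: 'RS256', typ: 'JWT', kid: 'demo-kid' }, key = privateKey) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url');
  return `${input}.${sig}`;
}

function check(token) {
  try { validateAccessToken(token, KEYS, EXPECTED); return 'accepted'; }
  catch (e) { return e.message; }
}

const nowSec = Math.floor(Date.now() / 1000);
const good = { iss: EXPECTED.issuer, aud: EXPECTED.audience, exp: nowSec + 600, nbf: nowSec - 10 };
console.log(check(mintToken(good)));
console.log(check(mintToken({ ...good, aud: 'api://other' })));
console.log(check(mintToken({ ...good, exp: nowSec - 3600 })));
```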

Related

SOBO using OAuth 2.0 Authentication Code Grant?

Can we use SOBO feature with OAuth 2.0 Authentication Code Grant using REST API?
We can't use JWT authentication due to a system limitation, so we need to explore whether we can use SOBO without using legacy and JWT authentication.
Please advise the flow using REST API!!
Regards,
VG
SOBO (Send on Behalf Of) is a legacy feature that cannot be used with OAuth 2.0.
JWT (JSON Web Tokens) grant gives you the ability to impersonate, which is essentially the same thing.
If you cannot use JWT and must use OAuth 2.0 (as DocuSign requires) then you cannot impersonate other users.
It may be good to understand your requirements and limitations in more detail to try to offer alternative solutions.
If you can't use JWT (why not?) then you could have the person you want your app to act on behalf of authenticate with DocuSign via your app using the OAuth authorization code grant flow. Include the extended scope to enable ongoing refresh token requests.
This will enable your app to act on behalf of the person, ongoing. (As long as you make an API refresh request once a month or more often.)

Microservice pattern for login and sign up

I am doing a project with microservices. For login and sign up service I have used Nodejs. I used express, bcrypt, passport and it is working. I am planning to use JWT now.
The mistake I made, I think, is that I am working backwards. Which pattern would be best for login and sign up now? Will an access token be perfect?
Can anything extra be added?
I would suggest that you use the OAuth protocol for authentication and authorization. In my past projects, we were using the Auth0 service (a paid one). There are several other options that support OAuth, like Azure AD etc. It supports JWT tokens as well.

What is the use of Client Secrets in Azure App Registrations?

I implemented Microsoft login by referring to this Documentation. I am able to successfully get the Access token and call the Microsoft Graph API.
But when I created the App registration in the Azure portal, I came across the "Certificates and Secrets" tab.
So I created a sample secret for my demo application as mentioned in the below screenshot.
But I am not able to find the exact use case of this secret variable. Is it used to authorize our backend Node.js server (APIs) or anything like that?
It would be very helpful if anyone provided a sample use case with an example or any documentation reference, as I am completely new to Azure AD.
Thanks in Advance
The client secret is the password of the service principal. Using a certificate would be an alternative way to authenticate the SP.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#authentication-two-options
As per MS Document,
The application needs a client secret to prove its identity when
requesting a token.
This will help the application to be more secure.
Please refer to the Auth Code flow as an example reference. Here we first request a code in a GET request, and after receiving the code from the identity server we request an access token in a POST request, adding the client secret and code to the request. This means a third person can't figure out what the secret and code are, hence he can't bypass the security.

Passport-azure-ad passport plug-in refresh the token

I'm currently working on an outlook add-in using the MS Graph API. In this add-in, I'm using azuread-openidconnect passport plug-in to authenticate the users using the OIDC strategy on the Azure-AD V2 endpoint.
I'm running into the typical issue where my access token is expired, and I need to use my refresh token to get an up-to-date access token. From the docs (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code) I can easily check and refresh the token manually. However, I assume that this functionality has been baked into the passport plug-in. If so, how do I go about checking and refreshing the token with the plug-in?
There's no method in passport-azure-ad for that. Passport's role is to authorize the initial access token, which can then be used to access APIs (including the refresh token API) at the provider.
So you may need to refresh these tokens by yourself, or by using a separate library like passport-oauth2-refresh.

Why is MSDN telling me to create a OAuth2.0 client when I just want a barebone test for my API?

I have a REST API, written with express directly. Nowhere in it do I use sessions, and authentication is for now done using JWT.
However, I dislike having to handle, save and secure users' credentials; that is when I heard about Azure Active Directory.
Adding passport to my app was easy enough, but that's when trouble started.
First, I had to search for what strategy I needed, and all of them seem to require the server to maintain sessions/remember who is logged in, all the while using JWT internally. That seems contradictory; JWT is supposed to remove the need to maintain sessions.
Finally, I found this MS example which uses the Bearer strategy without sessions.
After setting it up (changing the config file for the right tenant, client ID, changing the routes for a test app more representative of my API), I tried to use them. The protection works well since I am indeed "Unauthorized". But how do I get a valid token to send?
The MSDN guide that uses that quickstart doesn't mention it at all, just redirecting to the AAD library for Android or iOS, implicitly telling me to develop a test app in another language when I just want a crude tool to test if my test server works at all!
That is especially frustrating since I am pretty sure it is "just" a series of HTTP(S) requests on the tenant, and the call to the API with the token attached, but I can't find anything to do just that.
/!\: I know asking for something as vague as "How can I do that" isn't a good question, and this question isn't one. What I am asking is why I couldn't find some tools like Postman that implement OAuth and allow me to quickly test and debug an OAuth-protected API. What are the reasons that push MSDN to tell me to write a custom tool myself instead of providing a barebone one?
The code sample you mentioned in the post is using the Azure AD V2.0 endpoint. We can use OAuth 2.0 code grant and client credentials flows to acquire the token from this endpoint.
To compose the OAuth 2.0 request directly you can refer to the links below:
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow
In addition, the access tokens issued by the v2.0 endpoint can be consumed only by Microsoft Services. Your apps shouldn't need to perform any validation or inspection of access tokens for any of the currently supported scenarios. You can treat access tokens as completely opaque. They are just strings that your app can pass to Microsoft in HTTP requests (refer here).
If you want to protect the custom web API with Azure AD, you can use the Azure AD v1.0 endpoint.
For getting a valid token to send to your API, you'll need to do an auth request to login.microsoftonline.com and get an access token (in the JWT format). Then you can send this token to your api in the http body: "Bearer ey...".
If you want a full sample with a client app that hits that API sample you tried:
Dashboard w/ all the samples for Azure AD Converged Apps
Simple Windows Desktop App
Angular SPA
Node Web API
