ADAL: Where do I view the resource ID's? - azure

I'm new to using adal-node npm package.
In the example it mentions:
var resource = '00000002-0000-0000-c000-000000000000';
Where is this ID from? From my use-case, I just want to batch update users in my AD.

A resource is a service/app/api for which you ask an Identity provider like Azure AD to issue tokens for. You can also you the AppId (client Id) as a resource as well
'00000002-0000-0000-c000-000000000000' is the client Id of Azure AD Graph API (https://graph.windows.net/ ). This Api is being deprecated in favor of Microsoft Graph "https://graph.microsoft.com", which is the resource you should use.

The value of the resource is a URI that identifies the resource for which the token is valid.
If you want to use Microsoft Graph API to update your users in your AD, you should use https://graph.microsoft.com for the resource.
You can refer to this sample. You will get the graph client to update the users.
const AuthenticationContext = require('adal-node').AuthenticationContext;
const MicrosoftGraph = require("#microsoft/microsoft-graph-client");
const authorityHostUrl = 'https://login.windows.net';
const tenantName = ''; //azure active directory tenant name. ie: name.onmicrosoft.com
const authorityUrl = authorityHostUrl + '/' + tenantName;
const applicationId = ''; //application id for registered app
const clientSecret = ''; //azure active directory registered app secret
const resource = "https://graph.microsoft.com"; //URI of resource where token is valid
const context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCredentials(
resource,
applicationId,
clientSecret,
function(err, tokenResponse) {
if (err) {
console.log('well that didn\'t work: ' + err.stack);
} else {
let client = MicrosoftGraph.Client.init({
defaultVersion: 'v1.0',
authProvider: (done) => {
done(null, tokenResponse.accessToken);
},
});
client
.api('/users')
.get((err, result) => {
console.log(result, err);
});
}
});

Related

Why is Azure KeyVault getSecret returning Promise <pending>?

I followed the Microsoft tutorial on this link: https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-node but I want to have them as separate functions instead of putting them into one main function.
This is what I have, setSecret works fine but getSecret is returning Promise ?
Both getSecret and setSecret return a Promise because they are asynchronous methods that need to make an HTTP request to the Key Vault service.
If you were to try the following:
const secretPromise = client.setSecret(secretName, secretValue);
You'll notice that secretPromise is a Promise<KeyVaultSecret> as per the API documentation
This allows you to wait for the secret to be set and get back the newly set secret:
const secret = await client.setSecret(secretName, secretValue);
Be mindful that by not waiting for the setSecret call to succeed you will be unable to:
Get the newly created secret (unless you get lucky with timing)
Be notified and handle any errors if setSecret fails (you can verify this by creating the secret client with an invalid Key Vault URL and running both functions - azureSetSecret will claim success but azureGetSecret will throw an error)
I'm not sure if you are trying to find a way which allows you to obtain key vault secrets in nodejs. As the quick start sample you mentioned above, microsoft provides a async method await client.getSecret(secretName) for nodejs.
Here I'd like to recommend you using rest api to access key vault secret. When calling the api, you need to generate an access token as the request header, you can refer to this sample or take a look at my test project below.
calling api:
const axios = require('axios');
const auth = require('./credenticalflow');
let vaultName = 'key vault name';
let keyName = 'key name';
let accesstoken = '';
let secret = '';
init();
async function init(){
const authResponse = await auth.getToken(auth.tokenRequest);
accesstoken = authResponse.accessToken;
getsecret(vaultName,keyName,accesstoken);
console.log("22222222:"+secret);
}
function getsecret(vaultName,keyName,token){
console.log('the token is :'+ token);
axios.get('https://'+vaultName+'.vault.azure.net/secrets/'+keyName+'/7d4b682f5c9a41578602aa5b86611aa7?api-version=7.1',{
headers: {
'Authorization': 'Bearer '+token
}
})
.then(function (response) {
// handle success
secret = response.data.value;
console.log("1111111:"+secret);
})
.catch(function (error) {
// handle error
console.log('error');
});
}
generate access token:
const msal = require('#azure/msal-node');
const msalConfig = {
auth: {
clientId: 'azure ad app cilent id',
authority: 'https://login.microsoftonline.com/<your tenant name such as xx.onmicrosoft.com>',
clientSecret: 'client secret for the azure ad app',
}
};
const tokenRequest = {
scopes: ['https://vault.azure.net/.default'],
};
const cca = new msal.ConfidentialClientApplication(msalConfig);
async function getToken(tokenRequest) {
return await cca.acquireTokenByClientCredential(tokenRequest);
}
module.exports = {
tokenRequest: tokenRequest,
getToken: getToken
};

Invalid token generating from service-principal and secret based login method

Configured service principal and trying to use the token received from the method to hit customer insights API.
https://api.ci.ai.dynamics.com/v1/instances/{instanceId}/profilestore/stateinfo
Above API requires bearer token as header for authorization.
Token receiving from auth response is invalid and not accepting by Customer Insights API.
msRestNodeAuth.loginWithServicePrincipalSecretWithAuthResponse(clientId, secret,
tenantId).then((authres) => {
console.dir(authres, { depth: null })
}).catch((err) => {
console.log(err);
});
Also, tried the another method of getting access token using this endpoint
Still the token we are receiving are not getting accepted by customer insights.
'https://login.microsoftonline.com/'tenantid'/oauth2/v2.0/token';
Try to follow this article: https://learn.microsoft.com/en-us/dynamics365/customer-insights/audience-insights/apis
If you request the token with client credentials flow, it's need to add the application permission.
You could test in Postman using the scope(resource) https://azurecustomerinsights.com/.
POST https://login.windows.net/{tenant-id}/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id={}
&resource=https://azurecustomerinsights.com/
&client_secret={}
&grant_type=client_credentials
Server to Server via Client Credentials, see here:
var adal = require('adal-node').AuthenticationContext;
var authorityHostUrl = 'https://login.windows.net';
var tenant = 'myTenant';
var authorityUrl = authorityHostUrl + '/' + tenant;
var clientId = 'yourClientIdHere';
var clientSecret = 'yourAADIssuedClientSecretHere'
var resource = 'https://azurecustomerinsights.com/';
var context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCredentials(resource, clientId, clientSecret, function(err, tokenResponse) {
if (err) {
console.log('well that didn\'t work: ' + err.stack);
} else {
console.log(tokenResponse);
}
});

How to generate Authorization Bearer token using client ID , tenant Id, Client secret of azure AD using NodeJs for calling REST API?

I am able to generate the token in Postman: using the following details.
tenant_id: 09872XXXXXXXXXXXXXXXXXX
grant_type: client_credentials
client_id: d7b7e-ighewiojwoei9-868767
client_secret:adat-XXXXXX-diupi825tfsq38XXXXX
resource: https://management.azure.com/
Want to achieve the same using NodeJs?
What you are using is the Azure AD client credential flow v1.0, to do this in node.js, you could use the ADAL for Node.js, change the resource to https://management.azure.com/, the applicationId is the client_id you used.
var AuthenticationContext = require('adal-node').AuthenticationContext;
var authorityHostUrl = 'https://login.windows.net';
var tenant = 'myTenant.onmicrosoft.com'; // AAD Tenant name.
var authorityUrl = authorityHostUrl + '/' + tenant;
var applicationId = 'yourApplicationIdHere'; // Application Id of app registered under AAD.
var clientSecret = 'yourAADIssuedClientSecretHere'; // Secret generated for app. Read this environment variable.
var resource = 'https://management.azure.com/'; // URI that identifies the resource for which the token is valid.
var context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCredentials(resource, applicationId, clientSecret, function(err, tokenResponse) {
if (err) {
console.log('well that didn\'t work: ' + err.stack);
} else {
console.log(tokenResponse);
}
});

How to call Azure Client from Node via https request?

I have VM up and running in Azure. I wanted to call Azure VM from Node. I am totally unware about the get API for Azure. So how can this be achieved?
I have tenantID, ClientID, Client Secret and subscription id.
Also is there any thing unique I can get from running VM which will be same if I create another VM on Azure?
Try this considering you have the values in to access vault in environment variable to get secrets from azure vault:
var _ = require('lodash'),
msRestAzure = require('ms-rest-azure'),
KeyVault = require('azure-keyvault'),
AuthenticationContext = require('adal-node').AuthenticationContext,//Utility function to get key vault client
function getKeyVaultClient() {
// service principal details to access the vault
var clientId = process.env['CLIENT_ID']; // service principal
var domain = process.env['DOMAIN']; // tenant id
var secret = process.env['APPLICATION_SECRET'];
return new Promise(function (resolve, reject) {
msRestAzure.loginWithServicePrincipalSecret(clientId, secret, domain, function (err) {
if (err) {
return reject(err);
}
// authenticate with key vault with a service principal
var kvCredentials = new KeyVault.KeyVaultCredentials(authenticator);
keyVaultClient = new KeyVault.KeyVaultClient(kvCredentials);
return resolve(keyVaultClient);
});
})
}
function authenticator(challenge, callback) {
// service principal details to access the vault
var clientId = process.env['CLIENT_ID']; // service principal
var secret = process.env['APPLICATION_SECRET'];
// Create a new authentication context.
var context = new AuthenticationContext(challenge.authorization);
// Use the context to acquire an authentication token.
return context.acquireTokenWithClientCredentials(challenge.resource, clientId, secret, function (err, tokenResponse) {
if (err) {
return callback(err);
}
// Calculate the value to be set in the request's Authorization header and resume the call.
var authorizationValue = tokenResponse.tokenType + ' ' + tokenResponse.accessToken;
return callback(null, authorizationValue);
});
}
var vaultUri = 'https://' + process.env['VAULT_NAME'] + '.vault.azure.net/secrets/' + key;
getKeyVaultClient().then(function (vaultClient) {
vaultClient.getSecret(vaultUri,
function (err, result) {
if (err) {
return reject(err);
} else {
return resolve(result.value);
}
});
}).catch(function (err) {
reject(err);
})
You can have a look at the official documentation and examples on how to access keys and secrets using the Rest API's exposed by azure.

Sign in to Nodejs web app, using Azure AD

I'm trying to figure out how you can authenticate users using Azure AD. In order to experiment, I tried the example from Microsoft, found at https://github.com/Azure-Samples/active-directory-node-webapp-openidconnect.
I've set up an Active Directory in Azure, and added a new application called test with add id uri: http://testmagnhalv.
Now, when I run the server, following the instructions in the readme, I get redirected to login.microsoftonline.com and promted to log in. But when I provide username/pw, I get redirected back to the login page again.
I suspect the problem is that I don't set the variables in the config.json correctly, but I'm having a hard time finding documentation for what values need to be set.
Anyone got any experience with this example?
At first you must to add your app to active directory then use ADAL (Active Directory Authentication Library) for nodeJS
npm install adal-node
prepare your app for authentication referencing azure AD App registration values.
var AuthenticationContext = require('adal-node').AuthenticationContext;
var clientId = 'yourClientIdHere';
var clientSecret = 'yourAADIssuedClientSecretHere'
var redirectUri = 'yourRedirectUriHere';
var authorityHostUrl = 'https://login.windows.net';
var tenant = 'myTenant';
var authorityUrl = authorityHostUrl + '/' + tenant;
var redirectUri = 'http://localhost:3000/getAToken';
var resource = '00000002-0000-0000-c000-000000000000';
var templateAuthzUrl = 'https://login.windows.net/' +
tenant +
'/oauth2/authorize?response_type=code&client_id=' +
clientId +
'&redirect_uri=' +
redirectUri + '
&state=<state>&resource=' +
resource;
Now you need to get authorized with the token.
function createAuthorizationUrl(state) {
return templateAuthzUrl.replace('<state>', state);
}
// Clients get redirected here in order to create an OAuth authorize url and redirect them to AAD.
// There they will authenticate and give their consent to allow this app access to
// some resource they own.
app.get('/auth', function(req, res) {
crypto.randomBytes(48, function(ex, buf) {
var token = buf.toString('base64').replace(/\//g,'_').replace(/\+/g,'-');
res.cookie('authstate', token);
var authorizationUrl = createAuthorizationUrl(token);
res.redirect(authorizationUrl);
});
});
And finally handle the auth redirection
// After consent is granted AAD redirects here. The ADAL library is invoked via the
// AuthenticationContext and retrieves an access token that can be used to access the
// user owned resource.
app.get('/getAToken', function(req, res) {
if (req.cookies.authstate !== req.query.state) {
res.send('error: state does not match');
}
var authenticationContext = new AuthenticationContext(authorityUrl);
authenticationContext.acquireTokenWithAuthorizationCode(
req.query.code,
redirectUri,
resource,
clientId,
clientSecret,
function(err, response) {
var errorMessage = '';
if (err) {
errorMessage = 'error: ' + err.message + '\n';
}
errorMessage += 'response: ' + JSON.stringify(response);
res.send(errorMessage);
}
);
});
You can find the full example, and more here in ADAL for nodeJS repository:
Windows Azure Active Directory Authentication Library (ADAL) for Node.js
This is a simple but full demo taken from GitHub ADAL repository
website-sample.js
'use strict';
var express = require('express');
var logger = require('connect-logger');
var cookieParser = require('cookie-parser');
var session = require('cookie-session');
var fs = require('fs');
var crypto = require('crypto');
var AuthenticationContext = require('adal-node').AuthenticationContext;
var app = express();
app.use(logger());
app.use(cookieParser('a deep secret'));
app.use(session({secret: '1234567890QWERTY'}));
app.get('/', function(req, res) {
res.redirect('login');
});
/*
* You can override the default account information by providing a JSON file
* with the same parameters as the sampleParameters variable below. Either
* through a command line argument, 'node sample.js parameters.json', or
* specifying in an environment variable.
* {
* "tenant" : "rrandallaad1.onmicrosoft.com",
* "authorityHostUrl" : "https://login.windows.net",
* "clientId" : "624ac9bd-4c1c-4686-aec8-e56a8991cfb3",
* "clientSecret" : "verySecret="
* }
*/
var parametersFile = process.argv[2] || process.env['ADAL_SAMPLE_PARAMETERS_FILE'];
var sampleParameters;
if (parametersFile) {
var jsonFile = fs.readFileSync(parametersFile);
if (jsonFile) {
sampleParameters = JSON.parse(jsonFile);
} else {
console.log('File not found, falling back to defaults: ' + parametersFile);
}
}
if (!parametersFile) {
sampleParameters = {
tenant : 'rrandallaad1.onmicrosoft.com',
authorityHostUrl : 'https://login.windows.net',
clientId : '624ac9bd-4c1c-4686-aec8-b56a8991cfb3',
username : 'frizzo#naturalcauses.com',
password : ''
};
}
var authorityUrl = sampleParameters.authorityHostUrl + '/' + sampleParameters.tenant;
var redirectUri = 'http://localhost:3000/getAToken';
var resource = '00000002-0000-0000-c000-000000000000';
var templateAuthzUrl = 'https://login.windows.net/' + sampleParameters.tenant + '/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&state=<state>&resource=<resource>';
app.get('/', function(req, res) {
res.redirect('/login');
});
app.get('/login', function(req, res) {
console.log(req.cookies);
res.cookie('acookie', 'this is a cookie');
res.send('\
<head>\
<title>FooBar</title>\
</head>\
<body>\
Login\
</body>\
');
});
function createAuthorizationUrl(state) {
var authorizationUrl = templateAuthzUrl.replace('<client_id>', sampleParameters.clientId);
authorizationUrl = authorizationUrl.replace('<redirect_uri>',redirectUri);
authorizationUrl = authorizationUrl.replace('<state>', state);
authorizationUrl = authorizationUrl.replace('<resource>', resource);
return authorizationUrl;
}
// Clients get redirected here in order to create an OAuth authorize url and redirect them to AAD.
// There they will authenticate and give their consent to allow this app access to
// some resource they own.
app.get('/auth', function(req, res) {
crypto.randomBytes(48, function(ex, buf) {
var token = buf.toString('base64').replace(/\//g,'_').replace(/\+/g,'-');
res.cookie('authstate', token);
var authorizationUrl = createAuthorizationUrl(token);
res.redirect(authorizationUrl);
});
});
// After consent is granted AAD redirects here. The ADAL library is invoked via the
// AuthenticationContext and retrieves an access token that can be used to access the
// user owned resource.
app.get('/getAToken', function(req, res) {
if (req.cookies.authstate !== req.query.state) {
res.send('error: state does not match');
}
var authenticationContext = new AuthenticationContext(authorityUrl);
authenticationContext.acquireTokenWithAuthorizationCode(req.query.code, redirectUri, resource, sampleParameters.clientId, sampleParameters.clientSecret, function(err, response) {
var message = '';
if (err) {
message = 'error: ' + err.message + '\n';
}
message += 'response: ' + JSON.stringify(response);
if (err) {
res.send(message);
return;
}
// Later, if the access token is expired it can be refreshed.
authenticationContext.acquireTokenWithRefreshToken(response.refreshToken, sampleParameters.clientId, sampleParameters.clientSecret, resource, function(refreshErr, refreshResponse) {
if (refreshErr) {
message += 'refreshError: ' + refreshErr.message + '\n';
}
message += 'refreshResponse: ' + JSON.stringify(refreshResponse);
res.send(message);
});
});
});
app.listen(3000);
console.log('listening on 3000');
https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/website-sample.js
As I known, I suggest you can follow the two documents below as references to get start.
Web App Sign In & Sign Out with Azure AD https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-openidconnect-nodejs/
Integrating Azure AD into a NodeJS web application https://azure.microsoft.com/en-us/documentation/samples/active-directory-node-webapp-openidconnect/
For developing easier, you can try to use the node package passport-azure-ad(https://github.com/AzureAD/passport-azure-ad) that is the one strategy of passport (http://passportjs.org/) for NodeJS to implement your needs.
I had similar problem and able to resolve it. After googling i made two changes in config.js.
issuer value set to false.
responseMode value changed from query to form_post.
config.js :
exports.creds = {
issuer : false,
realm : "<TENANT>",
returnURL: 'http://localhost:3000/auth/openid/return',
identityMetadata: 'https://login.microsoftonline.com/common/.well-known/openid-configuration', // For using Microsoft you should never need to change this.
clientID: '<CLIENT_ID>',
clientSecret: '<CLIENT_SECRET>', // if you are doing code or id_token code
skipUserProfile: true, // for AzureAD should be set to true.
responseType: 'id_token code', // for login only flows use id_token. For accessing resources use `id_token code`
responseMode: 'form_post', // For login only flows we should have token passed back to us in a POST
};

Resources