AzureAD / passport-azure-ad

The code for Passport Azure AD has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/passport-azure-ad

Protect routes using azuread-openidconnect strategy #497

Closed AnvarNazar closed 3 years ago

AnvarNazar commented 4 years ago

I am trying to protect API routes using the azuread-openidconnect strategy. I have an Outlook add-in frontend on Angular. It authenticates the users and I receive an accessToken. I am trying to protect the routes in the API like below. I am sending the accessToken to this route using the HTTP header Authorization: Bearer + accessToken. But it doesn't work and always redirects me to /auth for login.

app.post('/test', passport.authenticate('azuread-openidconnect', { session: true, failureRedirect: '/auth' }), (request, response, next) => {
    response.status(200)
        .json({
            message: 'SUCCESS',
        });
});

Or do I require the bearer strategy for this? If so, how can I get the bearer token after the login? I am only receiving the accessToken after authenticating the user.

georgejdli commented 4 years ago

I'm trying to figure out the same thing.

From what I can tell the OIDCStrategy relies on using sessions to protect API routes

I'm trying a session free approach similar to yours. If you use "responseType: 'code id_token'" for the OIDCStrategy config and enable the implicit ID Token option in your Azure App Registration you should get an authorization bearer token back.

Then I'm assuming you need to use the BearerStrategy to protect your API routes after the user logs in.

Edit: Nvm, I just tried this. Using the access token I got from the OIDCStrategy flow I tried to validate that with the BearerStrategy and got a JWT verify error: "invalid signature"

Update: So I think I got this working. When you request the access token you need to specify a custom scope from your App Registration to force Azure AD to give you a token with the right "aud" claim (in my case it was my AppReg ID): <app reg id>/<your custom scope name>. For the frontend I'm using msal-browser (which is currently in beta). Then that token should pass the BearerStrategy JWT verify function.

pkanher617 commented 3 years ago

Appears to be resolved. We are currently in the design phase of a new version of this library, which can be tracked here. The timeline for the new library will be uploaded to our MSAL JS repo. Please open any new issues in this repository.