panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Add Parameters to get access_token (authorizationCallback) #141

Closed aryascripts closed 5 years ago

aryascripts commented 5 years ago

Hi,

I am currently using this library for authenticating with Azure Active Directory, to authenticate with permissions to a protected resource. I am currently able to get access_token from Microsoft Azure, but unable to add more parameters to the request to get access tokens.

On Azure's documentation for using Open ID, here is the URL needed to get access tokens: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#token-acquisition

// Line breaks for legibility only

GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e        // Your registered Application Id
&response_type=id_token+code
&redirect_uri=http%3A%2F%2Flocalhost%3a12345          // Your registered Redirect Uri, url encoded
&response_mode=form_post                              // `form_post' or 'fragment'
&scope=openid
&resource=https%3A%2F%2Fservice.contoso.com%2F        // The identifier of the protected resource (web API) that your application needs access to
&state=12345                                          // Any value, provided by your app
&nonce=678910                                         // Any value, provided by your app

One of these parameters is "resource=".

What is the best way to add this resource parameter into the authorizationCallback method? I have tried adding it to the query without any luck, and tried going through the library code as well.

Here is my method for getAccessToken:

  public getAccessToken(req, res, next) {
    if (req.cookies.authstate !== req.query.state) {
      res.send('error: state does not match');
      return;
    }

    const checks = {
      state: req.query.state,
      response_type: 'code',
      nonce: req.cookies.authnonce
    };
    const query = {
      ...req.query,
      resource: config.azureResource        // <--- tried this
    };

    this.client.authorizationCallback(config.azureRedirectUri, query, checks)
      .then((tokenSet) => {
        req.session.authInfo = {tokenSet: tokenSet};
        next();
      })
      .catch(e => {
        console.log(e);
      });
  }
aryascripts commented 5 years ago

The resource needed to be in the authorizationUrl, not in the authorizationCallback. Made the issue too soon. Closing..

panva commented 5 years ago

Glad you figured it out.

On a sidenote, looking at your code. Are you passing state from the query to checks? You should pass one you keep track of, similar to what you do with nonce.

aryascripts commented 5 years ago

> Glad you figured it out.
>
> On a sidenote, looking at your code. Are you passing state from the query to checks? You should pass one you keep track of, similar to what you do with nonce.

That's a good point! I fixed that as well as storing the state/nonce in the server's session side instead of client cookies.