My MEAN stack application uses Azure AD for authentication. I am using the “passport-azure-ad” module for web API authentication. Based on the post & reply here, I understood that
If the user is already authenticated by the client (UI), then for every API call the client will also send the token to the server, and on the server we can use the bearer strategy to “authorize” the user’s access to the API.
Now, in my scenario, I just want to make sure the user is authenticated and, if so, allow access to the API.
Question
1. When the server executes the method "passport.authenticate('oauth-bearer')", will passport-azure-ad automatically parse & validate the token received from the client, or do I need to take any additional steps?
2. What happens when it is not able to validate the token, or if the token is bad or spoofed?
Here is my complete code
AzureAuthenticationService.js
"use strict";
const passport = require('passport');
const OIDCBearerStrategy = require('passport-azure-ad').BearerStrategy;

// Bearer strategy configuration. The strategy fetches the tenant's signing
// keys from the OpenID Connect metadata document below and uses them to
// verify the token presented on each request.
const options = {
  // Tenant-specific metadata endpoint ('tenantid' stands for the real tenant id).
  identityMetadata: 'https://login.microsoftonline.com/tenantid/.well-known/openid-configuration',
  // Check the token's issuer claim (presumably against the issuer published
  // in the metadata document).
  validateIssuer: true,
  // Verify callback receives (token, done) rather than (req, token, done).
  passReqToCallback: false,
  loggingLevel: 'error'
  // NOTE(review): no audience/clientID option is set here; confirm for the
  // installed passport-azure-ad version whether the token's `aud` claim is
  // checked, otherwise a token issued for a different application would be
  // accepted by this API.
};
/**
 * Wires passport and the Azure AD bearer strategy into an express app.
 *
 * The strategy validates the bearer token (signature against the metadata
 * keys, expiry, issuer) before it invokes the verify callback below, so the
 * callback only has to decide what becomes `req.user`.
 *
 * @param {object} app - express application to install the middleware on
 */
function configure(app) {
  app.use(passport.initialize());
  // NOTE(review): passport.session() only has an effect when a session
  // middleware is installed ahead of it, and none appears in this file.
  app.use(passport.session());

  // Runs only for a token the strategy has already validated; `token` holds
  // the decoded claims. The user name becomes req.user and the full token is
  // handed through as the `info` argument of authenticate().
  // NOTE(review): `unique_name` is a human-readable claim; if it is used to
  // key per-user data, confirm it is stable for this tenant.
  const verify = function (token, done) {
    return done(null, token.unique_name, token);
  };
  passport.use(new OIDCBearerStrategy(options, verify));

  // Session (de)serialization stores the user value as-is. Only relevant
  // when login sessions are actually in use.
  passport.serializeUser(function (user, done) {
    done(null, user);
  });
  passport.deserializeUser(function (id, done) {
    done(null, id);
  });
}
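/**
 * Express middleware that authenticates the request with the bearer strategy.
 *
 * The strategy extracts the bearer token from the request and validates it
 * against the keys from the identityMetadata endpoint; nothing further has to
 * be parsed here. On success `req.user` is set and `next()` is called. When
 * validation fails (expired, bad signature, invalid issuer) the strategy
 * reports `done(null, false, message)` and passport's default failure handling
 * ends the request with 401, so the protected route handler never runs.
 *
 * `session: false` is passed because every API request carries its own token;
 * there is nothing to persist into a login session, and without it passport
 * would attempt to serialize the user into a session on each call.
 *
 * @param {object} req - express request
 * @param {object} res - express response
 * @param {Function} next - next middleware in the chain
 */
function authenticate(req, res, next) {
  passport.authenticate('oauth-bearer', { session: false })(req, res, next);
}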
server.js
'UserService' below is what I use to get users from the database, and I want to protect that API call.
"use strict";
const authentication = require('./AzureAuthenticationService');
const userService = require('./UserService');

// Create the express app and expose it on the module for other code to reuse.
const express = require('express');
const app = express();
exports.app = app;

// Install passport and the Azure AD bearer strategy on the app.
authentication.configure(app);

// Routes. `authentication.authenticate` runs before the handler, so
// userService.getUsers only executes for requests carrying a valid token.
app.get('/api/users', authentication.authenticate, userService.getUsers);
I'm the maintainer for passport-azure-ad. To answer your question: yes, it will validate the token for you. It does this using the call to jwtVerify in the code; you can see where this starts here. It will verify the token's signature using the keys found at the metadata endpoint that is in your configuration.
If the validation is unsuccessful, you will get an error from the code, as you'll see above and as referenced here:
jwt.verify(token, PEMkey, options, function(err, token) {
if (err) {
if (err instanceof jwt.TokenExpiredError) {
log.warn("Access token expired");
done(null, false, 'The access token expired');
} else if (err instanceof jwt.JsonWebTokenError) {
log.warn("An error was received validating the token", err.message);
done(null, false, util.format('Invalid token (%s)', err.message));
} else {
done(err, false);
}
Let me know if this helps and, if so, mark the question as answered. Thanks!