Viktor Vojnic

Reputation: 41

ADAL node js username password authentication

I am using the adal node js library 1.22, and trying to authenticate a user with username and password. I am getting an "unable to get local issuer certificate" error. The user is federated and the error happens on realm discovery.

// adal-node exports the AuthenticationContext constructor used below
var AuthenticationContext = require('adal-node').AuthenticationContext;

var context = new AuthenticationContext(authorityUrl);

// Resource owner password credentials flow: username/password sent directly to the authority
context.acquireTokenWithUsernamePassword(resource, sampleParameters.username, sampleParameters.password, sampleParameters.clientId, function(err, tokenResponse) {
  if (err) {
    console.log('well that didn\'t work: ' + err.stack);
  } else {
    console.log(tokenResponse);
  }
});

The error stack:

Stack:
Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)
{ Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }
Wed, 14 Jun 2017 08:44:17 GMT:079c7b70-6ae1-461c-b433-cc3fe0c22783 - TokenRequest: VERBOSE: getTokenFunc returned with err
well that didn't work: Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)

Can you please advise on what certificate I am missing and where to find it?

EDIT

After digging through the code, I found that commenting out the global agent.ca part of the code resolved this issue, and the library was able to perform a few steps after that, but it had a problem returning the token response from ADFS.

The log:

Wed, 14 Jun 2017 10:39:39 GMT:425e3117-a495-4f8e-8a12-e7e64dd0e37b - OAuth2Client: INFO: Get TokenServer returned this correlationId: 425e3117-a495-4f8e-8a12-e7e64dd0e37b
Wed, 14 Jun 2017 10:39:39 GMT:425e3117-a495-4f8e-8a12-e7e64dd0e37b - OAuth2Client: ERROR: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: aadf1560-18ec-46f9-83b6-5932c2131200\r\nCorrelation ID: 425e3117-a495-4f8e-8a12-e7e64dd0e37b\r\nTimestamp: 2017-06-14 10:39:41Z","error_codes":[70002],"timestamp":"2017-06-14 10:39:41Z","trace_id":"aadf1560-18ec-46f9-83b6-5932c2131200","correlation_id":"425e3117-a495-4f8e-8a12-e7e64dd0e37b"}

Is there any configuration that I forgot?

// Fallback parameters used when no parameters file is supplied
if (!parametersFile) {
  sampleParameters = {
    tenant : 'tenant.onmicrosoft.com',
    authorityHostUrl : 'https://login.microsoftonline.com',
    clientId : 'aa461028-1fgf-46e5-ab9b-5adca324febc',
    username : '[email protected]',
    password : 'lamepassword'
  };
}

// Authority = host + tenant, e.g. https://login.microsoftonline.com/tenant.onmicrosoft.com
var authorityUrl = sampleParameters.authorityHostUrl + '/' + sampleParameters.tenant;

// Resource being requested: the Azure AD Graph API application id
var resource = '00000002-0000-0000-c000-000000000000';

Upvotes: 3

Views: 1811

Answers (1)

Saca

Reputation: 10662

The resource owner flow is strongly discouraged, and in some cases like federated users or users that require MFA, will just not work. This flow is the one in which your application handles the user's username and password directly and sends those in the request to the identity provider. This approach won't work if there are any extra interactions required as part of authentication such as requiring a second factor or dealing with federation. For these reasons and simple security principles (removing the need for the application to deal with the username and password) it's better to avoid this flow.

Since you are dealing with federated users, the resource owner flow won't work for you, leaving you with the two preferred alternatives:

See the "Web Application to Web API" scenario in the "Azure AD Authentication Scenarios" documentation for more information about choosing between these two options.

Upvotes: 2
