ruciu

Reputation: 712

passport-azure-ad verify msal.js token with Bearer Strategy

I'm trying to integrate the msal.js library (https://github.com/AzureAD/microsoft-authentication-library-for-js) with the passport-azure-ad (https://github.com/AzureAD/passport-azure-ad) Bearer Strategy.

My configurations are as follows:

Msal.js

{
    authority: 'https://login.microsoftonline.com/<tennant>',
    clientID: '<clientId>',
    graphScopes: ['user.read', 'Group.Read.All'],
};

passport-azure-ad

const config = {
    identityMetadata: 'https://login.microsoftonline.com/<tennant>/v2.0/.well-known/openid-configuration',
    clientID: '<clientId>',
    validateIssuer: false,
    passReqToCallback: false,
    issuer: 'https://login.microsoftonline.com/<tennant>/v2.0',
    audience: '<clientId>',
    allowMultiAudiencesInToken: false,
    loggingLevel: 'info',
    loggingNoPII: false,
};

On the frontend I get through the login flow and acquire a token using

const token = await this.userAgentApplication.acquireTokenSilent(applicationConfig.graphScopes);

Then I make a request to an endpoint protected by the passport-azure-ad Bearer Strategy and get

authentication failed due to: In Strategy.prototype.jwtVerify: cannot verify token

I also added logging inside the library and it says:

Error: invalid signature

My decoded token looks as follows:

{ header:
   { typ: 'JWT',
     nonce:
      'AQABAAAAAACEfexXxjamQb3OeGQ4GugvOOGFjNwsJMp-y1sPJ254AB4C4gW4sb4kOObzC5BvMpBM-89S8Ri5UvHxPIjpp9ZW408ZgJKLzb2hRWXkib2b7yAA',
     alg: 'RS256',
     x5t: '-sxMJMLCIDWMTPvZyJ6tx-CDxw0',
     kid: '-sxMJMLCIDWMTPvZyJ6tx-CDxw0' },
  payload:
   { aud: 'https://graph.microsoft.com',
     iss:
      'https://sts.windows.net/<tennant>/',
     iat: 1551307920,
     nbf: 1551307920,
     exp: 1551311820,
     acct: 0,
     acr: '1',
     aio:
      'AVQAq/8KAAAANG+ugC3cVRBXWggnndtZk1eOw/7cZL5v0UopZHUGmDTborxAC+z02Y1OKRCrhT7M6YjUnziw5swFdEokTPT7GGWXIcazJpS+O/NQdQU3TqI=',
     amr: [ 'pwd', 'mfa' ],
     app_displayname: '<app_name>',
     appid: '<app_id>',
     appidacr: '0',
     family_name: 'Doe',
     given_name: 'John',
     ipaddr: '127.0.0.1',
     name: 'John, Doe',
     oid: '<user_id>',
     onprem_sid: 'S-1-5-21-3948687051-3486659006-1268634143-1873835',
     platf: '14',
     puid: '10030000AA097172',
     scp: 'Group.Read.All Mail.Send openid profile User.Read email',
     sub: 'Q_fJMajGxqk9S6ggyDN6IGunN_aIhsWhnvLPQIxlT5Q',
     tid: '<tennant>',
     unique_name: 'John Doe',
     upn: '[email protected]',
     uti: 'Cwf6-Fmm-EGXjPDh_iEHAA',
     ver: '1.0',
     xms_st: { sub: 'XTqgFukoz-mbW2mjPHiJoWqhRQZ_SKUIdHRaitfM3co' },
     xms_tcdt: 1386664440 },
  signature:
   'pg6MiFrvJ3oimdCrnWKsf_DEth7RULJpmMH0P3Z-DtK4CO2865TxrnCaGwnkpXrcgokxDgmk3d5cOi-Y5tAlxx87Yd_KcBITq_M3lQM8aUeXPire4bqYG8OKgkvpHRVgYumaMgaHlm1w7FZjSq4lnGn919VVucqe4rkyxvQlyxWLxG4lfUC2RD5ighhg0GeEwQkkl2Y5YManCn96b-8vTkXHE__VxHJXwBJpesDK2KtzCmuEcM8yg4zyvxuY_GDs2lGWdza-ELSMTXxce3RfzUaLAnNt3dMYkN-2wmROB5TuRMafY7D8FCEd-RmtxC1_-ASE-AEwafA9JxLl4j0Ikw' }

I tried to integrate with adal.js (https://github.com/AzureAD/azure-activedirectory-library-for-js) and succeeded, but I can't use the token it gives me to call the Graph API on behalf of the user (https://learn.microsoft.com/en-us/graph/auth-v2-user).

I also tried to use the client ID token which I get from localStorage

const idToken = localStorage.getItem(Constants.idTokenKey);

It works for a while, but this idToken isn't refreshed when I call getTokenSilent, so it stops working after some time.

I'm pretty much confused about what I should do now, so any help would be greatly appreciated!

Upvotes: 10

Views: 5869

Answers (4)

Adrian Zielonka

Reputation: 115

By default a newly created Azure AD application registration contains API permissions for the Microsoft Graph API in the form of the User.Read permission type. If you have no intention of calling Microsoft's Graph API, this permission needs to be removed; otherwise the issued access token will be a v1.0 token rather than the v2.0 token which passport-azure-ad expects.

You will also need to follow the steps outlined above by Gaurav Gupta: https://stackoverflow.com/a/60967402/6772215

Upvotes: 1

Mathias

Reputation: 605

Did anyone fix this in the end?

I had exactly the same error. For me it was a config issue, specifically at the client (MSAL) end, with the scopes. I was trying to communicate with a custom WebAPI and I was passing the wrong scopes. This solved my issue:

'Invalid Signature' error for Access Token (azure active directory / msal js)

Hopefully this helps someone.

Thanks

Upvotes: 1

Gaurav Gupta

Reputation: 903

I had a similar issue too and I got it working.

In my case I'm using both web (msal) and android (ionic - msadal) to generate the token and get it verified using node (passport). The major issue is that passport expects a v2 access token while you get a v1 token using msal/msadal.

You can rectify it by passing:

https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

in the authority URI (msal/msadal) and identityMetadata (passport)

and, setting:

"accessTokenAcceptedVersion": 2, instead of null, in azure portal > app registrations > your app > manifest.

Upvotes: 2
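As an added example (not the asker's code and not part of passport-azure-ad itself): a small Node.js check that takes the claims from the decoded token in the question and a corrected BearerStrategy config, and lists why the API must reject that token. It ties together the v2 / accessTokenAcceptedVersion point above and the scope point in Mathias's answer; the tenant and client ids are placeholders.

```javascript
// Added example (not from the question or any answer): a pre-flight check that
// explains why passport-azure-ad's BearerStrategy would reject the token from
// the question, using its claims. The tenant and client ids are placeholders.
const TENANT = '11111111-2222-3333-4444-555555555555';        // placeholder
const API_CLIENT_ID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'; // placeholder

// v2 settings for the resource API: its own client id as audience and a
// validated v2 issuer, so a token minted for Graph (or another tenant) fails.
const passportConfig = {
  identityMetadata: `https://login.microsoftonline.com/${TENANT}/v2.0/.well-known/openid-configuration`,
  clientID: API_CLIENT_ID,
  audience: API_CLIENT_ID,
  issuer: `https://login.microsoftonline.com/${TENANT}/v2.0`,
  validateIssuer: true,
  allowMultiAudiencesInToken: false,
};

// Claims from the question's decoded token that the check needs (values reduced).
const questionToken = {
  header: { typ: 'JWT', alg: 'RS256', nonce: '<opaque nonce>' },
  payload: { aud: 'https://graph.microsoft.com', iss: `https://sts.windows.net/${TENANT}/`, ver: '1.0' },
};

// Constructed: what a token requested with scope api://<API_CLIENT_ID>/<scope> looks like.
const apiToken = {
  header: { typ: 'JWT', alg: 'RS256' },
  payload: { aud: API_CLIENT_ID, iss: `https://login.microsoftonline.com/${TENANT}/v2.0`, ver: '2.0' },
};

// Returns the reasons the API must reject the token; an empty list means the
// claims are consistent with the config and only the signature is left to check.
function diagnoseToken(token, config) {
  const problems = [];
  const { header, payload } = token;
  if (header.nonce !== undefined) {
    // Graph access tokens carry a header nonce and are only meant to be validated by Graph.
    problems.push('header nonce: this access token was issued for Microsoft Graph, not for your API');
  }
  if (payload.ver !== '2.0') {
    problems.push(`ver=${payload.ver}: set accessTokenAcceptedVersion to 2 in the app manifest`);
  }
  if (payload.aud !== config.audience) {
    problems.push(`aud=${payload.aud}: request a scope of your own API so aud becomes ${config.audience}`);
  }
  if (payload.iss !== config.issuer) {
    problems.push(`iss=${payload.iss}: does not match configured issuer ${config.issuer}`);
  }
  return problems;
}
```

Run diagnoseToken(questionToken, passportConfig) to see all four mismatches for the token in the question; the same call on apiToken returns an empty list.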

MohitDhingra-MSFT

Reputation: 172

According to the above code snippet, you are using the issuer as v2.0:

config.issuer: 'https://login.microsoftonline.com/<tennant>/v2.0'

But in the JWT token you are getting iss: 'https://sts.windows.net/<tennant>/'. The config and JWT token issuers do not match, so the JWT token will not verify.

Also, the config.audience value is the client ID, but in the token you are getting aud: 'https://graph.microsoft.com'.

So can you change these two things, the issuer to https://sts.windows.net/<tennant>/ and the audience value to https://graph.microsoft.com, in the config and check whether you are getting a response or not?

Upvotes: 0
