Reputation: 60
I have a backend API written in the Node.js Express framework. I need to implement OAuth 2.0 (client_credentials grant type) with it. I came to know that the front-end (who is the caller of the API) is requesting https://login.microsoftonline.com/IDENTIFIER_STRING/oauth2/token with client_id and client_secret and getting the access token in response. After that the FE will send the request to my API with an Authorization header with that access token. Now my question is how can I validate that access token and grant access to the requester? Do I have to validate it offline as a JWT with the help of some public key and some Node.js library? Or do I have to do it online via sending the access token to some endpoint of the OAuth provider similar to the token endpoint?
Upvotes: 1
Views: 6334
Reputation: 26324
As the token consumer, validation is done offline, unless otherwise specified by the issuer.
You should use a JWT library, don't roll your own validation logic, it is not trivial to implement correctly.
Use MSAL for Azure AD v2 applications -
https://github.com/AzureAD/microsoft-authentication-library-for-js
https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/MSAL-basics
For v1, use the older ADAL -
https://github.com/AzureAD/azure-activedirectory-library-for-js
v1 vs v2 endpoint -
https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
Azure AD is OAuth 2.0 and OpenID Connect compliant. That really means you should be able to validate the JWT with third-party libraries as well.
Upvotes: 1