
Grant access to a specific group in Azure AD for an application is not working

I'm trying to create an Angular website; I'm using MSAL for authentication and passport-azure-ad in Node.js. While registering the Angular app in Azure AD, I created a group containing only one user and added this group to the registered Angular application in order to grant access to this group only, but everyone in the same tenant can log in and access even the protected routes.

Here is my Node.js code; I think this code is enough to validate the token sent from Angular:

// authRouter.js
// Express router that fronts the QnA language controller. Every route it
// registers sits behind the passport bearer strategy configured further
// down in this file.
const express = require('express');
const router = express.Router();

// Declared but never read anywhere in this router; kept so the module's
// surface stays the same.
const tokenValidationCache = new Map();
const azureConfig = require('../azure.conf.json');
const passport = require('passport');
const { BearerStrategy } = require('passport-azure-ad');

const languageController = require('../controllers/qnalanguage.controller');

// BearerStrategy options, assembled from azure.conf.json.
//
// NOTE(review): `issuer` is null and `validateIssuer` comes straight from the
// config file (it is `false` in the azure.conf.json shown alongside this
// router), so the strategy does not check the token's `iss` claim. Restricting
// callers to one tenant or one group therefore has to be done elsewhere
// (the verify callback, route handlers, or the app's assignment settings in
// Azure AD) — none of these options do it.
const options = (() => {
    const { metadata, credentials, settings, resource } = azureConfig;
    const identityMetadata =
        `https://${metadata.authority}/${credentials.tenantID}/${metadata.version}/${metadata.discovery}`;

    return {
        identityMetadata,
        issuer: null,
        validateIssuer: settings.validateIssuer,
        clientID: credentials.clientID,
        audience: credentials.audience,
        passReqToCallback: settings.passReqToCallback,
        loggingLevel: settings.loggingLevel,
        scope: resource.scope,
        // PII is allowed into the strategy's log output at the configured level.
        loggingNoPII: false,
        // Tolerated clock drift (seconds) when checking token lifetime claims.
        clockSkew: 300,
    };
})();

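/**
 * Verify callback for the bearer strategy.
 *
 * By the time this runs, passport-azure-ad has already validated the token
 * (signature, audience, lifetime, per `options`), so this callback only
 * decides what to expose as `req.user` and `req.authInfo`. It performs no
 * authorization of its own: every token that passes validation is accepted.
 * The original read the `roles` claim into a local and then discarded it;
 * it is now forwarded on the user object so route handlers can enforce a
 * role/group check if they need one.
 *
 * @param {object} token - decoded and validated access-token claims
 * @param {Function} done - passport verify callback `(err, user, info)`
 * @returns {void}
 */
function verifyBearerToken(token, done) {
    // `roles` is only expected to be present when app roles are assigned in
    // Azure AD (assumption — confirm against a token actually issued).
    const roles = token.roles || [];
    const user = { roles };
    // The full claim set is passed as `info`, which passport stores on
    // `req.authInfo` (read by the middleware below).
    return done(null, user, token);
}

const bearerStrategy = new BearerStrategy(options, verifyBearerToken);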

// Register the strategy and gate every route on this router behind it: the
// authenticate() middleware is installed before any handler, so all routes
// that follow require a token the strategy accepts.
passport.use(bearerStrategy);
router.use(passport.initialize());
router.use(
    passport.authenticate('oauth-bearer', { session: false }),
    (req, res, next) => {
        // Expose the validated claims (the `info` argument of the verify
        // callback) to later middleware and views.
        res.locals.authInfo = req.authInfo;
        return next();
    }
);

// Route table, registered in the same order as before.
const routes = [
    ['get', '/source', languageController.getQnAHtml],
    ['post', '/knowledgebase', languageController.chatbotqaAdd],
    ['delete', '/knowledgebase/:id', languageController.chatbotqaDelete],
    ['post', '/knowledgebase/deploy', languageController.chatbotqaUpdateSource],
    ['post', '/init', languageController.initMongoDbQNA],
    ['put', '/knowledgebase', languageController.chatbotqaUpdate],
    ['get', '/knowledgebase', languageController.getQNA],
];
for (const [method, path, handler] of routes) {
    router[method](path, handler);
}

// Smoke-test endpoint: only reachable with an accepted bearer token.
router.get('/protected', (req, res) => {
    res.send({ 'res': 'Hello! This resource is protected.' });
});

module.exports = router;

And here is the function that fetches the posts from my Node.js server:

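/**
 * Load the knowledge-base entries from the API and store them in `this.posts`.
 *
 * The original built an `HttpHeaders` object carrying an empty `authorization`
 * header and never attached it to the request; that dead code is removed. The
 * bearer token is expected to be added by the MSAL interceptor, which only
 * acts on request URLs matching the protected-resource map — if `this.baseurl`
 * does not match an entry there, the request leaves with no Authorization
 * header at all (assumption — verify against the interceptor config).
 *
 * @returns void
 */
fetchPosts() {
    this.http.get(`${this.baseurl}/api/v1/auth/knowledgebase`)
        .subscribe((posts: any) => {
            console.log(posts);
            this.posts = posts;
        });
}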
/**
 * Build the MSAL interceptor configuration: which outgoing request URLs get
 * an access token attached, and which scopes are requested for each.
 *
 * NOTE(review): both entries request the same `environment.apiConfig.scopes`;
 * the Graph `/me` endpoint and the local API would normally need different
 * scopes — confirm this is intended. The local API entry is plain `http://`
 * on `www.localhost:8000`; requests whose URL does not match that pattern are
 * sent without a token.
 *
 * @returns {MsalInterceptorConfiguration} redirect-based interceptor config
 */
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  // Fresh copy per resource so the map entries never share one array.
  const apiScopes = () => [...environment.apiConfig.scopes];

  const protectedResourceMap = new Map<string, Array<string>>([
    ['https://graph.microsoft.com/v1.0/me', apiScopes()],
    ['http://www.localhost:8000/*', apiScopes()],
  ]);

  return {
    interactionType: InteractionType.Redirect,
    protectedResourceMap,
  };
}

Here is my Node config.json:


    {
    "credentials": {
      "tenantID": "tenantid",
      "clientID": "client id",
      "audience": "api://audience"
    },
    "resource": {
      "scope": ["general"]
    },
    "metadata": {
      "authority": "sts.windows.net",
      "discovery": ".well-known/openid-configuration",
      "version": "v2.0"
    },
    "settings": {
      "validateIssuer": false,
      "passReqToCallback": false,
      "loggingLevel": "info"
    }
  }

Here is the group that I assigned to the Angular app:

What I want to do is restrict access to my app to that group only. I already followed this tutorial, but it didn't work for me.

https://fluentjs.medium.com/angular-spa-and-node-js-api-with-azure-ad-for-authentication-in-2021-b2974666c2eb


Note that, to grant access to a specific group in Azure AD for an application, you need to enable the Assignment required option in the Enterprise application and add the group in the Users and groups tab.

Go to Enterprise application -> Properties -> Assignment required -> YES


Now add the group in the Users and groups tab:


Now only the users in the group will be able to access the application.
