how to correctly validate issuer in nodejs using passport-azure-ad?

Question

in my nodejs api im trying to validate azure token i get it from angular app using MSAL library ,when i set validateIssuer to true i get this error "authentication failed due to: jwt issuer is invalid" , and in my application i get unauthorized , but i get authorized when i set validateIssuer to false. here is my nodejs configuration and code

// authRouter.js
var express = require('express');
var router = express.Router();

var tokenValidationCache = new Map();
const azureConfig=require('../azure.conf.json')
const passport = require('passport');
const BearerStrategy = require('passport-azure-ad').BearerStrategy;



var languageController = require('../controllers/qnalanguage.controller');


const options = {

    identityMetadata: `https://${azureConfig.metadata.authority}/${azureConfig.credentials.tenantID}/${azureConfig.metadata.version}/${azureConfig.metadata.discovery}`,
    issuer: null,
    validateIssuer: azureConfig.settings.validateIssuer,
    clientID: azureConfig.credentials.clientID,
    audience: azureConfig.credentials.audience,
    passReqToCallback: azureConfig.settings.passReqToCallback,
    loggingLevel: azureConfig.settings.loggingLevel,
    scope: azureConfig.resource.scope,
    loggingNoPII: false,
    clockSkew: 300
};

const bearerStrategy = new BearerStrategy(options, (token, done) => {
    const roles = token.roles || [];
    const user = {};
    return done(null, user, token);
});

passport.use(bearerStrategy);
router.use(passport.initialize());
router.use(passport.authenticate('oauth-bearer', { session: false }), (req, res, next) => {
    res.locals.authInfo = req.authInfo;
    return next();
});
router.get('/source', languageController.getQnAHtml);
router.post('/knowledgebase', languageController.chatbotqaAdd);
router.delete('/knowledgebase/:id', languageController.chatbotqaDelete);
router.post('/knowledgebase/deploy', languageController.chatbotqaUpdateSource);
router.post('/init', languageController.initMongoDbQNA);
router.put('/knowledgebase',languageController.chatbotqaUpdate)
router.get('/knowledgebase', languageController.getQNA);
router.get('/protected',(req, res) => {
    res.send({'res':'Hello! This resource is protected.'})
}
)
module.exports = router;

and here is my configuration

{
    "credentials": {
      "tenantID": "tenant id",
      "clientID": "nodejs registered app client id",
      "audience": "api://nodejs cliendid"
    },
    "resource": {
      "scope": ["general"]
    },
    "metadata": {
      "authority": "sts.windows.net",
      "discovery": ".well-known/openid-configuration",
      "version": "v2.0"
    },
    "settings": {
      "validateIssuer": true,
      "passReqToCallback": false,
      "loggingLevel": "info"
    }
  }

Answer 1

the property is called accessTokenAcceptedVersion in the AAD Graph Manifest but this section is deprecated, and its equivalent property in the new Microsoft Graph App Manifest is requestedAccessTokenVersion

Answer 2

the problem was in azure app registration in web client app in manifest "accessTokenAcceptedVersion" was set to null so i did set it to "accessTokenAcceptedVersion" :2 and to be sure i did the same for api app registration and then in my api i edited audience in azure.conf.json and i did set it to be the same as the client if of the API client id and i changed metadata too

  "metadata": {
    "authority": "login.microsoftonline.com",
    "discovery": ".well-known/openid-configuration",
    "version": "v2.0"
  }

and i had issuer set to null in my router so i did set it to

issuer: `https://${azureConfig.metadata.authority}/${azureConfig.credentials.tenantID}/${azureConfig.metadata.version}`,

and now im able to authorize to my api routes