
How to authorize Node.js API with Azure AD?

We have an application that is written using the MEAN stack. Right now the application is using home-grown authentication. We are trying to replace it with Azure AD authentication.

There is a nice article here that shows how to configure Angular for Azure authentication using the ADAL.JS library. This will protect client-side resources. In the example, the server-side APIs are written using .NET Web API, and OWIN is used to protect the Web API. So OWIN is responsible for validating the Bearer token sent from the client.

With the MEAN stack, the server-side APIs are written in Node.js, so how do we protect a Node.js API if we switch to Azure AD? Is there any Node module available from Microsoft? Any example will be greatly appreciated.

LP13 asked Apr 11 '16 20:04




2 Answers

I have recently implemented one with my React application with a Node.js backend and with passport-azure-ad.

You can refer to my post here for both authorization and authentication https://stackoverflow.com/a/58761942/8238968

You can find the key values for BearerStrategyOptions at https://github.com/AzureADQuickStarts/AppModelv2-WebAPI-nodejs/blob/master/node-server/config.js

Also, FYI I used the following common endpoint https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration for identityMetadata

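// Shorthand properties: each name must be a variable already in scope,
// loaded from your configuration (see the linked config.js for the keys).
const BearerStrategyOptions = {
  identityMetadata,
  clientID,
  validateIssuer,
  issuer,
  passReqToCallback,
  allowMultiAudiencesInToken,
  audience
};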

For Authorization:

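const passport = require("passport");
const { BearerStrategy } = require("passport-azure-ad");

// users (array), owner and findByOid(oid, callback) are defined by the application.
// This callback signature assumes passReqToCallback is false; when it is true
// the callback receives (req, token, done) instead.
passport.use(
  new BearerStrategy(BearerStrategyOptions, function(token, done) {
    // token holds the claims of the access token after validation
    console.log("verifying the user");
    console.log(token, "was the token retrieved");
    findByOid(token.oid, function(err, user) {
      if (err) {
        return done(err);
      }
      if (!user) {
        // "Auto-registration"
        console.log(
          "User was added automatically as they were new. Their oid is: ",
          token.oid
        );
        users.push(token);
        owner = token.oid;
        return done(null, token);
      }
      owner = token.oid;
      return done(null, user, token);
    });
  })
);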

And to authorize the routes, use the following code in your API:

 passport.authenticate('oauth-bearer', {session: false})

Done! Hope this helps :)

Dinesh Nadimpalli answered Oct 13 '22 17:10
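To make concrete what server-side bearer validation has to check, here is an added example (not code from the answer above and not passport-azure-ad's own implementation) that verifies an RS256 token with Node's built-in crypto module, with options modelled on the audience, validateIssuer and issuer keys shown above. The function names, the locally generated key pair and the tenant and client identifiers are all constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed test key pair. In production the public keys come from the
// jwks_uri named in the identityMetadata document, selected by the "kid" header.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
// Constructed sample values (placeholder tenant and client IDs).
const ISS = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0";
const OPTS = { publicKey, audience: "api://example-client-id", validateIssuer: true, issuer: [ISS] };

const b64url = (v) => Buffer.from(v).toString("base64url");

// Test helper (hypothetical): mints an RS256 token the way an issuer would.
function signToken(claims, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns the claims if every check passes, otherwise throws.
function validateBearer(token, opts, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm: the token must not be able to pick "none" or an HMAC variant.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), opts.publicKey,
    Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  const auds = [].concat(claims.aud || []);
  if (!auds.includes(opts.audience)) throw new Error("wrong audience");
  // A multi-tenant (/common) metadata document has no single issuer value,
  // so the trusted issuers have to be listed explicitly.
  if (opts.validateIssuer && !opts.issuer.includes(claims.iss)) throw new Error("untrusted issuer");
  if (typeof claims.exp !== "number" || now >= claims.exp) throw new Error("expired");
  if (typeof claims.nbf === "number" && now < claims.nbf) throw new Error("not yet valid");
  return claims;
}

// Hypothetical helper: true/false wrapper around validateBearer.
function accepts(token, opts, now) {
  try { validateBearer(token, opts, now); return true; } catch { return false; }
}
```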


Microsoft provides a passport plugin, passport-azure-ad.

passport-azure-ad is a collection of Passport Strategies to help you integrate with Azure Active Directory. It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization. These providers let you integrate your Node app with Microsoft Azure AD so you can use its many features, including web single sign-on (WebSSO), Endpoint Protection with OAuth, and JWT token issuance and validation.

josh3736 answered Oct 13 '22 17:10