I'm trying to integrate the msal.js library (https://github.com/AzureAD/microsoft-authentication-library-for-js) with the passport-azure-ad (https://github.com/AzureAD/passport-azure-ad) Bearer Strategy.
My configurations are as follows:
Msal.js
{
  authority: 'https://login.microsoftonline.com/<tenant>',
  clientID: '<clientId>',
  graphScopes: ['user.read', 'Group.Read.All'],
};
passport-azure-ad
const config = {
  identityMetadata: 'https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration',
  clientID: '<clientId>',
  validateIssuer: false,
  passReqToCallback: false,
  issuer: 'https://login.microsoftonline.com/<tenant>/v2.0',
  audience: '<clientId>',
  allowMultiAudiencesInToken: false,
  loggingLevel: 'info',
  loggingNoPII: false,
};
On the frontend I get through the login flow and acquire a token using
const token = await this.userAgentApplication.acquireTokenSilent(applicationConfig.graphScopes);
Then I make a request to an endpoint protected by the passport-azure-ad Bearer Strategy and get
authentication failed due to: In Strategy.prototype.jwtVerify: cannot verify token
I also added logging inside the library and it says:
Error: invalid signature
My decoded token looks as follows:
{ header:
   { typ: 'JWT',
     nonce: 'AQABAAAAAACEfexXxjamQb3OeGQ4GugvOOGFjNwsJMp-y1sPJ254AB4C4gW4sb4kOObzC5BvMpBM-89S8Ri5UvHxPIjpp9ZW408ZgJKLzb2hRWXkib2b7yAA',
     alg: 'RS256',
     x5t: '-sxMJMLCIDWMTPvZyJ6tx-CDxw0',
     kid: '-sxMJMLCIDWMTPvZyJ6tx-CDxw0' },
  payload:
   { aud: 'https://graph.microsoft.com',
     iss: 'https://sts.windows.net/<tenant>/',
     iat: 1551307920,
     nbf: 1551307920,
     exp: 1551311820,
     acct: 0,
     acr: '1',
     aio: 'AVQAq/8KAAAANG+ugC3cVRBXWggnndtZk1eOw/7cZL5v0UopZHUGmDTborxAC+z02Y1OKRCrhT7M6YjUnziw5swFdEokTPT7GGWXIcazJpS+O/NQdQU3TqI=',
     amr: [ 'pwd', 'mfa' ],
     app_displayname: '<app_name>',
     appid: '<app_id>',
     appidacr: '0',
     family_name: 'Doe',
     given_name: 'John',
     ipaddr: '127.0.0.1',
     name: 'John, Doe',
     oid: '<user_id>',
     onprem_sid: 'S-1-5-21-3948687051-3486659006-1268634143-1873835',
     platf: '14',
     puid: '10030000AA097172',
     scp: 'Group.Read.All Mail.Send openid profile User.Read email',
     sub: 'Q_fJMajGxqk9S6ggyDN6IGunN_aIhsWhnvLPQIxlT5Q',
     tid: '<tenant>',
     unique_name: 'John Doe',
     upn: '[email protected]',
     uti: 'Cwf6-Fmm-EGXjPDh_iEHAA',
     ver: '1.0',
     xms_st: { sub: 'XTqgFukoz-mbW2mjPHiJoWqhRQZ_SKUIdHRaitfM3co' },
     xms_tcdt: 1386664440 },
  signature: 'pg6MiFrvJ3oimdCrnWKsf_DEth7RULJpmMH0P3Z-DtK4CO2865TxrnCaGwnkpXrcgokxDgmk3d5cOi-Y5tAlxx87Yd_KcBITq_M3lQM8aUeXPire4bqYG8OKgkvpHRVgYumaMgaHlm1w7FZjSq4lnGn919VVucqe4rkyxvQlyxWLxG4lfUC2RD5ighhg0GeEwQkkl2Y5YManCn96b-8vTkXHE__VxHJXwBJpesDK2KtzCmuEcM8yg4zyvxuY_GDs2lGWdza-ELSMTXxce3RfzUaLAnNt3dMYkN-2wmROB5TuRMafY7D8FCEd-RmtxC1_-ASE-AEwafA9JxLl4j0Ikw' }
I tried to integrate with adal.js (https://github.com/AzureAD/azure-activedirectory-library-for-js) and succeeded, but I can't use the token it gives me to call the Graph API on behalf of the user (https://learn.microsoft.com/en-us/graph/auth-v2-user).
I also tried to use the client id token which I get from localStorage
const idToken = localStorage.getItem(Constants.idTokenKey);
It works for a while, but this idToken isn't refreshed when I call getTokenSilent, so it stops working after some time.
I'm pretty confused about what I should do now, so any help would be greatly appreciated!
I had a similar issue too and I got it working.
In my case, I'm using web (msal) and android (ionic - msadal), both, to generate tokens and get them verified using node (passport). The major issue is that passport expects a v2 access token while you get a v1 token using your msal/msadal.
You can rectify this by passing:
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
in the authority uri (msal/msadal) and identityMetadata (passport),
and by setting:
"accessTokenAcceptedVersion": 2
instead of null, in azure portal > app registrations > your app > manifest.
Did anyone fix this in the end?
I had exactly the same error. For me it was a config issue, specifically at the client MSAL end and scopes. I was trying to communicate with a custom WebAPI and I was passing the wrong scopes. This solved my issue:
'Invalid Signature' error for Access Token (azure active directory / msal js)
Hopefully this helps someone.
Thanks
By default a newly created Azure AD application registration contains API permissions for the Microsoft Graph API in the form of the User.Read permission type. If you have no intention of calling Microsoft's Graph API, this permission needs to be removed; otherwise the issued access token will be a v1.0 token rather than the v2.0 token which passport-azure-ad expects.
You will also need to follow the steps outlined above by Gaurav Gupta: https://stackoverflow.com/a/60967402/6772215
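A quick way to check which of the mismatches described in these answers a given token has, added here as an example that is not code from the question, the answers or either library. It decodes the token without verifying it (verification stays with passport-azure-ad) and compares `ver`, `iss` and `aud` against the tenant and client id from the passport config; the sample token is constructed from the claims shown in the question with a dummy signature.

```javascript
// Added example (not from the question or any answer): decode an Azure AD
// access token WITHOUT verifying it and report the mismatches the answers
// point at (v1.0 vs v2.0, issuer, audience). Diagnostic only; the signature
// check remains the job of passport-azure-ad.

function decodePart(part) {
  // base64url -> base64 with padding, so this runs on older Node versions too
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function encodePart(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// expected = { clientId, tenantId }: the same values used in the passport-azure-ad config
function inspectAccessToken(jwt, expected) {
  const [h, p] = jwt.split('.');
  const header = decodePart(h);
  const payload = decodePart(p);
  const v2Issuer = `https://login.microsoftonline.com/${expected.tenantId}/v2.0`;
  const findings = [];
  if (payload.ver !== '2.0') {
    findings.push(`ver=${payload.ver}: v1 token; v2.0 metadata expects ver=2.0 (accessTokenAcceptedVersion: 2)`);
  }
  if (payload.iss !== v2Issuer) {
    findings.push(`iss=${payload.iss}: does not match ${v2Issuer}`);
  }
  if (payload.aud !== expected.clientId) {
    findings.push(`aud=${payload.aud}: issued for another resource, not your API (check the scopes msal requests)`);
  }
  if (header.nonce !== undefined) {
    findings.push('header carries a nonce: a Microsoft Graph token, opaque to any other API');
  }
  return { header, payload, findings, ok: findings.length === 0 };
}

// Constructed sample mirroring the decoded token in the question (dummy signature, placeholder ids).
const SAMPLE_V1_TOKEN = [
  encodePart({ typ: 'JWT', alg: 'RS256', nonce: 'constructed-nonce', kid: 'constructed-kid' }),
  encodePart({ aud: 'https://graph.microsoft.com', iss: 'https://sts.windows.net/tenant-id/',
               ver: '1.0', tid: 'tenant-id', scp: 'User.Read Group.Read.All' }),
  'constructed-signature',
].join('.');

const report = inspectAccessToken(SAMPLE_V1_TOKEN, { clientId: 'client-id', tenantId: 'tenant-id' });
console.log(report.ok ? 'token matches the API config' : report.findings.join('\n'));
```

For the sample above all four findings fire, which is exactly the state of the token in the question: a v1.0 Graph token that your own API cannot verify.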