passport-azure-ad: which strategy to use

Question

We have front end developed in AngularJS and backend APIs in NodeJs. We are using Azure AD for authentication. Frontend Angular is using adal-angular javascript library for azure authentication. So when user comes to web site, he gets redirected to https://login.microsoftonline.com and upon successful authentication he gets redirected back to our web site. So far so good.
I have to protect backend api’s using passport-azure-ad library. Only the frontend is calling these APIs. There are two strategies available using this library
1> OAuth2Bearer strategy
2> OIDCStrategy for Open ID Connect

I was under impression Azure AD by default uses OpenID Connect for authentication. So I was planning to use OIDCStrategy to protect Node web api as discussed here
However in fiddler I see the following request client (i.e angular frontend) is making when it invokes web API

GET http://localhost:4030/api/getemployees HTTP/1.1  
Host: localhost:4030  
Connection: keep-alive  
Accept: application/json, text/plain, */*  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36  
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi………………………  
Referer: http://localhost:4030/  
Accept-Encoding: gzip, deflate, sdch  
Accept-Language: en-US,en;q=0.8  

Note Authorization tag starts with “Bearer“ so I am assuming client is sending Bearer token to the server.

Q
1>which strategy I should be using here?
2>when should we use one over the other?

Answer 1

I maintain passport-azure-ad. The difference here is between "authorization" and "authentication".

OAuth2 is used for authorization (do I have access to this?).

OpenID Connect is used for authentication (this is who I am).

When you are connecting to web APIs, the user most likely already has an identity (they've been through authentication) and now you just want to ensure that the user has access to the APIs (authorization). OAuth2 is used to protect resources and consumes tokens from an IdP to ensure tokens are valid and that the user has access to that resource. Bearer is just the type of token that we (and the industry) use for OAuth2. If someone comes to you without a token at all, you reject them and then it's up to the client that called you to know where to take them to get the right token you need.

OpenID Connect is built on top of OAuth2 and is purely for logging people in and getting the tokens that you will then eventually send to a Web API (which would in turn use OAuth2 with Bearer token). So OpenID Connect is used for authentication.

In your scenario you are using Angular which is doing the OpenID Connect authentication for you, so your Web APIs should be using The Bearer strategy.

I have written a sample that walks you through all of this here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapi-nodejs/ that uses the MEAN stack, and which uses an iOS sample application I wrote as a front end. Playing with both of these, it's easy to see how one acts as the authentication piece (iOS app) and the other sits there and protects the API acting as the authorization piece (the node.js app)

Code for node.js app: https://github.com/Azure-Samples/active-directory-node-webapi

Code for iOS app: https://github.com/Azure-Samples/active-directory-ios

Deeper dive in to these topics is here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

Let me know if you have any other questions!