Wanted to ask about some further implementation related to the Microsoft identity platform endpoint.

Currently if no authorizationURL or tokenURL is provided, it takes the default ones defined within the code.

I am not sure (couldn't find anything within their docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints) if any other different URL can be provided, so wouldn't it be better to take into consideration a tenant property and based on it generate these URLs?

Hi, thank you so much for this project, made my life so much easier!

I just tried to use the strategy on the example app, and when I try to request multiple scopes, the authentication throws an error. For example:

passport.use(new MicrosoftStrategy({
  clientID: MICROSOFT_GRAPH_CLIENT_ID,
  clientSecret: MICROSOFT_GRAPH_CLIENT_SECRET,
  callbackURL: "http://localhost:3000/auth/microsoft/callback",
  scope: ['user.read', 'profile']
} ...

the code above throws the following error on the authentication flow (on the MSFT login site):

AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope user.read profile is not valid. openid scope is required.

I have also tried setting the scope to scope: 'user.read,profile' but that does not work either.

And just to be clear, the app is authorised to use these API endpoints on the Azure Portal.

I am probably doing something wrong, and would appreciate any pointers :)

Thanks again for your work!

I tried the example, did run "npm install", but then I get a too new version of express, so I get an error about app.configure doesn't exist. So I changed express to 3.21.2.
Which versions of the npm packages is it known to work with?
After downgrading express I was able to start a login, but it failed with a "CompactToken parsing failed with error code: 80049217"

Hello,

Thanks for contributing this library. I am following your login example code and everything is working fine (I can get access and refresh tokens).

My question is that: How can I use the refresh token? What is the use of the refresh token? I have noticed that the access token is valid for ~30 mins. After 30 mins, I have to authenticate again in order to get the new valid access token. I would like to avoid this (repetitive login).

Can you point to me any example where you have used the refresh token or is there any approach to refresh the access token?

I am using the following configuration code:

passport.use(new MicrosoftStrategy({
  clientID: MICROSOFT_GRAPH_CLIENT_ID,
  clientSecret: MICROSOFT_GRAPH_CLIENT_SECRET,
  callbackURL: 'http://localhost:3000/auth/microsoft/callback',
  scope: ['openid','offline_access','user.read','Files.Read','Files.Read.All'],
  tenant: 'xxxxxxxxxxxxxxxxx',
},

Thanking you,
Saurabh

This module depends on passport-oauth2 <1.6.1 which is affected by https://nvd.nist.gov/vuln/detail/CVE-2021-41580

If you leave out scope when

passport.use(new MicrosoftStrategy({
        clientID: ,
        clientSecret: ,
        callbackURL: ,
    },

You will get an error from microsoft.

Need to specify scope:

passport.use(new MicrosoftStrategy({
        clientID: ,
        clientSecret: ,
        callbackURL: ,
        scope: '...'
    },

Error

AuthenticationError: Forbidden
    at allFailed (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:175:21)
    at attempt (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:183:28)
    at strategy.fail (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:314:9)
    at loaded (/workspaces/Banga-Tufas-foky/node_modules/passport-oauth2/lib/strategy.js:164:21)
    at PKCESessionStore.verify (/workspaces/Banga-Tufas-foky/node_modules/passport-oauth2/lib/state/pkcesession.js:68:12)
    at OAuth2Strategy.authenticate (/workspaces/Banga-Tufas-foky/node_modules/passport-oauth2/lib/strategy.js:223:26)
    at attempt (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:378:16)
    at authenticate (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:379:7)
    at Layer.handle [as handle_request] (/workspaces/Banga-Tufas-foky/node_modules/express/lib/router/layer.js:95:5)
    at next (/workspaces/Banga-Tufas-foky/node_modules/express/lib/router/route.js:144:13)

Code

import {Request, Response, NextFunction} from "express";
import passport from "passport";
import { Strategy as MicrosoftStrategy } from "passport-microsoft";
import { Strategy as WindowsLiveStrategy } from "passport-windowslive";
import { Strategy as XboxStrategy } from "passport-xbox";
import { config } from "../utils/utils";

export class MicrosoftAuthManager {
	private static instance: MicrosoftAuthManager;

	static NO_LOGIN_REQUIRED_ACTIONS = [null, "login"];

	static isAuthorized(request: Request, response: Response, next: NextFunction) {
		const action = typeof request.query.action == "string" ? request.query.action.toLowerCase() : null;
		if (MicrosoftAuthManager.NO_LOGIN_REQUIRED_ACTIONS.includes(action)) return next();
		else if (request.isAuthenticated()) return next();
		else response.redirect("/home");
	}
    constructor() {
		passport.use(
			"microsoft",
			new MicrosoftStrategy({
				clientID: config.microsoft.client_id,
				clientSecret: config.microsoft.secret,
				callbackURL: `http://localhost:${config.bind.port}/api/v1/auth/callback`,
				tenant: 'common',
				pkce: true, // If I don't add this, it throws an error
				store: true, // also here
				failureMessage: true,
				_passReqToCallback: true,
			},
			(req, accessToken, refreshToken, profile, done) => {
				console.log(req, {accessToken, ...profile}); // nothing
				
				process.nextTick(function () {
					const gamertag = profile.displayName;
					const xuid = profile.id;
					console.log("profile: ", profile); // nothing
					return done(null, { gamertag, xuid, token: accessToken });
				})
			})
		);/*
		passport.serializeUser(function (user, done) {
			console.log("user: ", user); // nothing
			done(null, user);
		});
		passport.deserializeUser(function (obj, done) {
			console.log("obj: ", obj); // nothing
			done(null, obj);
		});*/
    }

	public static get static(): MicrosoftAuthManager{
		return MicrosoftAuthManager.instance;
	}
}

export class AuthRouter extends BaseRouter {
    protected initRoutes(): void{
        setTimeout(() => console.log(this.getFullPath()), 3000)
        this.router.get(
            "/login",
            passport.authenticate("microsoft", {scope: ["User.Read"]})
        );
        this.router.get(
            "/callback",
            (req, res, next) => {
                logger.debug("Callbacked") // called
                next();
            },
            passport.authenticate("microsoft", {
                //failureRedirect: "/home",
                failWithError: true,
            }),
            (request: Request, response: Response, next: NextFunction) => {
                console.log(request.user); // nothing
                
                // TODO: check cloud session
                setTimeout(() => response.redirect("/home"), 500);        
            }
        );
        this.router.get(
            "/logout",
            (request: Request, response: Response, next: NextFunction) => {
                request.logout();
                response.redirect("/home")
            }
        );
    }
    protected initChildRoutes?(): void{
    }
}

I wasted 5hrs, only to figure out how this works.. :/
I just want to retrieve the xuid and gamertag and a valid session-token..
It tells me i HAVE to use pkce, in the example there is no pkce: true or state/store: true

I am getting while it is redirecting in azure app service after it goes to authorize endpoint and send the authorization code to redirect uri. I get the below error

https://.azurewebsites.net/auth/redirect?code=<Authorization_Code>&session_state=18b77656-7bb0-45e7-a678-5944ec526564

After i remove the session state manually and try it works fine .

Can someone help me understand why this is happening and how to correct this. (Like skip session state while sending)

Hi there,

I'm having an issue with trying to login with personal live.com accounts instead of Office 365.

The oauth process is essentially the same, and the live.com endpoints should work for both.

And it is, except for the only problem I'm having with the email, it does not appear to be populating the profile.emails with a proper value for the email (even though the array has got one record) the value is always undefined.

The problem appears to be with the personal accounts not populating the mail property, as expected by the strategy here:

But instead return the userPrincipalName, see a debug session below with the _json property.

I can obviously get it from the _json, but I think it would make more sense to have the strategy support it?

I can do the change on a fork and PR it if you'd like?

Cheers,
P.

First of all, thank you for your work!

I have been using passport-microsoft and it has been working great.

Although, I have some users reporting a strange problem while trying to login with their Microsoft/Azure Active Directory account.

Here is a print of the error:

Do you have an idea of what might be causing this?

passport.use(new MicrosoftStrategy({
clientID: process.env.AZURE_CLIENT,
clientSecret: process.env.AZURE_SECRET,
callbackURL: process.env.AZURE_REDIRECT,
passReqToCallback: true,
scope: ['User.Read','Calendars.ReadWrite'],
prompt: 'select_account'
},
async function(req, accessToken, refreshToken, profile, done) {
console.log(profile)
var profile = profile._json

var user = {
  outlookId: profile.id,
  name: profile.displayName,
  email: profile.mail,
  accessToken:  accessToken,
  refreshToken: refreshToken

};

I get an access token and all profile data, but refreshtoken is undefined.

Is there a way to force account selection in case user has multiple accounts? Currently it directly signs in with a account without asking

Hello,

We are getting the following error when trying to bundle code using webpack. We also use passport-local and passport-google-oauth20 strategies with no issues.

We think this is due to pkginfo trying to find a package.json when trying to be bundled/combined with bundlers like webpack. The root cause seems to be this line of code at index.js#L10

Error: Could not find package.json up from ./node_modules/pkginfo/lib/pkginfo.js

For now we fixed the issue in webpack by loading this module externally as follows

"externals": {
        "passport-microsoft": {
                 "commonjs": "passport-microsoft"
        }
}

It would be great to resolve this issue so passport-microsoft can be bundled.

Hi there!

It seems that the Azure API has been updated of some sort and the library stopped working since January. Login causes error: TokenError: AADSTS70012: Non-retryable error has occurred . Could you please take a peek, or point up to directions were we can find in the documentation what is wrong with this API?

Thank you so much!

I used this package to authenticate the dynamics CRM. I have used the below code

passport.use(new MicrosoftStrategy({
  clientID: process.env.MICROSOFT_CLIENT_ID,
  clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
  callbackURL: process.env.MICROSOFT_REDIRECT_URI,
  tenant: process.env.MICROSOFT_TENANT_ID,
  passReqToCallback: true,
  scope: ['openid,user.read,offline_access,profile,email,Contacts.Read'],
  scopeSeparator: ','
},
async (req, accessToken, refreshToken, expires_in, profile, done) => {
   done(null, profile)
}))

But, while using this code I faced the issue like below,

microsoft/callback?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27TestApp-App%27+asked+for+scope+%27openid%2cuser.read%2coffline_access%2cprofile%2cemail%2cContacts.Read%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+611c5ab0-4da5-4dc9-afe7-8b47d83a7f00%0d%0aCorrelation+ID%3a+4354bc5e-28e6-495e-86b0-881723d2589d%0d%0aTimestamp%3a+2023-07-06+17%3a37%3a31Z

I followed the below document to create the client and secret ID

https://learn.microsoft.com/en-us/power-apps/developer/data-platform/walkthrough-register-app-azure-active-directory

It would be good someone help on this

Hello,

In my application, I'm using single-tenant AAD account where if I try to login with the other domain it's not redirecting to failureRedirect instead it's sitting on the Microsoft page itself and showing the error as shown below.Can anyone please help me on this issue?

User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'xxxxxxx' and cannot access the application '{id}'(Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Previously I have been using passport-azure-oauth2. I am now using this module, but I cannot get the appRoles.

This is my code:

module.exports = function (
  accessToken,
  refreshToken,
  params,
  profile,
  done
)

new MicrosoftStrategy( { clientID: config.azureApp.clientID, clientSecret: config.azureApp.clientSecret, callbackURL: config.azureApp.callbackUri, // resource: config.azureApp.resource, tenant: config.azureApp.tenant, scope: ['user.read'] }, (accessToken, refreshToken, params, profile, done) => adfsStrategy( accessToken, refreshToken, params, profile, done ) )

`  passport.serializeUser((profile, done) => {
    done(null, profile)
  })

  passport.deserializeUser((profile, done) => {
    done(null, profile)
  })`

I want to retrieve the appRoles I have defined in the enterprise application section...

What am i missing?