seanfisher / passport-microsoft Goto Github PK
View Code? Open in Web Editor NEWAn Authentication strategy for passport.js that uses the Microsoft Graph API
License: MIT License
An Authentication strategy for passport.js that uses the Microsoft Graph API
License: MIT License
Wanted to ask about some further implementation related to the Microsoft identity platform endpoint.
Currently if no authorizationURL or tokenURL is provided, it takes the default ones defined within the code.
I am not sure (couldn't find anything within their docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints) if any other different URL can be provided, so wouldn't it be better to take into consideration a tenant property and based on it generate these URLs?
Hi, thank you so much for this project, made my life so much easier!
I just tried to use the strategy on the example app, and when I try to request multiple scopes, the authentication throws an error. For example:
passport.use(new MicrosoftStrategy({
clientID: MICROSOFT_GRAPH_CLIENT_ID,
clientSecret: MICROSOFT_GRAPH_CLIENT_SECRET,
callbackURL: "http://localhost:3000/auth/microsoft/callback",
scope: ['user.read', 'profile']
} ...
the code above throws the following error on the authentication flow (on the MSFT login site):
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope user.read profile is not valid. openid scope is required.
I have also tried setting the scope to scope: 'user.read,profile'
but that does not work either.
And just to be clear, the app is authorised to use these API endpoints on the Azure Portal.
I am probably doing something wrong, and would appreciate any pointers :)
Thanks again for your work!
I tried the example, did run "npm install", but then I get a too new version of express, so I get an error about app.configure doesn't exist. So I changed express to 3.21.2.
Which versions of the npm packages is it known to work with?
After downgrading express I was able to start a login, but it failed with a "CompactToken parsing failed with error code: 80049217"
Hello,
Thanks for contributing this library. I am following your login example code and everything is working fine (I can get access and refresh tokens).
My question is that: How can I use the refresh token? What is the use of the refresh token? I have noticed that the access token is valid for ~30 mins. After 30 mins, I have to authenticate again in order to get the new valid access token. I would like to avoid this (repetitive login).
Can you point to me any example where you have used the refresh token or is there any approach to refresh the access token?
I am using the following configuration code:
passport.use(new MicrosoftStrategy({
clientID: MICROSOFT_GRAPH_CLIENT_ID,
clientSecret: MICROSOFT_GRAPH_CLIENT_SECRET,
callbackURL: 'http://localhost:3000/auth/microsoft/callback',
scope: ['openid','offline_access','user.read','Files.Read','Files.Read.All'],
tenant: 'xxxxxxxxxxxxxxxxx',
},
Thanking you,
Saurabh
This module depends on passport-oauth2 <1.6.1 which is affected by https://nvd.nist.gov/vuln/detail/CVE-2021-41580
If you leave out scope
when
passport.use(new MicrosoftStrategy({
clientID: ,
clientSecret: ,
callbackURL: ,
},
You will get an error from microsoft.
Need to specify scope:
passport.use(new MicrosoftStrategy({
clientID: ,
clientSecret: ,
callbackURL: ,
scope: '...'
},
AuthenticationError: Forbidden
at allFailed (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:175:21)
at attempt (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:183:28)
at strategy.fail (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:314:9)
at loaded (/workspaces/Banga-Tufas-foky/node_modules/passport-oauth2/lib/strategy.js:164:21)
at PKCESessionStore.verify (/workspaces/Banga-Tufas-foky/node_modules/passport-oauth2/lib/state/pkcesession.js:68:12)
at OAuth2Strategy.authenticate (/workspaces/Banga-Tufas-foky/node_modules/passport-oauth2/lib/strategy.js:223:26)
at attempt (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:378:16)
at authenticate (/workspaces/Banga-Tufas-foky/node_modules/passport/lib/middleware/authenticate.js:379:7)
at Layer.handle [as handle_request] (/workspaces/Banga-Tufas-foky/node_modules/express/lib/router/layer.js:95:5)
at next (/workspaces/Banga-Tufas-foky/node_modules/express/lib/router/route.js:144:13)
import {Request, Response, NextFunction} from "express";
import passport from "passport";
import { Strategy as MicrosoftStrategy } from "passport-microsoft";
import { Strategy as WindowsLiveStrategy } from "passport-windowslive";
import { Strategy as XboxStrategy } from "passport-xbox";
import { config } from "../utils/utils";
export class MicrosoftAuthManager {
private static instance: MicrosoftAuthManager;
static NO_LOGIN_REQUIRED_ACTIONS = [null, "login"];
static isAuthorized(request: Request, response: Response, next: NextFunction) {
const action = typeof request.query.action == "string" ? request.query.action.toLowerCase() : null;
if (MicrosoftAuthManager.NO_LOGIN_REQUIRED_ACTIONS.includes(action)) return next();
else if (request.isAuthenticated()) return next();
else response.redirect("/home");
}
constructor() {
passport.use(
"microsoft",
new MicrosoftStrategy({
clientID: config.microsoft.client_id,
clientSecret: config.microsoft.secret,
callbackURL: `http://localhost:${config.bind.port}/api/v1/auth/callback`,
tenant: 'common',
pkce: true, // If I don't add this, it throws an error
store: true, // also here
failureMessage: true,
_passReqToCallback: true,
},
(req, accessToken, refreshToken, profile, done) => {
console.log(req, {accessToken, ...profile}); // nothing
process.nextTick(function () {
const gamertag = profile.displayName;
const xuid = profile.id;
console.log("profile: ", profile); // nothing
return done(null, { gamertag, xuid, token: accessToken });
})
})
);/*
passport.serializeUser(function (user, done) {
console.log("user: ", user); // nothing
done(null, user);
});
passport.deserializeUser(function (obj, done) {
console.log("obj: ", obj); // nothing
done(null, obj);
});*/
}
public static get static(): MicrosoftAuthManager{
return MicrosoftAuthManager.instance;
}
}
export class AuthRouter extends BaseRouter {
protected initRoutes(): void{
setTimeout(() => console.log(this.getFullPath()), 3000)
this.router.get(
"/login",
passport.authenticate("microsoft", {scope: ["User.Read"]})
);
this.router.get(
"/callback",
(req, res, next) => {
logger.debug("Callbacked") // called
next();
},
passport.authenticate("microsoft", {
//failureRedirect: "/home",
failWithError: true,
}),
(request: Request, response: Response, next: NextFunction) => {
console.log(request.user); // nothing
// TODO: check cloud session
setTimeout(() => response.redirect("/home"), 500);
}
);
this.router.get(
"/logout",
(request: Request, response: Response, next: NextFunction) => {
request.logout();
response.redirect("/home")
}
);
}
protected initChildRoutes?(): void{
}
}
I wasted 5hrs, only to figure out how this works.. :/
I just want to retrieve the xuid and gamertag and a valid session-token..
It tells me i HAVE to usepkce
, in the example there is no pkce: true or state/store: true
I am getting while it is redirecting in azure app service after it goes to authorize endpoint and send the authorization code to redirect uri. I get the below error
https://.azurewebsites.net/auth/redirect?code=<Authorization_Code>&session_state=18b77656-7bb0-45e7-a678-5944ec526564
After i remove the session state manually and try it works fine .
Can someone help me understand why this is happening and how to correct this. (Like skip session state while sending)
Hi there,
I'm having an issue with trying to login with personal live.com accounts instead of Office 365.
The oauth process is essentially the same, and the live.com endpoints should work for both.
And it is, except for the only problem I'm having with the email, it does not appear to be populating the profile.emails
with a proper value for the email (even though the array has got one record) the value is always undefined.
The problem appears to be with the personal accounts not populating the mail
property, as expected by the strategy here:
But instead return the userPrincipalName
, see a debug session below with the _json
property.
I can obviously get it from the _json
, but I think it would make more sense to have the strategy support it?
I can do the change on a fork and PR it if you'd like?
Cheers,
P.
First of all, thank you for your work!
I have been using passport-microsoft
and it has been working great.
Although, I have some users reporting a strange problem while trying to login with their Microsoft/Azure Active Directory account.
Here is a print of the error:
Do you have an idea of what might be causing this?
passport.use(new MicrosoftStrategy({
clientID: process.env.AZURE_CLIENT,
clientSecret: process.env.AZURE_SECRET,
callbackURL: process.env.AZURE_REDIRECT,
passReqToCallback: true,
scope: ['User.Read','Calendars.ReadWrite'],
prompt: 'select_account'
},
async function(req, accessToken, refreshToken, profile, done) {
console.log(profile)
var profile = profile._json
var user = {
outlookId: profile.id,
name: profile.displayName,
email: profile.mail,
accessToken: accessToken,
refreshToken: refreshToken
};
I get an access token and all profile data, but refreshtoken is undefined.
Is there a way to force account selection in case user has multiple accounts? Currently it directly signs in with a account without asking
Hello,
We are getting the following error when trying to bundle code using webpack. We also use passport-local
and passport-google-oauth20
strategies with no issues.
We think this is due to pkginfo
trying to find a package.json
when trying to be bundled/combined with bundlers like webpack. The root cause seems to be this line of code at index.js#L10
Error: Could not find package.json up from ./node_modules/pkginfo/lib/pkginfo.js
For now we fixed the issue in webpack by loading this module externally as follows
"externals": {
"passport-microsoft": {
"commonjs": "passport-microsoft"
}
}
It would be great to resolve this issue so passport-microsoft
can be bundled.
Hi there!
It seems that the Azure API has been updated of some sort and the library stopped working since January. Login causes error: TokenError: AADSTS70012: Non-retryable error has occurred . Could you please take a peek, or point up to directions were we can find in the documentation what is wrong with this API?
Thank you so much!
I used this package to authenticate the dynamics CRM. I have used the below code
passport.use(new MicrosoftStrategy({
clientID: process.env.MICROSOFT_CLIENT_ID,
clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
callbackURL: process.env.MICROSOFT_REDIRECT_URI,
tenant: process.env.MICROSOFT_TENANT_ID,
passReqToCallback: true,
scope: ['openid,user.read,offline_access,profile,email,Contacts.Read'],
scopeSeparator: ','
},
async (req, accessToken, refreshToken, expires_in, profile, done) => {
done(null, profile)
}))
But, while using this code I faced the issue like below,
microsoft/callback?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27TestApp-App%27+asked+for+scope+%27openid%2cuser.read%2coffline_access%2cprofile%2cemail%2cContacts.Read%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+611c5ab0-4da5-4dc9-afe7-8b47d83a7f00%0d%0aCorrelation+ID%3a+4354bc5e-28e6-495e-86b0-881723d2589d%0d%0aTimestamp%3a+2023-07-06+17%3a37%3a31Z
I followed the below document to create the client and secret ID
It would be good someone help on this
Hello,
In my application, I'm using single-tenant AAD account where if I try to login with the other domain it's not redirecting to failureRedirect instead it's sitting on the Microsoft page itself and showing the error as shown below.Can anyone please help me on this issue?
User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'xxxxxxx' and cannot access the application '{id}'(Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Previously I have been using passport-azure-oauth2. I am now using this module, but I cannot get the appRoles.
This is my code:
module.exports = function (
accessToken,
refreshToken,
params,
profile,
done
)
new MicrosoftStrategy( { clientID: config.azureApp.clientID, clientSecret: config.azureApp.clientSecret, callbackURL: config.azureApp.callbackUri, // resource: config.azureApp.resource, tenant: config.azureApp.tenant, scope: ['user.read'] }, (accessToken, refreshToken, params, profile, done) => adfsStrategy( accessToken, refreshToken, params, profile, done ) )
` passport.serializeUser((profile, done) => {
done(null, profile)
})
passport.deserializeUser((profile, done) => {
done(null, profile)
})`
I want to retrieve the appRoles I have defined in the enterprise application section...
What am i missing?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.