How to verify a access token using adal-node authentication context?

2
votes

I have created a azure web api using adal-node authentication context and a angularjs application, jwt token(access token) has been passed through the angularjs application in order to call the web API. I need to verify the user from jwt token before allowing the user to access the web API. How can I do this jwt verification using adal-node authentication context.

sample code for generating the access token

function getToken(TENANT) {
    var promise = new Promise(function (resolve, reject) {
        try {
            //const authContext = new adal.AuthenticationContext(`https://login.microsoftonline.com/${TENANT}`);
            const authContext = new adal.AuthenticationContext('https://login.microsoftonline.com/'+TENANT);
            authContext.acquireTokenWithClientCredentials(GRAPH_URL,CLIENT_ID,CLIENT_SECRET,function(err,tokenRes)
            {
                if (err)
                {
                    reject(err);
                }
                var accesstoken = tokenRes.accessToken;
                resolve(accesstoken);
            })
        }
        catch (ex) {
            reject(ex);
        };
    });
    return promise;
}
2
node.jsazureadal

2 Answers

1
votes

Actually, according to the document of adal-node:

The ADAL for node.js library makes it easy for node.js applications to authenticate to AAD in order to access AAD protected web resources. It supports 3 authentication modes shown in the quickstart code below.

So, in a word, adal-node doesn't have the functionality to verify JWT as an IDP server.

However, if you want to prevent the people to access your web api who don't have permission. You can leverage the Authentication and Authorization feature of Azure App Service in a ease. You can use AAD to secure your Web API, and all the requests against to this Web API need to set the access token from AAD in their Authorization header.

You can refer to Authentication and authorization for API Apps in Azure App Service for more info.

Meanwhile, if you consist to verify JWT yourself, you can leverage some 3rd party module, e.g. https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback

1
votes

You can verify the ADAL token using passport and passport-azure-ad in nodejs. It takes the adal token from request header and verifies it. Here is the sample code.

const express = require("express");
const passport = require("passport");
const BearerStrategy = require("passport-azure-ad").BearerStrategy;

const options = {
  identityMetadata:
    "https://login.microsoftonline.com/<tenantidguid>/v2.0/.well-known/openid-configuration",
  clientID: "<clientidguid>",
  issuer: "https://sts.windows.net/<tenantidguid>/",
  loggingLevel: "info",
  passReqToCallback: false
};
const authenticationStrategy = new BearerStrategy(options, (token, done) => {
  return done(null, {}, token);
});

const app = express();
app.use(require("body-parser").urlencoded({ extended: true }));
app.use(passport.initialize());
passport.use(authenticationStrategy);

app.use((req, res, next) => {
  res.header("Access-Control-Allow-Origin", "*");
  res.header(
    "Access-Control-Allow-Headers",
    "Authorization, Origin, X-Requested-With, Content-Type, Accept"
  );
  next();
});

app.get(
  "/secured-api",
  passport.authenticate("oauth-bearer", { session: false }),
  (req, res) => {
    return res.status(200).json({ message: "token is verified" });
  }
);

const port = process.env.PORT || 3000;
app.listen(port, function() {
  console.log("Listening on port " + port);
});