passport-azure-ad veriy msal.js token with Bearer Strategy

7
votes

Im trying to integrate msal.js library(https://github.com/AzureAD/microsoft-authentication-library-for-js) with passport-azure-ad (https://github.com/AzureAD/passport-azure-ad) Bearer Strategy.

My configurations are as follows: Msal.js

{
    authority: 'https://login.microsoftonline.com/<tennant>',
    clientID: '<clientId>',
    graphScopes: ['user.read', 'Group.Read.All'],
};

passport-azure-ad

const config = {
    identityMetadata: 'https://login.microsoftonline.com/<tennant>/v2.0/.well-known/openid-configuration',

    clientID: '<clientId>',

    validateIssuer: false,

    passReqToCallback: false,

    issuer: 'https://login.microsoftonline.com/<tennant>/v2.0',

    audience: '<clientId>',

    allowMultiAudiencesInToken: false,

    loggingLevel:'info',
    loggingNoPII: false,
};

On the frontend i get through login flow and auire token using 

const token = await this.userAgentApplication.acquireTokenSilent(applicationConfig.graphScopes);

Then I make request to endpoint protected by passport-azure-ad Bearer Strategy and get 

authentication failed due to: In Strategy.prototype.jwtVerify: cannot verify token

I also did logging inside library and it says:

Error: invalid signature

My decoded token looks as follows:

{ header:
   { typ: 'JWT',
     nonce:
      'AQABAAAAAACEfexXxjamQb3OeGQ4GugvOOGFjNwsJMp-y1sPJ254AB4C4gW4sb4kOObzC5BvMpBM-89S8Ri5UvHxPIjpp9ZW408ZgJKLzb2hRWXkib2b7yAA',
     alg: 'RS256',
     x5t: '-sxMJMLCIDWMTPvZyJ6tx-CDxw0',
     kid: '-sxMJMLCIDWMTPvZyJ6tx-CDxw0' },
  payload:
   { aud: 'https://graph.microsoft.com',
     iss:
      'https://sts.windows.net/<tennant>/',
     iat: 1551307920,
     nbf: 1551307920,
     exp: 1551311820,
     acct: 0,
     acr: '1',
     aio:
      'AVQAq/8KAAAANG+ugC3cVRBXWggnndtZk1eOw/7cZL5v0UopZHUGmDTborxAC+z02Y1OKRCrhT7M6YjUnziw5swFdEokTPT7GGWXIcazJpS+O/NQdQU3TqI=',
     amr: [ 'pwd', 'mfa' ],
     app_displayname: '<app_name>',
     appid: '<app_id>',
     appidacr: '0',
     family_name: 'Doe',
     given_name: 'John',
     ipaddr: '127.0.0.1',
     name: 'John, Doe',
     oid: '<user_id>',
     onprem_sid: 'S-1-5-21-3948687051-3486659006-1268634143-1873835',
     platf: '14',
     puid: '10030000AA097172',
     scp: 'Group.Read.All Mail.Send openid profile User.Read email',
     sub: 'Q_fJMajGxqk9S6ggyDN6IGunN_aIhsWhnvLPQIxlT5Q',
     tid: '<tennant>',
     unique_name: 'John Doe',
     upn: '[email protected]',
     uti: 'Cwf6-Fmm-EGXjPDh_iEHAA',
     ver: '1.0',
     xms_st: { sub: 'XTqgFukoz-mbW2mjPHiJoWqhRQZ_SKUIdHRaitfM3co' },
     xms_tcdt: 1386664440 },
  signature:
   'pg6MiFrvJ3oimdCrnWKsf_DEth7RULJpmMH0P3Z-DtK4CO2865TxrnCaGwnkpXrcgokxDgmk3d5cOi-Y5tAlxx87Yd_KcBITq_M3lQM8aUeXPire4bqYG8OKgkvpHRVgYumaMgaHlm1w7FZjSq4lnGn919VVucqe4rkyxvQlyxWLxG4lfUC2RD5ighhg0GeEwQkkl2Y5YManCn96b-8vTkXHE__VxHJXwBJpesDK2KtzCmuEcM8yg4zyvxuY_GDs2lGWdza-ELSMTXxce3RfzUaLAnNt3dMYkN-2wmROB5TuRMafY7D8FCEd-RmtxC1_-ASE-AEwafA9JxLl4j0Ikw' }

I tried to integrate with adal.js(https://github.com/AzureAD/azure-activedirectory-library-for-js) and succeded, but I can't use token it gives me to call graph api on behalf of user(https://docs.microsoft.com/en-us/graph/auth-v2-user).

I also tried to use client id token which I get from localStorage 

const idToken = localStorage.getItem(Constants.idTokenKey);

It works for a while, but this idToken isn't refresed when I call getTokenSilent, so it stops working after some time.

I'm preety much confused what should I do now so any help would be greatly appreciated!

3
node.jsadalmsalpassport-azure-ad

3 Answers

1
votes

Did anyone fix this in the end?

I had exactly the same error. For me it was a config issue, specifically at the client MSAL end and scopes. I was trying to communicate with a custom WebAPI and I was passing the wrong scopes. This solved my issue:

'Invalid Signature' error for Access Token (azure active directory / msal js)

Hopefully this helps someone.

Thanks

0
votes

According to above code snippet, you are using issuer as v2.0

config.issuer: 'https://login.microsoftonline.com//v2.0'

But in jwt token, you are getting iss: 'https://sts.windows.net//'. Config and jwt token Issuers are not matching. So jwt token will not verify.

And also config.Audience value is clientid but in token you are getting aud: 'https://graph.microsoft.com'.

So can you change these two things issuer as https://sts.windows.net// and audience value as https://graph.microsoft.com in config and check whether you are getting response or not.

0
votes

I had similar issue too and I got it working.

In my case, I'm using web(msal) and android(ionic - msadal), both, to generate token and get it verified using node(passport). The major issue is, passport expects v2 access token while you get v1 using your msal/msadal.

You can make it rectified by passing:

https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

in authority uri (msal/msadal) and identityMetadata (passport)

and, setting:

"accessTokenAcceptedVersion": 2, instead of null, in azure portal > app registrations > your app > manifest.