1
votes

I'm trying to call a REST API which is protected by Azure AD authentication. From the Postman REST client it works like this: https://example.com/getexample with the header Authorization: Bearer . This works great if I get the user's token interactively (for example via device_code or MFA).

As I wanted to run the code non-interactively, I'm trying to authenticate against the REST endpoint with a service principal.

The REST server is built in nodejs with azure-passport node.js package.

I have created a Service Principal (Native app) and a secret for it. I was able to get an access_token from this package as well as with the curl command below:

curl -X POST -d 'grant_type=client_credentials&client_id=[client id]&client_secret=[client secret]&resource=[client id of the server]' https://login.microsoftonline.com/[tenant]/oauth2/token

But if I pass this generated token to the REST endpoint I get a 401.

Please help me with how to authenticate a custom REST endpoint with a service principal and secret.

Below are the configuration details I have set up for the service principals (server and client).

Server SP (node.js app): Created a Service Principal and added the User.Read API permission. The admin granted the API permission. Created a custom scope (API.Access) under "Expose an API" and selected that "Admin and User" can grant it. In the node.js application I'm using only the user.read scope.

Client SP (Postman): Created a Service Principal and added the Server SP (custom scope) under API permissions. Used the curl command to get an access token without passing any scope.

1
Have you granted the web API permission to your client app? – Tony Ju
I have updated the question with more details regarding the service principal configuration. – sharath
I'm doing something wrong on the scope side. Do I need to add the custom scope in the node.js app, and also when requesting the access token using curl? @CaiyiJu please help. – sharath
I'll try today and update here. – sharath
I'm waiting for my admin to grant the permission :). It's not easy to catch Azure admins. – sharath

1 Answer

1
votes

To run code non-interactively, the way you used to get the access token is the client credential flow, which needs an application permission. Here is the difference between delegated permission and application permission.

You can define the application permission by editing the manifest of the server app.


"appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Apps that have this role have the ability to invoke my API",
            "displayName": "Can invoke my API",
            "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "myTestRole"
        }
    ]

Then your client app can add the application permissions (from your server app).
