
I'm trying to implement a login via the Azure AD Passport.js OIDCStrategy. Besides Google and existing questions here on Stack Overflow, I've mainly used the following two pages as resources so far:

I have the following questions, as I also want to extend my knowledge around passport.js and the Azure AD strategy:

  1. When I go to /auth/AzureAD, I'm redirected to the https://login.microsoftonline.com/ login form. However, when I enter valid login credentials, I'm redirected to the redirectUrl. What am I doing wrong?
  2. Should there also be a router.post for /auth/AzureAD/callback and if so, why?
  3. For other passport.js strategies (google and local) we needed to store some details into our MongoDB. Shouldn't this also be done for the Azure AD strategy and if so which details?
  4. When do you use the BearerStrategy instead of the OIDCStrategy?

I'm quite sure I've configured identityMetadata and clientID in the right way. I'm not sharing this information as I'm not sure that's the right thing to do.

Many thanks in advance if you can help me move in the right direction!

passport.js

const passport = require('passport');
const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
const mongoose = require('mongoose');
const User = require('../Models/User');

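  // In-memory stand-in for the user store used by the passport-azure-ad
  // sample this file was adapted from. The original code referenced `users`
  // and `findByOid` without defining them, so the verify callback threw a
  // ReferenceError inside process.nextTick on every successful login.
  // Replace these two with a lookup/insert on the imported `User` model once
  // the fields to persist are decided (at minimum the `oid` used as the key).
  const users = [];

  // Looks up a previously seen profile by its Azure AD object id (oid).
  // Calls fn(null, profile) when found and fn(null, null) otherwise.
  function findByOid(oid, fn) {
    const match = users.find((u) => u.oid === oid);
    return fn(null, match === undefined ? null : match);
  }

  // Verify callback handed to OIDCStrategy. It receives the claims-derived
  // profile and must finish by calling done(err, user). `profile.oid` is the
  // tenant-scoped object id and is the key users are matched on.
  function verifyAzureUser(iss, sub, profile, accessToken, refreshToken, done) {
    if (!profile.oid) {
      return done(new Error('No oid found'), null);
    }
    // Defer the lookup so done() is always invoked asynchronously.
    process.nextTick(() => {
      findByOid(profile.oid, (err, user) => {
        if (err) {
          return done(err);
        }
        if (!user) {
          // "Auto-registration": the first login creates the record.
          users.push(profile);
          return done(null, profile);
        }
        return done(null, user);
      });
    });
  }

  passport.use(
    new OIDCStrategy(
      {
        // Tenant-specific metadata document (issuer, endpoints, signing keys).
        identityMetadata: 'https://login.microsoftonline.com/XXX.onmicrosoft.com/v2.0/.well-known/openid-configuration',
        clientID: 'XXX',
        responseType: 'code id_token',
        // form_post makes Azure AD deliver the response as an HTTP POST to
        // redirectUrl, so the callback route must accept POST and a
        // urlencoded body parser has to run in front of it.
        responseMode: 'form_post',
        redirectUrl: 'http://localhost:3000/auth/AzureAD/callback',
        // Dev-only: a plain-http redirect URI carries the code/id_token in
        // clear text. Use https and set this to false outside localhost.
        allowHttpForRedirectUrl: true,
        // Placeholder. Load the real secret from the environment (as app.js
        // does for SESSION_SECRET) instead of committing it to source.
        clientSecret: 'XXX',
        // false skips the check of the id_token's `iss` claim against the
        // tenant metadata above. For a single-tenant app pointed at a
        // tenant-specific metadata URL this should be true.
        validateIssuer: false,
        isB2C: false,
        issuer: null,
        passReqToCallback: false,
        scope: ['profile', 'offline_access'],
        loggingLevel: 'info',
        nonceLifetime: null,
        nonceMaxAmount: 6,
        // Tolerated clock drift, in seconds, when checking token lifetimes.
        clockSkew: 300,
      },
      verifyAzureUser,
    ),
  );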

app.js

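// Passport middleware - Express Session
// session() only builds the middleware; it has to be handed to app.use(),
// otherwise req.session never exists and passport.session() below has
// nothing to restore the user from.
app.use(
  session({
    // express-session throws at startup when the secret is missing, so an
    // unset SESSION_SECRET fails loudly instead of signing cookies with a
    // predictable value.
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    store: new MongoStore({ mongooseConnection: mongoose.connection, collection: 'sessions' }),
    cookie: {
      // Keep the session id out of reach of page scripts (express-session's
      // default, made explicit).
      httpOnly: true,
      // Send the cookie over https only once the app is no longer served from
      // http://localhost. Behind a TLS-terminating proxy this also needs
      // app.set('trust proxy', 1).
      // NOTE(review): do not set sameSite to 'strict' here — the form_post
      // callback from login.microsoftonline.com is a cross-site POST and would
      // arrive without the session cookie, breaking the state/nonce check.
      secure: process.env.NODE_ENV === 'production',
    },
  }),
);

app.use(passport.initialize());
app.use(passport.session());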

auth.js

const express = require('express')
const passport = require('passport')
const router = express.Router()

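// @desc    Auth with Azure AD: redirects the browser to the Azure AD login form
// @route   GET /auth/AzureAD
router.get('/AzureAD', passport.authenticate('azuread-openidconnect', { scope: ['profile'] }));

// @desc    AzureAD auth callback
// @route   POST /auth/AzureAD/callback
// The strategy is configured with responseMode 'form_post', so Azure AD
// returns code/id_token as a form-encoded POST body to this URL; a GET route
// never receives that request. express.urlencoded() is mounted here so
// req.body is populated even when app.js does not parse form bodies globally
// (a second urlencoded parser is skipped once the body has been read).
router.post(
  '/AzureAD/callback',
  express.urlencoded({ extended: false }),
  passport.authenticate('azuread-openidconnect', { failureRedirect: '/login' }),
  (req, res) => {
    // Authentication succeeded and req.user is set; send the user home.
    res.redirect('/');
  },
);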

login.ejs

<!-- Entry point for the Azure AD login: a plain link to GET /auth/AzureAD,
     which auth.js handles with passport.authenticate(). -->
<div class="section">
  <a class="btn red darken-1" href="/auth/AzureAD">
    <i class="fab fa-microsoft"></i> Log In With Azure
  </a>
</div>


  1. This is expected behavior.
  2. Yes, since you're setting responseMode to form_post: Azure AD then delivers the response to the callback URL with an HTTP POST, which a GET-only route never receives.
  3. There's no need.
  4. Use OIDCStrategy to redirect the user to the Azure AD login form and get an ID token on successful login. Use BearerStrategy to validate an access token attached to an HTTP request.