Passport strategy for authenticating with Azure OAuth 2.0 API.
This module lets you authenticate using Azure in your Node.js applications. By plugging into Passport, Azure / Office 365 authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
```sh
$ npm install passport-azure-oauth
```
The Azure authentication strategy authenticates users using an Azure / Microsoft Office 365 account via OAuth 2.0. The strategy requires a `verify` callback, which accepts these credentials and calls `done` providing a user, as well as `options` specifying a client ID, client secret, tenant id, resource and redirect URL.
```javascript
var passport = require('passport');
// Export name assumed to follow the usual Passport convention (`.Strategy`).
var AzureOAuthStrategy = require('passport-azure-oauth').Strategy;

passport.use(new AzureOAuthStrategy({
    clientId     : AzureOAuth_ClientId,
    clientSecret : AzureOAuth_ClientSecret,
    tenantId     : AzureOAuth_AppTenantId,
    resource     : AzureOAuth_AuthResource,
    redirectURL  : AzureOAuth_RedirectURL,
    user         : AzureOAuth_User,
    proxy        : {
      host     : 'myProxyHost',
      port     : 'myProxyPort',
      protocol : 'https' // http / https
    }
  },
  function(accessToken, refreshToken, profile, done) {
    // Verify callback: look up or create your local user from `profile`,
    // then hand it (or an error) to Passport. Here the profile is passed through as-is.
    return done(null, profile);
  }
));
```
Azure-OAuth creates a dynamic redirect URL from the given parameters and provides it to Azure.
Azure returns an "invalid grant" error if the redirect URL of the origin request and the redirect URL of the callback request differ. Make sure that:
* the redirect URL is the same URL as you configured in the Azure AD configuration
* you pass the same parameters to the origin request and to the callback request.
All parameters given in `new AzureOAuthStrategy({ })` will be passed to your redirectURL. E.g. the callback URL looks like:
```javascript
redirectURL + '?redirectUrl=' + redirectUrl + '&myParameter=' + 'Im a parameter'
```
When your app grants multiple permissions for different APIs, you can leave the "resource" parameter empty. When it is empty, the Office 365 Discovery Service will be invoked to get all available endpoints, with access tokens, for the authenticated user.
After a successful authentication, the user object contains an additional object called "endpoints":
```json
{
  "username": "demo@xyz.de",
  "displayname": "Demo User",
  "endpoints": {
    "RootSite@O365_SHAREPOINT": {
      "accessToken": "eyJ0eXA...myzA",
      "serviceName": "Office 365 SharePoint",
      "serviceEndpointUri": "https://XYZ.sharepoint.com/_api"
    },
    "MyFiles@O365_SHAREPOINT": {
      "accessToken": "eyJ0eXA...myzA",
      "serviceName": "Office 365 SharePoint",
      "serviceEndpointUri": "https://XYZ-my.sharepoint.com/_api/v1.0/me"
    },
    "Directory@AZURE": {
      "accessToken": "eyJ0eXA...myzA",
      "serviceName": "Microsoft Azure",
      "serviceEndpointUri": "https://graph.windows.net/XYZ.onmicrosoft.com/"
    }
  },
  "accessToken": "eyJ0eXA...myzA",
  "accessTokenExpirationTime": 1438931641638,
  "refreshToken": "eyJ0eXA...myzA",
  "refreshTokenExpirationTime": 1454832805638
}
```
The top-level "accessToken" and "refreshToken" are mapped to the resourceId "https://api.office.com/discovery/", so please use the access tokens from the "endpoints" object.
All tokens expire in 1 hour; when the refresh is called, all endpoint tokens are refreshed too!
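The following is an added example (not part of this module) of how a consumer might pick the endpoint-scoped token for an outgoing request instead of the discovery-scoped top-level token, and check expiry first. The user object is constructed from the shape shown above with placeholder token values; `endpointFor`, `tokensExpired` and `authHeaderFor` are hypothetical helper names.

```javascript
'use strict';
// Constructed sample of the user object described above (token values are placeholders).
const sampleUser = {
  username: 'demo@xyz.de',
  endpoints: {
    'RootSite@O365_SHAREPOINT': { accessToken: 'tok-rootsite',
      serviceEndpointUri: 'https://XYZ.sharepoint.com/_api' },
    'MyFiles@O365_SHAREPOINT':  { accessToken: 'tok-myfiles',
      serviceEndpointUri: 'https://XYZ-my.sharepoint.com/_api/v1.0/me' },
    'Directory@AZURE':          { accessToken: 'tok-directory',
      serviceEndpointUri: 'https://graph.windows.net/XYZ.onmicrosoft.com/' }
  },
  accessToken: 'tok-discovery',            // scoped to the Discovery Service only
  accessTokenExpirationTime: 1438931641638,
  refreshToken: 'tok-refresh'
};

// Find the endpoint whose serviceEndpointUri covers targetUrl. The origin must
// match exactly and the path must sit under the endpoint path, so a lookalike
// host or a sibling path such as /_apix can never borrow a token.
function endpointFor(user, targetUrl) {
  const target = new URL(targetUrl);
  let best = null;
  for (const [name, ep] of Object.entries(user.endpoints || {})) {
    const base = new URL(ep.serviceEndpointUri);
    const basePath = base.pathname.replace(/\/$/, '');
    if (base.origin !== target.origin) continue;
    if (target.pathname !== basePath && !target.pathname.startsWith(basePath + '/')) continue;
    if (!best || basePath.length > best.basePath.length) best = { name, ep, basePath };
  }
  return best ? { name: best.name, ...best.ep } : null;
}

// All endpoint tokens share the lifetime of the main accessToken, so one check
// covers them; `skewMs` avoids sending a token that expires while in transit.
function tokensExpired(user, nowMs, skewMs = 60 * 1000) {
  return nowMs + skewMs >= user.accessTokenExpirationTime;
}

// Authorization header for targetUrl, using only the endpoint-scoped token.
// Never falls back to user.accessToken: it is scoped to the Discovery Service,
// so other services will not accept it and it should not be sent to them.
function authHeaderFor(user, targetUrl, nowMs = Date.now()) {
  if (tokensExpired(user, nowMs)) throw new Error('tokens expired; refresh before calling ' + targetUrl);
  const ep = endpointFor(user, targetUrl);
  if (!ep) throw new Error('no endpoint token for ' + targetUrl);
  return { headers: { Authorization: 'Bearer ' + ep.accessToken }, endpoint: ep.name };
}
```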
Use `passport.authenticate()`, specifying the `'azureOAuth'` strategy, to authenticate requests.
For example, as route middleware in an Express application:
```javascript
app.get('/auth/azureOAuth',
  passport.authenticate('azureOAuth', {
    failureRedirect: '/login'
  }),
  function(req, res) {
    // The request will be redirected to SharePoint for authentication, so
    // this function will not be called.
  });

app.get('/auth/azureOAuth/callback',
  passport.authenticate('azureOAuth', {
    failureRedirect: '/login'
    // refreshToken: azureOAuth_RefreshToken
  }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });
```
