How to use passport-azure-ad - 10 common examples
To help you get started, we’ve selected a few passport-azure-ad examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
Azure / platform-chaos-api / src / lib / app.ts View on Github 
})
azureChaos.factory.Logger.configure({
// tslint:disable-next-line
logImpl: console.log
})
azureChaos.factory.AzureAuthenticator.configure({
msRestImpl: require('ms-rest-azure')
})
const proc = azureChaos.factory.RequestProcessor.create()
const registry = azureChaos.factory.ExtensionRegistry.create()
const app = express()
if (opts && opts.isProd) {
// in production, use Bearer Strategy for auth
passport.use(new BearerStrategy({
audience: opts.authAudience,
clientID: opts.authClientId,
identityMetadata: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
issuer: opts.authIssuer,
loggingLevel: 'error'
}, (token, done) => {
done(null, token)
}))
} else {
// if !isProd the test suite is being run so mock authentication
const mockStrategy = new MockStrategy(
(token, done) => {
if (token === constants.MOCK_TOKEN) {
done(null, {})
} else {
done(null, false, { message: 'bad token' })var options = {
identityMetadata: "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration/",
clientID: "85327f73-fd44-46b9-a159-28544ff72288",
validateIssuer: false,
loggingLevel: 'warn',
passReqToCallback: false
};
// Check for client id placeholder
if (options.clientID === 'YOUR_CLIENT_ID') {
console.error("Please update 'options' with the client id (application id) of your application");
return;
}
var bearerStrategy = new BearerStrategy(options,
function (token, done) {
// Send user info using the second argument
done(null, {}, token);
}
);
var app = express();
app.use(morgan('dev'));
app.use(passport.initialize());
passport.use(bearerStrategy);
app.use(function (req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Headers", "Authorization, Origin, X-Requested-With, Content-Type, Accept");
next();}
// ----------------------------------------------------------------------------
// GitHub Passport session setup.
// ----------------------------------------------------------------------------
let githubOptions = {
clientID: githubAppConfiguration.clientId,
clientSecret: githubAppConfiguration.clientSecret,
callbackURL: undefined,
scope: [],
userAgent: 'passport-azure-oss-portal-for-github' // CONSIDER: User agent should be configured.
};
if (githubAppConfiguration.callbackUrl) {
githubOptions.callbackURL = githubAppConfiguration.callbackUrl;
}
let githubPassportStrategy = new GitHubStrategy(githubOptions, githubResponseToSubset.bind(null, app, modernAppInUse));
let aadStrategy = new OIDCStrategy({
redirectUrl: config.activeDirectory.redirectUrl,
allowHttpForRedirectUrl: config.containers.docker || config.webServer.allowHttp,
realm: config.activeDirectory.tenantId,
clientID: config.activeDirectory.clientId,
clientSecret: config.activeDirectory.clientSecret,
oidcIssuer: config.activeDirectory.issuer,
identityMetadata: 'https://login.microsoftonline.com/' + config.activeDirectory.tenantId + '/.well-known/openid-configuration',
responseType: 'id_token code',
responseMode: 'form_post',
validateIssuer: true,
}, activeDirectorySubset.bind(null, app));
// Patching the AAD strategy to intercept a specific state failure message and instead
// of providing a generic failure message, redirecting (HTTP GET) to the callback page
// where we can offer a more useful message
const originalFailWithLog = aadStrategy.failWithLog;let userHash = require('crypto').createHash('sha256').update(password).digest('base64');
if (user.password !== userHash) {
return cb(null, false, { message: 'Incorrect login' });
}
return cb(null, user);
});
}));
if (process.env.AZURE_IDENTITY_METADATA) {
if (strategyConfig.loggingLevel) { log.levels("console", strategyConfig.loggingLevel); }
// Used by ADFS users
passport.use(new OIDCStrategy(strategyConfig,
function (profile, done) {
// Depending on the type of the account e.g. registered in live.com or kainos.com
// user's email may be returned in "unique_name" field instead of "email"
var email = profile._json.email || profile._json.unique_name
if (!email) {
return done(new Error("No email found"), null);
}
process.nextTick(function () {
// ADFS user's username is set to the email used in the authentication process
users.findByUsername(email, function (err, user) {
if (err) {
return done(err);
}
if (!user) {
registerUserUsingProfileData(profile._json, function (err, user) {for (var i = 0, len = users.length; i < len; i++) {
var user = users[i];
log.info('we are using user: ', user);
if (user.email === email) {
return fn(null, user);
}
}
return fn(null, null);
};
// Use the OIDCStrategy within Passport. (Section 2)
//
// Strategies in passport require a `validate` function, which accept
// credentials (in this case, an OpenID identifier), and invoke a callback
// with a user object.
passport.use(new OIDCStrategy({
callbackURL: config.creds.returnURL,
realm: config.creds.realm,
clientID: config.creds.clientID,
clientSecret: config.creds.clientSecret,
oidcIssuer: config.creds.issuer,
identityMetadata: config.creds.identityMetadata,
skipUserProfile: config.creds.skipUserProfile,
responseType: config.creds.responseType,
responseMode: config.creds.responseMode
},
function(iss, sub, profile, accessToken, refreshToken, done) {
if (!profile.email) {
return done(new Error("No email found"), null);
}
// asynchronous verification, for effect...
process.nextTick(function () {//
// Strategies in passport require a `verify` function, which accepts credentials
// (in this case, the `oid` claim in id_token), and invoke a callback to find
// the corresponding user object.
//
// The following are the accepted prototypes for the `verify` function
// (1) function(iss, sub, done)
// (2) function(iss, sub, profile, done)
// (3) function(iss, sub, profile, access_token, refresh_token, done)
// (4) function(iss, sub, profile, access_token, refresh_token, params, done)
// (5) function(iss, sub, profile, jwtClaims, access_token, refresh_token, params, done)
// (6) prototype (1)-(5) with an additional `req` parameter as the first parameter
//
// To do prototype (6), passReqToCallback must be set to true in the config.
//-----------------------------------------------------------------------------
passport.use(new OIDCStrategy({
identityMetadata: config.creds.identityMetadata,
clientID: config.creds.clientID,
responseType: config.creds.responseType,
responseMode: config.creds.responseMode,
redirectUrl: config.creds.redirectUrl,
allowHttpForRedirectUrl: config.creds.allowHttpForRedirectUrl,
clientSecret: config.creds.clientSecret,
validateIssuer: config.creds.validateIssuer,
isB2C: config.creds.isB2C,
issuer: config.creds.issuer,
passReqToCallback: config.creds.passReqToCallback,
scope: config.creds.scope,
loggingLevel: config.creds.loggingLevel,
nonceLifetime: config.creds.nonceLifetime,
nonceMaxAmount: config.creds.nonceMaxAmount,
useCookieInsteadOfSession: config.creds.useCookieInsteadOfSession,//
// Strategies in passport require a `verify` function, which accepts credentials
// (in this case, the `oid` claim in id_token), and invoke a callback to find
// the corresponding user object.
//
// The following are the accepted prototypes for the `verify` function
// (1) function(iss, sub, done)
// (2) function(iss, sub, profile, done)
// (3) function(iss, sub, profile, access_token, refresh_token, done)
// (4) function(iss, sub, profile, access_token, refresh_token, params, done)
// (5) function(iss, sub, profile, jwtClaims, access_token, refresh_token, params, done)
// (6) prototype (1)-(5) with an additional `req` parameter as the first parameter
//
// To do prototype (6), passReqToCallback must be set to true in the config.
// -----------------------------------------------------------------------------
passport.use(new passportAzureAD.OIDCStrategy({
identityMetadata: config.creds.identityMetadata,
clientID: config.creds.clientID,
responseType: config.creds.responseType as typeof OIDCStrategyTemplate.responseType,
responseMode: config.creds.responseMode as typeof OIDCStrategyTemplate.responseMode,
redirectUrl: config.creds.redirectUrl,
allowHttpForRedirectUrl: config.creds.allowHttpForRedirectUrl,
clientSecret: config.creds.clientSecret,
validateIssuer: config.creds.validateIssuer,
isB2C: config.creds.isB2C,
issuer: config.creds.issuer,
passReqToCallback: false,
scope: config.creds.scope,
loggingLevel: config.creds.logLevel as typeof OIDCStrategyTemplate.loggingLevel,
nonceLifetime: config.creds.nonceLifetime,
nonceMaxAmount: config.creds.nonceMaxAmount,
useCookieInsteadOfSession: config.creds.useCookieInsteadOfSession,// Below is an example after you have the key cert pair:
// const https = require('https');
// const certConfig = {
// key: fs.readFileSync('./utils/cert/server.key', 'utf8'),
// cert: fs.readFileSync('./utils/cert/server.crt', 'utf8')
// };
// const server = https.createServer(certConfig, app);
// authentication setup
var callback = function (iss, sub, profile, accessToken, refreshToken, done) {
done(null, {
profile: profile,
accessToken: accessToken,
refreshToken: refreshToken
});
};
passport.use(new OIDCStrategy(config.creds, callback));
var users = {};
passport.serializeUser(function (user, done) {
var id = uuid.v4();
users[id] = user;
done(null, id);
});
passport.deserializeUser(function (id, done) {
var user = users[id];
done(null, user);
});
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'hbs');
app.use(favicon(path.join(__dirname, 'public', 'img', 'favicon.ico')));
app.use(logger('dev'));
app.use(bodyParser.json());//
// Strategies in passport require a `verify` function, which accepts credentials
// (in this case, the `oid` claim in id_token), and invoke a callback to find
// the corresponding user object.
//
// The following are the accepted prototypes for the `verify` function
// (1) function(iss, sub, done)
// (2) function(iss, sub, profile, done)
// (3) function(iss, sub, profile, access_token, refresh_token, done)
// (4) function(iss, sub, profile, access_token, refresh_token, params, done)
// (5) function(iss, sub, profile, jwtClaims, access_token, refresh_token, params, done)
// (6) prototype (1)-(5) with an additional `req` parameter as the first parameter
//
// To do prototype (6), passReqToCallback must be set to true in the config.
//-----------------------------------------------------------------------------
passport.use(new OIDCStrategy({
identityMetadata: config.creds.identityMetadata,
clientID: config.creds.clientID,
responseType: config.creds.responseType,
responseMode: config.creds.responseMode,
redirectUrl: config.creds.redirectUrl,
allowHttpForRedirectUrl: config.creds.allowHttpForRedirectUrl,
clientSecret: config.creds.clientSecret,
validateIssuer: config.creds.validateIssuer,
isB2C: config.creds.isB2C,
issuer: config.creds.issuer,
passReqToCallback: config.creds.passReqToCallback,
scope: config.creds.scope,
loggingLevel: config.creds.loggingLevel,
nonceLifetime: config.creds.nonceLifetime,
nonceMaxAmount: config.creds.nonceMaxAmount,
useCookieInsteadOfSession: config.creds.useCookieInsteadOfSession,var tenantID = tenantName + ".onmicrosoft.com";
var clientID = "25eef6e4-c905-4a07-8eb4-0d08d5df8b3f";
var policyName = "B2C_1_SUSI";
var domain = tenantName + ".b2clogin.com"
var options = {
identityMetadata: "https://" + domain + "/" + tenantID + "/v2.0/.well-known/openid-configuration/",
clientID: clientID,
policyName: policyName,
isB2C: true,
validateIssuer: true,
loggingLevel: 'info',
passReqToCallback: false
};
var bearerStrategy = new BearerStrategy(options,
function (token, done) {
// Send user info using the second argument
done(null, {}, token);
}
);
var app = express();
app.use(morgan('dev'));
app.use(passport.initialize());
passport.use(bearerStrategy);
app.use(function (req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Headers", "Authorization, Origin, X-Requested-With, Content-Type, Accept");
next();passport-azure-ad
OIDC and Bearer Passport strategies for Azure Active Directory
