Node JS auth request validation

[jennyf19]

Node JS validation replacement for passport.js

Dear Node JS customers,

We understand that many of you have been frustrated by the lack of a replacement for this deprecated passport.js library. We want you to know that we hear your concerns and are actively working on a solution. In the meantime, we want to assure you that we haven't forgotten about you. Auth validation is very complicated and hard to get right. For this reason, we will leverage Microsoft.IdentityModel, which has a proven track record over many years, and is hitting impressive perf metrics with the latest improvements in IdentityModel 7x on .NET 8, making Ahead of Time (AOT) comparable with non-AOT, especially in terms of request per second, which is very promising for our goal of covering all services, regardless of language with Microsoft.IdentityModel.

We are experimenting with a simple wrapper over a shared library in Node JS that will allow you to continue using the Microsoft identity platforms. This wrapper is currently only available to internal Microsoft services, but we're working hard to make it available to all of our customers as soon as possible. Thank you for your patience and understanding as we work to improve our offerings. We'll keep you updated as we make progress on this front. Please provide us with your feedback/questions/concerns as we go through this process together.

[mdodge-ecgrow]

Thank you for the update.
So just to clarify, at this time we should continue to use the Microsoft Azure Active Directory Passport.js Plug-In until this new Identity Model wrapper is finished?

[jennyf19]

The passport.js plug-in was deprecated before a replacement was created. It is no longer maintained and not receiving security updates/fixes.
We will post here any updates on the wrapper and as soon as we have something you can try, we will definitely let you know.

[CrazyBaran]

@jennyf19 3 weeks pass and still nothing about @azure/node-token-validation? Is it not even possible to share some under development package?

[CrazyBaran]

@jennyf19 Something new in topic of replacement?

[anthonyhoegberg]

Any news here?

[renanbatel]

Never would expect from MS to deprecated a library before creating a replacement, unbelievable

[lucassith]

Really? In my development team, everyone agrees that Microsoft is the first element to fail. Whether it's source code, the cloud, or tools, it's always in the microsoft realm where something fails.

[mccolljr]

Has there been any progress on this front?

[mccolljr]

Also - although this will be like talking to a brick wall, you said:

Please provide us with your feedback/questions/concerns as we go through this process together

The fact that there have been 6 months of dead air in this discussion indicates that we are not in any way "going through this process together".

[lucassith]

Of course not, they deprectated passport.js extensions simply because they don't want to maintain it anymore and they don't care.

Pure Microsoft's thinking.

[ethanherbertson]

Does anyone have a link to an explanation of why this package was deprecated? Like, are there known vulnerabilities? Or is it just deprecated because it's abandonware and it therefore should not be trusted?

[ethanherbertson]

Update: As near as I can tell, as of this writing, there are not any known (or disclosed) vulnerabilities. But with such limited communication from the former maintainers it's not something that can be easily confirmed.

[ethanherbertson]

It seems like a very bad break from best practices to "deprecate" a node module without actually deprecating it in npm, especially when it's still being downloaded ~150k a week.

[ethanherbertson]

Probably also should be deprecated or removed from the PassportJS website's list of strategies, too.

[ethanherbertson]

It is especially bad in this case, because it's not even clear (to outsiders, at least) what the canonical repository even is for pasport-azure-ad at this point.

NPM & package.json both reference AzureAD/microsoft-authentication-library-for-js as the repo, but that project does not contain the source code on its default branch—and the branches I've found that do contain the source code there do not contain the README "deprecation notice".

Finding AzureAD/passport-azure-ad—which is what I currently assume to be canonical—is not exactly difficult via Google or GitHub searches, but without the direct links that are most trusted by the users I don't know how many people would actually do so.

Meanwhile, this discussion thread, linked to by the notice, is in a third repository. As an outsider I don't understand how this repository even relates to the other two, except that presumably it is (was?) a handy high-traffic project by the same group of developers, that they were assuming would be the place where they would eventually release the replacement.

[ethanherbertson]

If MS doesn't want to support the module, @jennyf19, would they be willing to hand over control to the community that's still relying on it? Without a public timeline or at least limited support for security updates, the only responsible thing for the userbase to do is to abandon the use of the module, and pivot to either a different language or a different identity platform altogether... but at the moment they're not even being informed of the deprecation in the first place.

Meanwhile, are there any other devs/contributors who could answer some of these questions? I don't really want to just randomly @ people but I feel somewhat duty-bound to do something in the name of all those many thousands of downloaders who have not and will not notice that they're using an unsupported & "deprecated" security module. This isn't how you OSS.

[ethanherbertson]

Occurred to me that this particular concern is perhaps better addressed via an issue, so I filed one. (#2847)

[mccolljr]

@jennyf19 are you or anyone else able to speak to progress that has been made?

[mccolljr]

@jennyf19 bumping this - can we get any sort of update here?

[RomanKonopelkoVoypost]

@jennyf19 Randomly seeing the npm package of passport-azure-ad as deprecated killed me. I see that this message hangs for one year almost. So, is there any updates? And what is the current solution for the developers that has been using passport-azure-ad until getting surprised by npm deprecate warning?

[zWaR]

@RomanKonopelkoVoypost @jennyf19 I wonder the same. I found this: https://github.com/AzureAD/microsoft-authentication-library-for-js However, I haven't used it. I wonder if that's meant to be the replacement and if so, how does the migration to it look like?

[ethanherbertson]

@zWaR That library (aka MSAL.js) is still supported, but it's the library for acquiring tokens from Azure AD (aka "Entra ID"). This library was designed to actually validating those tokens, for example as part of the backend application that the user's client passes the tokens to after acquisition.

(EDIT: Just noticed jdthorpe's comment below. Threading is hard!)

[jdthorpe]

Nope. `MSAL.js` is for acquiring tokens. `passport-azure-ad` was for validating them.

…

On Wed, Jul 24, 2024 at 8:30 AM zWaR ***@***.***> wrote: @RomanKonopelkoVoypost <https://github.com/RomanKonopelkoVoypost> @jennyf19 <https://github.com/jennyf19> I wonder the same. I found this: https://github.com/AzureAD/microsoft-authentication-library-for-js However, I haven't used it. I wonder if that's meant to be the replacement and if so, how does the migration to it look like? — Reply to this email directly, view it on GitHub <#2405 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACTMQBLJZKIQ67Q4I2L6W3DZN7CALAVCNFSM6AAAAAA4B3HQLWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMJTHE2TEOI> . You are receiving this because you commented.Message ID: <AzureAD/microsoft-identity-web/repo-discussions/2405/comments/10139529@ github.com>

[sungyan]

A year has passed and there is no news.
I can't believe that this is microsoft's service

[kdarakji]

My friends any news on that?

[ssahillppatell]

Still looking for the promised simple wrapper (╥﹏╥)

[tobiasgrossmann]

We are waiting :-)

[Inaruslynx]

We could potentially use passport-oauth2, correct? It would be more involved, but is there any reason this wouldn't be a valid solution?

[ethanherbertson]

Depends on which strategy you're using this library with/for, I think. If you're using the Bearer strat, then it's plausible, but still not ideal. You'd end up doing extra config—and maybe some actual coding—to get it to work. At a certain point that custom work wipes-out some of the benefits of using a library with active support. Might still be the best option, though.

[DanielOverdevestPZH]

@jennyf19 any update on this?

[invaderb]

over a yeah and no update might be a lost cause at this point :( typical MS

[Hatko]

Has it been abandoned? We are experimenting with integrating MS AD into our NodeJS app, but it proves to be a struggle at every step

[michaelparkadze]

Seems to be abandoned and no news about the future..

[chdeliens]

Hi everyone,

Since the passport-azure-ad package is deprecated and no longer maintained, I did some research and found an alternative for securing our NodeJS applications with Azure AD authentication: the Microsoft Authentication Library (MSAL).

It provides secure access to Microsoft services and APIs using OAuth 2.0 and OpenID Connect standards, and it’s actively maintained by Microsoft.

Implementation steps

1. Set Up Your Azure AD Application

1. Register Your Application in Azure AD:

   • Go to the Azure Portal.
   • Navigate to Azure Active Directory > App registrations > New registration.
   • Enter a name for your application.
   • Set the Redirect URI to http://localhost:3000/auth/redirect (adjust based on your app’s domain and callback endpoint).
   • Choose Single-tenant or Multi-tenant based on your needs.
   • Click Register.

2. Configure Authentication Settings:

   • Under Authentication, set the Redirect URIs to match your redirect endpoint.
   • Set the Implicit grant and hybrid flows section to allow ID tokens.

3. Create a Client Secret:

   • Under Certificates & secrets, create a new client secret. Save this value; you’ll need it for the MSAL configuration.

2. Install MSAL Node Package

Install the MSAL Node package in your NodeJS project:

npm install @azure/msal-node express-session

3. Set Up MSAL in Your NodeJS App

Sample Code for NodeJS Authentication with MSAL

Not suitable for production usage, only for developement/experimentation purposes
Below is a setup to authenticate users with Azure AD, manage sessions, and protect routes:

// server.js
const express = require('express');
const session = require('express-session');
const { ConfidentialClientApplication } = require('@azure/msal-node');

const app = express();
const PORT = process.env.PORT || 3000;

// MSAL configuration
const msalConfig = {
  auth: {
    clientId: process.env.OAUTH2_CLIENT_ID,
    authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`, // Tenant ID or common for multi-tenant
    clientSecret: process.env.OAUTH2_CLIENT_SECRET,
  },
};

const msalClient = new ConfidentialClientApplication(msalConfig);

// Configure session middleware
app.use(
  session({
    secret: process.env.SESSION_SECRET_KEY || 'default_secret',
    resave: false,
    saveUninitialized: false,
    cookie: { secure: false }, // Set to true if using HTTPS
  })
);

// Login route - redirects to Azure AD for authentication
app.get('/login', (req, res) => {
  const authCodeUrlParameters = {
    scopes: ['user.read'],
    redirectUri: 'http://localhost:3000/auth/redirect', // Adjust the redirect URI
  };

  // Redirect to Microsoft login page
  msalClient.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
    res.redirect(response);
  }).catch((error) => {
    console.error('Error generating auth code URL:', error);
    res.status(500).send('Error during login');
  });
});

// Callback route - handles Azure AD redirect with authorization code
app.get('/auth/redirect', (req, res) => {
  const tokenRequest = {
    code: req.query.code, // Authorization code from query params
    scopes: ['user.read'],
    redirectUri: 'http://localhost:3000/auth/redirect', // Must match exactly with Azure AD config
  };

  // Exchange authorization code for tokens
  msalClient.acquireTokenByCode(tokenRequest).then((response) => {
    req.session.user = {
      username: response.account.username,
      name: response.account.name,
      idToken: response.idToken,
    };
    res.redirect('/profile');
  }).catch((error) => {
    console.error('Error acquiring token by code:', error);
    res.status(500).send('Error during token acquisition');
  });
});

// Protected route example
app.get('/profile', (req, res) => {
  if (!req.session.user) {
    return res.redirect('/login');
  }
  res.send(`Welcome, ${req.session.user.name}`);
});

// Logout route
app.get('/logout', (req, res) => {
  req.session.destroy((err) => {
    if (err) {
      console.error('Error during logout:', err);
      return res.status(500).send('Error during logout');
    }
    res.redirect('/');
  });
});

app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});

Explanation of Key Components

1. MSAL Configuration:

   • The MSAL configuration (msalConfig) specifies your Azure AD tenant, client ID, and client secret.

2. Login and Redirect Handling:

   • /login Route: Redirects the user to Azure AD for authentication.
   • /auth/redirect Route: Handles the callback from Azure AD, exchanges the authorization code for tokens, and stores user information in the session.

3. Protected Routes:

   • Example protected route (/profile) checks for session data to verify the user is authenticated.

4. Session Management:

   • Session middleware (express-session) is used to manage user sessions and handle authentication state.

Advantages of Using MSAL

• Actively Maintained: MSAL is actively maintained by Microsoft, ensuring security updates and compatibility with the latest Azure AD features.
• Robust Security: Supports modern authentication flows, including OAuth 2.0 and OpenID Connect.
• Scalable and Configurable: Easily handles multi-tenant scenarios and complex authentication requirements.

Final Steps

1. Set Up Environment Variables:

   • Ensure that you have configured the necessary environment variables:
     • OAUTH2_CLIENT_ID
     • OAUTH2_CLIENT_SECRET
     • TENANT_ID
     • SESSION_SECRET_KEY

2. Test the Application:

   • Run your NodeJS application, navigate to /login, and test the authentication flow.

It worked for me ;) Hope this helps!!!

[jdthorpe]

@chdeliens I think you misunderstand the purpose of the passport.js library, which is to validate auth tokens. Your code sample uses a client secret to acquire an auth token but nowhere in your code have you validated it.

[ethanherbertson]

Agreed with @jdthorpe . The pattern you show is able to secure an app, but will not be a viable workaround for (most) people who were previously relying on the passport-azure-ad module.

[chdeliens]

Indeed. For my more straightforward (and internal) use case, that worked.

Unless I misunderstood what you said, you want to validate the JWT.

JWTs emitted by Microsoft are signed with their private keys, and Microsoft publishes their public keys to verify signatures.
It's not a Microsoft-specific thing.

The JWKS (containing all public keys) is exposed through their OIDC.

Using any generic JWT library will help you quickly validate the access and ID tokens.

[DanielOverdevestPZH]

Dear community,

I have found a "drop-in replacement" for the deprecated passport-azure-ad. The replacement utilizes the passport-jwt and jwks-rsa packages.

• passport-jwt serves as the middleware replacement.
• jwks-rsa handles the validation of the Bearer token with public signed keys from Microsoft.

This solution supports the Bearer token approach of passport-azure-ad, but does not support the OIDC approach.

Here is the code before the replacement:

const { BearerStrategy } = require('passport-azure-ad');

const tenantId = process.env.AD_APPLICATION_TENANT_ID;
const clientId = process.env.AD_APPLICATION_CLIENT_ID;
const identityMetadata = `https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration`;
const issuer = `https://login.microsoftonline.com/${tenantId}/v2.0`;

const options = {
  identityMetadata: identityMetadata,
  clientID: clientId,
  validateIssuer: true,
  issuer: issuer,
};

async function verifyCallBack(token, done) {
  // do some stuff
  return done(null, token, token);
}

const bearerStrategy = new BearerStrategy(options, verifyCallBack);

module.exports = {
  bearerStrategy
};

And here is the new "drop-in replacement" code:

const { Strategy, ExtractJwt } = require('passport-jwt');
const jwksRsa = require('jwks-rsa');

// The tenant ID is the Azure AD tenant ID. The client ID is the application ID of the app registration.
const tenantId = process.env.AD_APPLICATION_TENANT_ID;
const clientId = process.env.AD_APPLICATION_CLIENT_ID;

// This is the URL where the public keys for the tenant are stored.
const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`;

// This issuer and audience are used for API scope with MSAL
const issuer1 = `https://sts.windows.net/${tenantId}/`;
const audience1 = `api://${clientId}`;

// This issuer and audience are used if authentication is enabled on App Service with token cache.
const issuer2 = `https://login.microsoftonline.com/${tenantId}/v2.0`;
const audience2 = `${clientId}`;

// The options for the JWT strategy
const options = {
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  audience: [audience1, audience2],
  issuer: [issuer1, issuer2],
  algorithms: ['RS256'],
  secretOrKeyProvider: jwksRsa.passportJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: jwksUri,
  }),
};

// This function is called when the token is verified
async function verifyCallBack(token, done) {
  // do something with the token
  return done(null, token);
}

const bearerStrategy = new Strategy(options, verifyCallBack);

module.exports = { bearerStrategy };

This replacement should help anyone who still needs the Bearer token validation functionality after passport-azure-ad's deprecation.