Store MSAL logged-in users and precheck them before doing a request on node.js web app
Library

- msal@1.x.x or @azure/msal@1.x.x
- @azure/msal-browser@2.x.x
- @azure/msal-node@1.0.0
- @azure/msal-react@1.x.x
- @azure/msal-angular@0.x.x
- @azure/msal-angular@1.x.x
- @azure/msal-angular@2.x.x
- @azure/msal-angularjs@1.x.x
Description
In my node project I have the following basic code to connect to Azure via a token. The login/logout works great together with our Azure:
const express = require("express");
const msal = require('@azure/msal-node');
const SERVER_PORT = process.env.PORT || 3000;

const config = {
    auth: {
        clientId: "XXX",
        authority: "https://login.microsoftonline.com/common",
        clientSecret: "XXX"
    },
    system: {
        loggerOptions: {
            loggerCallback(loglevel, message, containsPii) {
                console.log(message);
            },
            piiLoggingEnabled: false,
            logLevel: msal.LogLevel.Verbose,
        }
    }
};

const pca = new msal.ConfidentialClientApplication(config);
const app = express();

app.get('/', (req, res) => {
    res.send("<a href=\"login\">Login</a> <a href=\"logout\">Logout</a>");
});

app.get('/dashboard', (req, res) => {
    // check here for valid token...
});

app.get('/login', (req, res) => {
    const authCodeUrlParameters = {
        scopes: ["user.read"],
        redirectUri: "http://localhost:3000/redirect",
    };
    pca.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
        res.redirect(response);
    }).catch((error) => console.log(JSON.stringify(error)));
});

app.get('/logout', (req, res) => {
    res.redirect('https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=http://localhost:3000/');
});

app.get('/redirect', (req, res) => {
    const tokenRequest = {
        code: req.query.code,
        scopes: ["user.read"],
        redirectUri: "http://localhost:3000/redirect",
    };
    pca.acquireTokenByCode(tokenRequest).then((response) => {
        console.log("\nResponse: \n:", response);
        res.sendStatus(200);
    }).catch((error) => {
        console.log(error);
        res.status(500).send(error);
    });
});

app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
But how do I properly check, after logging in, whether the token is still valid?
So the question is: how can I be sure that the user on /dashboard still has a valid token or is logged in?

app.get('/dashboard', (req, res) => {
    // check here for valid token...
});
At the end I need a node.js application that:
- is safe (token-based and secrets stay on the node.js server)
- user only logs in once until they log out on their own
- has user auth (msal)
- can give granular permissions on routes
Can I do all that in node.js, or is it better to do that client-side? But am I then reducing the security? Or do I even need an extension like this https://www.npmjs.com/package/@azure/msal-node-extensions and https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/extensions/samples/msal-node-extensions/index.js?
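One way to answer the /dashboard question on the server side, as an added example that is not code from the issue or from @azure/msal-node itself: the session stores only the MSAL `homeAccountId`, and every protected request looks the account up in the MSAL token cache and calls `acquireTokenSilent`, which hands back a cached access token while it is valid, uses the refresh token when it is not, and throws when the user genuinely has to sign in again. Tokens and the client secret never leave the node process. The MSAL client is injected so the guard can be exercised offline; `fakeMsalClient` and `simulate` at the bottom are constructed stand-ins, not the real library, and the assumption is that a real client exposes `getTokenCache().getAccountByHomeId(id)` and `acquireTokenSilent({ account, scopes })` as msal-node 1.x does. The `requireRole` guard covers the "granular permissions on routes" point by checking the `roles` claim of the ID token MSAL already validated.

```javascript
// Added example, not code from the issue or from @azure/msal-node.
// Server-side session guard for an Express app using msal-node.

const SESSION_KEY = 'msalHomeAccountId';

// Call from /redirect after acquireTokenByCode succeeds. Only the account id is
// persisted in the session; access/refresh tokens stay in the MSAL cache.
function rememberAccount(session, authResult) {
  if (!authResult || !authResult.account) {
    throw new Error('token response has no account');
  }
  session[SESSION_KEY] = authResult.account.homeAccountId;
}

function forgetAccount(session) {
  if (session) delete session[SESSION_KEY];
}

// msalClient is assumed to expose getTokenCache().getAccountByHomeId(id) and
// acquireTokenSilent({ account, scopes }) (msal-node 1.x shape).
function requireValidToken(msalClient, scopes, { loginPath = '/login' } = {}) {
  return async function guard(req, res, next) {
    const homeId = req.session && req.session[SESSION_KEY];
    if (!homeId) return res.redirect(loginPath);
    try {
      const account = await msalClient.getTokenCache().getAccountByHomeId(homeId);
      if (!account) throw new Error('account not in token cache');
      // Cached token while valid, refresh-token renewal otherwise; a throw
      // (e.g. InteractionRequiredAuthError) is the "session expired" signal.
      req.authResult = await msalClient.acquireTokenSilent({ account, scopes });
      return next();
    } catch (err) {
      forgetAccount(req.session);
      return res.redirect(loginPath);
    }
  };
}

// Route-level permission check on the "roles" app-role claim of the ID token.
function requireRole(role) {
  return function roleGuard(req, res, next) {
    const claims = (req.authResult && req.authResult.idTokenClaims) || {};
    const roles = Array.isArray(claims.roles) ? claims.roles : [];
    if (!roles.includes(role)) return res.status(403).send('forbidden');
    return next();
  };
}

// ---- constructed stand-in for the MSAL client (not the real library) ----
function fakeMsalClient({ cachedAccounts, silentOutcome }) {
  return {
    getTokenCache: () => ({
      getAccountByHomeId: async (id) => cachedAccounts[id] || null,
    }),
    acquireTokenSilent: async ({ account }) => {
      if (silentOutcome === 'expired') {
        const e = new Error('interaction_required');
        e.name = 'InteractionRequiredAuthError';
        throw e;
      }
      return {
        account,
        accessToken: 'constructed-access-token',
        idTokenClaims: { roles: ['Dashboard.Read'] },
      };
    },
  };
}

// Drives both guards against a constructed request and reports the outcome.
async function simulate({ session, cachedAccounts, silentOutcome, role }) {
  const client = fakeMsalClient({ cachedAccounts, silentOutcome });
  const outcome = { redirectedTo: null, status: null, reachedHandler: false };
  const req = { session };
  const res = {
    redirect: (p) => { outcome.redirectedTo = p; },
    status: (code) => ({ send: () => { outcome.status = code; } }),
  };
  await requireValidToken(client, ['user.read'])(req, res, async () => {
    requireRole(role)(req, res, () => { outcome.reachedHandler = true; });
  });
  outcome.session = session;
  return outcome;
}
```

In a real app `rememberAccount(req.session, response)` goes into the /redirect handler (with express-session or similar providing `req.session`), `/dashboard` becomes `app.get('/dashboard', requireValidToken(pca, ['user.read']), requireRole('Dashboard.Read'), handler)`, and /logout calls `forgetAccount(req.session)` before redirecting to the Azure AD logout URL. The default msal-node cache is in-process memory, so accounts are lost on restart; the msal-node-extensions package mentioned above is only needed if that cache must persist across restarts or processes.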
Issue Analytics

- Created 3 years ago
- Comments: 10 (3 by maintainers)
Top GitHub Comments
I searched around a bit and found out that I need to set the App to Public, and now it directly worked out.

I did not know this. And this should definitely be better communicated in the docs. Maybe this solves all my issues. I am testing.

Ok, so testing the silent flow was a good idea. It works great. So there has been a bad setup when I tested it in the past, or that Public setting was the reason.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/standalone-samples/silent-flow
This works with the PublicClientApplication, and acquireTokenSilent also works as expected. Anyway, the documentation needs to be extended, because this setup is the best for many web applications but I only found it now after weeks. So making it more prominent would help.