Replies: 23 comments 16 replies
-
Thank you for the update. |
Beta Was this translation helpful? Give feedback.
-
@jennyf19 3 weeks pass and still nothing about @azure/node-token-validation? Is it not even possible to share some under development package? |
Beta Was this translation helpful? Give feedback.
-
@jennyf19 Something new in topic of replacement? |
Beta Was this translation helpful? Give feedback.
-
Any news here? |
Beta Was this translation helpful? Give feedback.
-
Never would expect from MS to deprecated a library before creating a replacement, unbelievable |
Beta Was this translation helpful? Give feedback.
-
Has there been any progress on this front? |
Beta Was this translation helpful? Give feedback.
-
Also - although this will be like talking to a brick wall, you said:
The fact that there have been 6 months of dead air in this discussion indicates that we are not in any way "going through this process together". |
Beta Was this translation helpful? Give feedback.
-
Does anyone have a link to an explanation of why this package was deprecated? Like, are there known vulnerabilities? Or is it just deprecated because it's abandonware and it therefore should not be trusted? |
Beta Was this translation helpful? Give feedback.
-
It seems like a very bad break from best practices to "deprecate" a node module without actually deprecating it in npm, especially when it's still being downloaded ~150k a week. |
Beta Was this translation helpful? Give feedback.
-
@jennyf19 are you or anyone else able to speak to progress that has been made? |
Beta Was this translation helpful? Give feedback.
-
@jennyf19 Randomly seeing the npm package of passport-azure-ad as deprecated killed me. I see that this message hangs for one year almost. So, is there any updates? And what is the current solution for the developers that has been using passport-azure-ad until getting surprised by npm deprecate warning? |
Beta Was this translation helpful? Give feedback.
-
Nope. `MSAL.js` is for acquiring tokens. `passport-azure-ad` was for
validating them.
…On Wed, Jul 24, 2024 at 8:30 AM zWaR ***@***.***> wrote:
@RomanKonopelkoVoypost <https://github.com/RomanKonopelkoVoypost>
@jennyf19 <https://github.com/jennyf19> I wonder the same. I found this:
https://github.com/AzureAD/microsoft-authentication-library-for-js
However, I haven't used it. I wonder if that's meant to be the replacement
and if so, how does the migration to it look like?
—
Reply to this email directly, view it on GitHub
<#2405 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACTMQBLJZKIQ67Q4I2L6W3DZN7CALAVCNFSM6AAAAAA4B3HQLWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMJTHE2TEOI>
.
You are receiving this because you commented.Message ID:
<AzureAD/microsoft-identity-web/repo-discussions/2405/comments/10139529@
github.com>
|
Beta Was this translation helpful? Give feedback.
-
A year has passed and there is no news. |
Beta Was this translation helpful? Give feedback.
-
My friends any news on that? |
Beta Was this translation helpful? Give feedback.
-
We are waiting :-) |
Beta Was this translation helpful? Give feedback.
-
We could potentially use passport-oauth2, correct? It would be more involved, but is there any reason this wouldn't be a valid solution? |
Beta Was this translation helpful? Give feedback.
-
@jennyf19 any update on this? |
Beta Was this translation helpful? Give feedback.
-
Has it been abandoned? We are experimenting with integrating MS AD into our NodeJS app, but it proves to be a struggle at every step |
Beta Was this translation helpful? Give feedback.
-
Seems to be abandoned and no news about the future.. |
Beta Was this translation helpful? Give feedback.
-
Hi everyone, Since the It provides secure access to Microsoft services and APIs using OAuth 2.0 and OpenID Connect standards, and it’s actively maintained by Microsoft. Implementation steps1. Set Up Your Azure AD Application
2. Install MSAL Node PackageInstall the MSAL Node package in your NodeJS project: npm install @azure/msal-node express-session 3. Set Up MSAL in Your NodeJS AppSample Code for NodeJS Authentication with MSALNot suitable for production usage, only for developement/experimentation purposes // server.js
const express = require('express');
const session = require('express-session');
const { ConfidentialClientApplication } = require('@azure/msal-node');
const app = express();
const PORT = process.env.PORT || 3000;
// MSAL configuration
const msalConfig = {
auth: {
clientId: process.env.OAUTH2_CLIENT_ID,
authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`, // Tenant ID or common for multi-tenant
clientSecret: process.env.OAUTH2_CLIENT_SECRET,
},
};
const msalClient = new ConfidentialClientApplication(msalConfig);
// Configure session middleware
app.use(
session({
secret: process.env.SESSION_SECRET_KEY || 'default_secret',
resave: false,
saveUninitialized: false,
cookie: { secure: false }, // Set to true if using HTTPS
})
);
// Login route - redirects to Azure AD for authentication
app.get('/login', (req, res) => {
const authCodeUrlParameters = {
scopes: ['user.read'],
redirectUri: 'http://localhost:3000/auth/redirect', // Adjust the redirect URI
};
// Redirect to Microsoft login page
msalClient.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
res.redirect(response);
}).catch((error) => {
console.error('Error generating auth code URL:', error);
res.status(500).send('Error during login');
});
});
// Callback route - handles Azure AD redirect with authorization code
app.get('/auth/redirect', (req, res) => {
const tokenRequest = {
code: req.query.code, // Authorization code from query params
scopes: ['user.read'],
redirectUri: 'http://localhost:3000/auth/redirect', // Must match exactly with Azure AD config
};
// Exchange authorization code for tokens
msalClient.acquireTokenByCode(tokenRequest).then((response) => {
req.session.user = {
username: response.account.username,
name: response.account.name,
idToken: response.idToken,
};
res.redirect('/profile');
}).catch((error) => {
console.error('Error acquiring token by code:', error);
res.status(500).send('Error during token acquisition');
});
});
// Protected route example
app.get('/profile', (req, res) => {
if (!req.session.user) {
return res.redirect('/login');
}
res.send(`Welcome, ${req.session.user.name}`);
});
// Logout route
app.get('/logout', (req, res) => {
req.session.destroy((err) => {
if (err) {
console.error('Error during logout:', err);
return res.status(500).send('Error during logout');
}
res.redirect('/');
});
});
app.listen(PORT, () => {
console.log(`Server is running on http://localhost:${PORT}`);
}); Explanation of Key Components
Advantages of Using MSAL
Final Steps
It worked for me ;) Hope this helps!!! |
Beta Was this translation helpful? Give feedback.
-
Dear community, I have found a "drop-in replacement" for the deprecated
This solution supports the Bearer token approach of Here is the code before the replacement: const { BearerStrategy } = require('passport-azure-ad');
const tenantId = process.env.AD_APPLICATION_TENANT_ID;
const clientId = process.env.AD_APPLICATION_CLIENT_ID;
const identityMetadata = `https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration`;
const issuer = `https://login.microsoftonline.com/${tenantId}/v2.0`;
const options = {
identityMetadata: identityMetadata,
clientID: clientId,
validateIssuer: true,
issuer: issuer,
};
async function verifyCallBack(token, done) {
// do some stuff
return done(null, token, token);
}
const bearerStrategy = new BearerStrategy(options, verifyCallBack);
module.exports = {
bearerStrategy
}; And here is the new "drop-in replacement" code: const { Strategy, ExtractJwt } = require('passport-jwt');
const jwksRsa = require('jwks-rsa');
// The tenant ID is the Azure AD tenant ID. The client ID is the application ID of the app registration.
const tenantId = process.env.AD_APPLICATION_TENANT_ID;
const clientId = process.env.AD_APPLICATION_CLIENT_ID;
// This is the URL where the public keys for the tenant are stored.
const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`;
// This issuer and audience are used for API scope with MSAL
const issuer1 = `https://sts.windows.net/${tenantId}/`;
const audience1 = `api://${clientId}`;
// This issuer and audience are used if authentication is enabled on App Service with token cache.
const issuer2 = `https://login.microsoftonline.com/${tenantId}/v2.0`;
const audience2 = `${clientId}`;
// The options for the JWT strategy
const options = {
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
audience: [audience1, audience2],
issuer: [issuer1, issuer2],
algorithms: ['RS256'],
secretOrKeyProvider: jwksRsa.passportJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: jwksUri,
}),
};
// This function is called when the token is verified
async function verifyCallBack(token, done) {
// do something with the token
return done(null, token);
}
const bearerStrategy = new Strategy(options, verifyCallBack);
module.exports = { bearerStrategy }; This replacement should help anyone who still needs the Bearer token validation functionality after |
Beta Was this translation helpful? Give feedback.
-
Here's a way to do it in express without using passport (based on @DanielOverdevestPZH 's approach): import { expressjwt, Request as RequestJWT } from "express-jwt"
import type { Request } from "express"
import jwksRsa, { GetVerificationKey } from "jwks-rsa"
// needed for type inference
import "express-unless"
// eslint-disable-next-line @typescript-eslint/explicit-function-return-type
export function buildExpressMsalToken({
tenantId,
clientId
}: {
tenantId: string
clientId: string
}) {
// This is the URL where the public keys for the tenant are stored.
const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`
// This issuer and audience are used for API scope with MSAL
const issuer1 = `https://sts.windows.net/${tenantId}/`
const audience1 = `api://${clientId}`
// This issuer and audience are used if authentication is enabled on App Service with token cache.
const issuer2 = `https://login.microsoftonline.com/${tenantId}/v2.0`
const audience2 = `${clientId}`
return expressjwt({
secret: jwksRsa.expressJwtSecret({
jwksUri: jwksUri,
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5
}) as GetVerificationKey,
audience: [audience1, audience2],
issuer: [issuer1, issuer2],
algorithms: ["RS256"],
credentialsRequired: true
})
}
export type RequestWithMsalAuth = {
auth?: RequestJWT["auth"] & {
name?: string
unique_name?: string
upn?: string
oid?: string
scp?: string
roles?: string[]
}
} & Request use it as follows, for example: const app = express()
const port = 3000
const tenantId = process.env.TENANT_ID
if (!tenantId) {
throw new Error(
"TENANT_ID not defined."
)
}
const clientId = process.env.CLIENT_ID
if (!clientId) {
throw new Error(
"CLIENT_ID not defined."
)
}
app.use(buildExpressMsalToken({tenantId,clientId})
app.get(
"",
(req: RequestWithMsalAuth, res, next) => {
// do stuff in your controller, req.auth will be typed
}
)
app.listen(port, () => {
console.log(`Server running on port ${port}`)
}) |
Beta Was this translation helpful? Give feedback.
-
Node JS validation replacement for passport.js
Dear Node JS customers,
We understand that many of you have been frustrated by the lack of a replacement for this deprecated passport.js library. We want you to know that we hear your concerns and are actively working on a solution. In the meantime, we want to assure you that we haven't forgotten about you. Auth validation is very complicated and hard to get right. For this reason, we will leverage Microsoft.IdentityModel, which has a proven track record over many years, and is hitting impressive perf metrics with the latest improvements in IdentityModel 7x on .NET 8, making Ahead of Time (AOT) comparable with non-AOT, especially in terms of request per second, which is very promising for our goal of covering all services, regardless of language with Microsoft.IdentityModel.
We are experimenting with a simple wrapper over a shared library in Node JS that will allow you to continue using the Microsoft identity platforms. This wrapper is currently only available to internal Microsoft services, but we're working hard to make it available to all of our customers as soon as possible. Thank you for your patience and understanding as we work to improve our offerings. We'll keep you updated as we make progress on this front. Please provide us with your feedback/questions/concerns as we go through this process together.
Beta Was this translation helpful? Give feedback.
All reactions