
I am trying to create a web app with React on the front end and Node.js on the back end. I want my users to authenticate to the app with their Microsoft company accounts.

I am trying to use this document from Microsoft, but it confuses me. As I understand it, these are the steps:

  1. the user sends a request to the web server to run the app
  2. the browser downloads the React SPA and, using the react-adal package, redirects the user to the Azure AD authentication URL, which is https://login.microsoftonline.com
  3. after the user successfully authenticates, it sends a token to the client's browser
  4. I think the next step is sending a request to the Node.js server with that token in the request header, is that correct?

Here is what I found in the document:

The token is cached and the client attaches it to the request as the bearer token when making calls to its Web API back end, which is secured using the OWIN middleware.

But what is OWIN middleware, and how can I use it in my Node.js app to make sure the token is valid and was generated by Microsoft for that user?

2 Answers

Here is the link to get information about the API:

https://login.microsoftonline.com/common/.well-known/openid-configuration or https://login.windows.net/common/.well-known/openid-configuration

and based on the link above, here is the link to the public keys:

https://login.windows.net/common/discovery/keys

As you can see there are 3 public keys there, and from the header of the token you can find out which one is for your token.

Now with the jsonwebtoken package I can verify the token:

const jwt = require('jsonwebtoken');

// token: the bearer token from the Authorization header
// publicKey: the PEM-wrapped certificate from the discovery/keys URL whose kid
//            matches the token header
// appId: your application's client ID (the expected audience)
function verifyAzureAdToken(token, publicKey, appId) {
  const options = {
    algorithms: ['RS256'],
    audience: [`${appId}`],
    issuer: ['https://sts.windows.net/{your tenant ID}/'],
    ignoreExpiration: false,
    ignoreNotBefore: false,
  };
  try {
    const decoded = jwt.verify(token, publicKey, options);
    return decoded;
  } catch (error) {
    console.log(error);
    return false;
  }
}

More info about the package: https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback

But it works when I add the standard starting and ending lines:

const publicKey = `
-----BEGIN CERTIFICATE-----
${key}
-----END CERTIFICATE-----
`;

Here is a blog post that helped me find the answer:

https://nicksnettravels.builttoroam.com/post/2017/01/24/Verifying-Azure-Active-Directory-JWT-Tokens.aspx


The token is nothing but a JSON Web Token (JWT); you can use any available libraries/code to do the signature validation and also the issuer and audience checks on the payload as part of your validation. See https://jwt.io/ for the NodeJS libraries available. The public key to validate against will be available through a URL when you register your application in Azure AD (as JWKS), something like https://login.windows.net/common/discovery/keys
