passport-azure-ad : frontend and backend with same token (what strategy, and how to ?)

Question

I'm trying to do a node.js Application with a frontend (http://localhost:8080) and a API backend (http://localhost:5000). I would like to be authenticate by Azure AD in both cases.

It is my first application like that, so I don't know exactly how to handle it.

What I would like to do is :

1. Login with Microsoft account on the frontend;
2. When the user is logged, when getting a route (i.e. http://localhost:8080/list), call the backend API (http://localhost:5000/api/list) to retrieve information 'list' and render it (depending on the user access rights).

I was thinking using 'passport-azure-ad' but I don't know what strategy to do ? OIDCStrategy or BearerStrategy ?

I'am able to easily doing the frontend login with OIDCStrategy, but I don't have a 'Bearer', so I don't understand how I can use the same "login" for calling the backend API ? And with BearerStrategy, I have tried to get a Bearer by getting 'https://login.microsoftonline.com/'+MyTenantId+'/oauth2/v2.0/authorize?response_type=code&client_id='+MyClientId+'&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&scope=openid' but every time when I test it on jwt.io it return as an invalid bearer ( 'Invalid Signature') and I cannot use that bearer in my backend server.

I'm a bit confused how to do ? And I need help.

Thanks

Answer 1

As this document shows, you could make HTTP calls to get the access token. And you could try it with Postman.

Using on-behalf-of flow in node.js:

var qs = require("querystring");

var http = require("https");

var options = { "method": "POST", "hostname": [ "login", "microsoftonline", "com" ], "path": [ "b2bc09c8-9386-47xxxxxxxx", "oauth2", "token" ], "headers": { "Content-Type": "application/x-www-form-urlencoded", "cache-control": "no-cache", "Postman-Token": "739540c9-1e3d-4d74-bxxxxxxx" } };

var req = http.request(options, function (res) { var chunks = [];

res.on("data", function (chunk) {
    chunks.push(chunk);
});

res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
});
});

req.write(qs.stringify({ grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', client_id: '<your-application-id>', resource: 'https://graph.microsoft.com/', client_secret: '<your-client-secret>', scope: 'openid', assertion: 'xxxxx', requested_token_use: 'on_behalf_of', undefined: undefined })); 
req.end();

You could extract the access token and use it against a resource in a bearer request.