├── .github
├── CODE_OF_CONDUCT.md
├── ISSUE_TEMPLATE.md
├── ISSUE_TEMPLATE
│ ├── bug_report.md
│ └── feature_request.md
├── PULL_REQUEST_TEMPLATE.md
└── workflows
│ ├── build.yml
│ ├── codeql.yml
│ ├── docs.yml
│ └── issues.yml
├── .gitignore
├── 1-Authentication
├── 1-sign-in
│ ├── App
│ │ ├── app.js
│ │ ├── authConfig.js
│ │ ├── controllers
│ │ │ └── mainController.js
│ │ ├── package-lock.json
│ │ ├── package.json
│ │ ├── public
│ │ │ └── style.css
│ │ ├── sample.test.js
│ │ ├── server.js
│ │ └── views
│ │ │ ├── home.ejs
│ │ │ ├── id.ejs
│ │ │ └── includes
│ │ │ ├── footer.ejs
│ │ │ └── navbar.ejs
│ ├── AppCreationScripts
│ │ ├── AppCreationScripts.md
│ │ ├── Cleanup-WithCertificates.ps1
│ │ ├── Cleanup.ps1
│ │ ├── Configure-WithCertificates.ps1
│ │ ├── Configure.ps1
│ │ └── sample.json
│ ├── README-use-certificate.md
│ ├── README.md
│ └── ReadmeFiles
│ │ ├── screenshot.png
│ │ └── topology.png
└── 2-sign-in-b2c
│ ├── App
│ ├── app.js
│ ├── authConfig.js
│ ├── controllers
│ │ └── mainController.js
│ ├── package-lock.json
│ ├── package.json
│ ├── public
│ │ └── style.css
│ ├── sample.test.js
│ ├── server.js
│ └── views
│ │ ├── home.ejs
│ │ ├── id.ejs
│ │ └── includes
│ │ ├── footer.ejs
│ │ └── navbar.ejs
│ ├── AppCreationScripts
│ ├── AppCreationScripts.md
│ ├── Cleanup-WithCertificates.ps1
│ ├── Cleanup.ps1
│ ├── Configure-WithCertificates.ps1
│ ├── Configure.ps1
│ └── sample.json
│ ├── README-use-certificate.md
│ ├── README.md
│ └── ReadmeFiles
│ ├── screenshot.png
│ └── topology.png
├── 2-Authorization
└── 1-call-graph
│ ├── App
│ ├── app.js
│ ├── authConfig.js
│ ├── controllers
│ │ └── mainController.js
│ ├── package-lock.json
│ ├── package.json
│ ├── public
│ │ └── style.css
│ ├── routes
│ │ └── mainRoutes.js
│ ├── sample.test.js
│ ├── server.js
│ ├── utils
│ │ ├── fetchManager.js
│ │ └── graphManager.js
│ └── views
│ │ ├── home.ejs
│ │ ├── id.ejs
│ │ ├── includes
│ │ ├── footer.ejs
│ │ └── navbar.ejs
│ │ ├── profile.ejs
│ │ └── tenant.ejs
│ ├── AppCreationScripts
│ ├── AppCreationScripts.md
│ ├── Cleanup-WithCertificates.ps1
│ ├── Cleanup.ps1
│ ├── Configure-WithCertificates.ps1
│ ├── Configure.ps1
│ └── sample.json
│ ├── README-use-certificate.md
│ ├── README.md
│ └── ReadmeFiles
│ ├── screenshot.png
│ └── topology.png
├── 3-Deployment
├── App
│ ├── .env.example
│ ├── app.js
│ ├── authConfig.js
│ ├── controllers
│ │ └── mainController.js
│ ├── msal-node-wrapper-1.0.0-beta.tgz
│ ├── package-lock.json
│ ├── package.json
│ ├── public
│ │ └── style.css
│ ├── routes
│ │ └── mainRoutes.js
│ ├── sample.test.js
│ ├── server.js
│ ├── utils
│ │ ├── fetchManager.js
│ │ ├── graphManager.js
│ │ └── keyVaultManager.js
│ └── views
│ │ ├── home.ejs
│ │ ├── id.ejs
│ │ ├── includes
│ │ ├── footer.ejs
│ │ └── navbar.ejs
│ │ ├── profile.ejs
│ │ └── tenant.ejs
├── README.md
└── ReadmeFiles
│ ├── disable_easy_auth.png
│ ├── screenshot.png
│ ├── step1.png
│ ├── step2.png
│ ├── step3.png
│ └── topology.png
├── 4-AccessControl
├── 1-app-roles
│ ├── App
│ │ ├── app.js
│ │ ├── authConfig.js
│ │ ├── controllers
│ │ │ ├── dashboardController.js
│ │ │ ├── mainController.js
│ │ │ └── todolistController.js
│ │ ├── data
│ │ │ └── db.json
│ │ ├── model
│ │ │ └── todo.js
│ │ ├── package-lock.json
│ │ ├── package.json
│ │ ├── public
│ │ │ └── style.css
│ │ ├── routes
│ │ │ ├── dashboardRoutes.js
│ │ │ ├── mainRoutes.js
│ │ │ └── todolistRoutes.js
│ │ ├── sample.test.js
│ │ ├── server.js
│ │ └── views
│ │ │ ├── dashboard.ejs
│ │ │ ├── home.ejs
│ │ │ ├── id.ejs
│ │ │ ├── includes
│ │ │ ├── footer.ejs
│ │ │ └── navbar.ejs
│ │ │ └── todolist.ejs
│ ├── AppCreationScripts
│ │ ├── AppCreationScripts.md
│ │ ├── Cleanup-WithCertificates.ps1
│ │ ├── Cleanup.ps1
│ │ ├── CleanupUsersAndAssignRoles.ps1
│ │ ├── Configure-WithCertificates.ps1
│ │ ├── Configure.ps1
│ │ ├── CreateUsersAndAssignRoles.ps1
│ │ └── sample.json
│ ├── README-use-certificate.md
│ ├── README.md
│ └── ReadmeFiles
│ │ ├── screenshot.png
│ │ └── topology.png
└── 2-security-groups
│ ├── App
│ ├── app.js
│ ├── authConfig.js
│ ├── controllers
│ │ ├── dashboardController.js
│ │ ├── mainController.js
│ │ └── todolistController.js
│ ├── data
│ │ └── db.json
│ ├── model
│ │ └── todo.js
│ ├── package-lock.json
│ ├── package.json
│ ├── public
│ │ └── style.css
│ ├── routes
│ │ ├── dashboardRoutes.js
│ │ ├── mainRoutes.js
│ │ └── todolistRoutes.js
│ ├── sample.test.js
│ ├── server.js
│ └── views
│ │ ├── dashboard.ejs
│ │ ├── home.ejs
│ │ ├── id.ejs
│ │ ├── includes
│ │ ├── footer.ejs
│ │ └── navbar.ejs
│ │ └── todolist.ejs
│ ├── AppCreationScripts
│ ├── AppCreationScripts.md
│ ├── BulkCreateGroups.ps1
│ ├── BulkRemoveGroups.ps1
│ ├── Cleanup-WithCertificates.ps1
│ ├── Cleanup.ps1
│ ├── Configure-WithCertificates.ps1
│ ├── Configure.ps1
│ └── sample.json
│ ├── README-use-certificate.md
│ ├── README.md
│ └── ReadmeFiles
│ ├── screenshot.png
│ └── topology.png
├── 5-AdvancedScenarios
└── 1-call-graph-bff
│ ├── App
│ ├── app.js
│ ├── auth
│ │ └── AuthProvider.js
│ ├── authConfig.js
│ ├── client
│ │ ├── .gitignore
│ │ ├── package-lock.json
│ │ ├── package.json
│ │ ├── public
│ │ │ ├── favicon.svg
│ │ │ ├── index.html
│ │ │ ├── manifest.json
│ │ │ └── robots.txt
│ │ └── src
│ │ │ ├── App.jsx
│ │ │ ├── components
│ │ │ ├── DataDisplay.jsx
│ │ │ ├── NavigationBar.jsx
│ │ │ └── PageLayout.jsx
│ │ │ ├── context
│ │ │ └── AuthContext.js
│ │ │ ├── index.js
│ │ │ ├── pages
│ │ │ ├── Home.jsx
│ │ │ └── Profile.jsx
│ │ │ ├── styles
│ │ │ ├── App.css
│ │ │ └── index.css
│ │ │ └── utils
│ │ │ └── claimUtils.js
│ ├── controllers
│ │ └── authController.js
│ ├── package-lock.json
│ ├── package.json
│ ├── routes
│ │ └── mainRoutes.js
│ └── utils
│ │ ├── claimUtils.js
│ │ └── graphClient.js
│ ├── AppCreationScripts
│ ├── AppCreationScripts.md
│ ├── Cleanup-WithCertificates.ps1
│ ├── Cleanup.ps1
│ ├── Configure-WithCertificates.ps1
│ ├── Configure.ps1
│ └── sample.json
│ ├── README-use-certificate.md
│ ├── README.md
│ └── ReadmeFiles
│ ├── screenshot.png
│ └── sequence.png
├── CHANGELOG.md
├── CONTRIBUTING.md
├── Common
└── msal-node-wrapper
│ ├── .eslintignore
│ ├── .eslintrc.json
│ ├── .gitignore
│ ├── README.md
│ ├── jest.config.js
│ ├── package-lock.json
│ ├── package.json
│ ├── rollup.config.js
│ ├── src
│ ├── config
│ │ ├── ConfigurationHelper.ts
│ │ └── ConfigurationTypes.ts
│ ├── error
│ │ ├── AccessDeniedError.ts
│ │ └── InteractionRequiredError.ts
│ ├── index.ts
│ ├── middleware
│ │ ├── MiddlewareOptions.ts
│ │ ├── authenticateMiddleware.ts
│ │ ├── context
│ │ │ └── AuthContext.ts
│ │ ├── errorMiddleware.ts
│ │ ├── guardMiddleware.ts
│ │ └── handlers
│ │ │ ├── acquireTokenHandler.ts
│ │ │ ├── loginHandler.ts
│ │ │ ├── logoutHandler.ts
│ │ │ └── redirectHandler.ts
│ ├── network
│ │ └── FetchManager.ts
│ ├── packageMetadata.ts
│ ├── provider
│ │ ├── BaseAuthProvider.ts
│ │ └── WebAppAuthProvider.ts
│ └── utils
│ │ ├── Constants.ts
│ │ └── UrlUtils.ts
│ ├── test
│ ├── TestConstants.ts
│ ├── config
│ │ └── ConfigurationHelper.spec.ts
│ └── utils
│ │ └── UrlUtils.spec.ts
│ ├── tsconfig.build.json
│ ├── tsconfig.json
│ └── typedoc.json
├── LICENSE.md
└── README.md
/.github/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Microsoft Open Source Code of Conduct
2 |
3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
4 |
5 | Resources:
6 |
7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
10 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Issue
4 |
5 | > Please provide us with the following information:
6 |
7 | ## This issue is for the sample
8 |
9 |
10 |
11 | ```console
12 | - [ ] 1-1) Sign-in with Microsoft Entra ID
13 | - [ ] 1-2) Sign-in with Azure Active Directory B2C
14 | - [ ] 2-1) Acquire a Token and call Microsoft Graph
15 | - [ ] 3) Deploy to Azure Storage and App Service
16 | - [ ] 4-1) Use App Roles for Role-based Access Control
17 | - [ ] 4-2) Use Security Groups for Role-based Access Control
18 | ```
19 |
20 | ## This issue is for a
21 |
22 |
23 |
24 | ```console
25 | - [ ] bug report -> please search issues before submitting
26 | - [ ] question
27 | - [ ] feature request
28 | - [ ] documentation issue or request
29 | ```
30 |
31 | ### Minimal steps to reproduce
32 |
33 | >
34 |
35 | ### Any log messages given by the failure
36 |
37 | >
38 |
39 | ### Expected/desired behavior
40 |
41 | >
42 |
43 | ### Library version
44 |
45 | >
46 |
47 | ### Browser and version
48 |
49 | > Chrome, Edge, Firefox, Safari?
50 |
51 | ### Mention any other details that might be useful
52 |
53 | >
54 |
55 | Thanks! We'll be in touch soon.
56 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: untriaged
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Which version of Microsoft.Identity.Client are you using?**
11 |
12 | Note that to get help, you need to run the latest version.
13 |
14 | **Repro**
15 |
16 | ```js
17 | // code
18 | ```
19 |
20 | **Expected behavior**
21 | A clear and concise description of what you expected to happen (or code).
22 |
23 | **Actual behavior**
24 | A clear and concise description of what happens, e.g. an exception is thrown, UI freezes.
25 |
26 | **Possible solution**
27 |
28 |
29 | **Additional context / logs / screenshots / links to code**
30 |
31 | Add any other context about the problem here, such as logs and screenshots or links to code.
32 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: enhancement
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | # Pull Request
2 |
3 | ## Purpose
4 |
5 |
6 |
7 | * ...
8 |
9 | ## Does this introduce a breaking change
10 |
11 |
12 |
13 | ```console
14 | [ ] Yes
15 | [ ] No
16 | ```
17 |
18 | ## Pull request type
19 |
20 | What kind of change does this Pull Request introduce?
21 |
22 |
23 |
24 | ```console
25 | [ ] Bugfix
26 | [ ] Feature
27 | [ ] Code style update (formatting, local variables)
28 | [ ] Documentation content changes
29 | [ ] Other... Please describe:
30 | ```
31 |
32 | ## How to test
33 |
34 | * Get the code
35 |
36 | ```console
37 | git clone [repo-address]
38 | cd [repo-name]
39 | git checkout [branch-name]
40 | npm install
41 | ```
42 |
43 | ## What to check
44 |
45 | ex: verify that the following are valid:
46 |
47 | * ...
48 |
49 | ## Other Information
50 |
51 |
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
1 | # This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
3 |
4 | name: Build & Test
5 |
6 | on:
7 | push:
8 | branches:
9 | - main
10 | pull_request:
11 | branches:
12 | - main
13 |
14 | jobs:
15 | build:
16 |
17 | runs-on: ubuntu-latest
18 |
19 | strategy:
20 | matrix:
21 | node-version: [16.x, 18.x]
22 | # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
23 |
24 | steps:
25 | - uses: actions/checkout@v2
26 | - name: Use Node.js ${{ matrix.node-version }}
27 | uses: actions/setup-node@v2
28 | with:
29 | node-version: ${{ matrix.node-version }}
30 |
31 | - run: |
32 | cd Common/msal-node-wrapper
33 | npm ci
34 | npm audit --production
35 | npm run build --if-present
36 | npm run test
37 |
38 | - run: |
39 | cd 1-Authentication/1-sign-in/App
40 | npm install
41 | npm audit --production
42 | npm run test
43 |
44 | - run: |
45 | cd 1-Authentication/2-sign-in-b2c/App
46 | npm install
47 | npm audit --production
48 | npm run test
49 |
50 | - run: |
51 | cd 2-Authorization/1-call-graph/App
52 | npm install
53 | npm audit --production
54 | npm run test
55 |
56 | - run: |
57 | cd 4-AccessControl/1-app-roles/App
58 | npm install
59 | npm audit --production
60 | npm run test
61 |
62 | - run: |
63 | cd 4-AccessControl/2-security-groups/App
64 | npm install
65 | npm audit --production
66 | npm run test
--------------------------------------------------------------------------------
/.github/workflows/docs.yml:
--------------------------------------------------------------------------------
1 | name: Generate docs
2 |
3 | on:
4 | push:
5 | branches:
6 | - main
7 | paths:
8 | - Common/msal-node-wrapper/**
9 | pull_request:
10 | branches:
11 | - main
12 | paths:
13 | - Common/msal-node-wrapper/**
14 |
15 | jobs:
16 | deploy:
17 | runs-on: ubuntu-latest
18 | steps:
19 | - uses: actions/checkout@v2
20 | with:
21 | submodules: true # Fetch Hugo themes (true OR recursive)
22 | fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod
23 |
24 | - name: Use Node.js
25 | uses: actions/setup-node@v2
26 | env:
27 | RUNNING_NODE_CI: 1
28 | - run: |
29 | cd Common/msal-node-wrapper
30 | npm ci
31 | npm run build
32 | npm run docs
33 |
34 | - name: Deploy
35 | uses: peaceiris/actions-gh-pages@v3
36 | with:
37 | github_token: ${{ secrets.GITHUB_TOKEN }}
38 | publish_dir: ./docs
39 | destination_dir: ./docs
40 | keep_files: true
--------------------------------------------------------------------------------
/.github/workflows/issues.yml:
--------------------------------------------------------------------------------
1 | # https://github.com/actions/stale
2 | name: Mark stale issues and pull requests
3 |
4 | on:
5 | schedule:
6 | - cron: "0 0 * * *"
7 |
8 | jobs:
9 | stale:
10 |
11 | runs-on: ubuntu-latest
12 |
13 | steps:
14 | - uses: actions/stale@v3
15 | with:
16 | repo-token: ${{ secrets.GITHUB_TOKEN }}
17 | operations-per-run: 60
18 | stale-issue-message: 'This issue has not seen activity in 14 days. If your issue has not been resolved please leave a comment to keep this open. It will be closed in 7 days if it remains stale.'
19 | close-issue-message: 'This issue has been closed due to inactivity. If this has not been resolved please open a new issue. Thanks!'
20 | stale-pr-message: 'This PR has not seen activity in 30 days. It may be closed if it remains stale.'
21 | stale-issue-label: 'no-issue-activity'
22 | stale-pr-label: 'no-pr-activity'
23 | days-before-issue-stale: 14
24 | days-before-pr-stale: 30
25 | days-before-close: 7
26 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Logs
2 | logs
3 | *.log
4 | npm-debug.log*
5 | yarn-debug.log*
6 | yarn-error.log*
7 | lerna-debug.log*
8 |
9 | # Diagnostic reports (https://nodejs.org/api/report.html)
10 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
11 |
12 | # Runtime data
13 | pids
14 | *.pid
15 | *.seed
16 | *.pid.lock
17 |
18 | # Directory for instrumented libs generated by jscoverage/JSCover
19 | lib-cov
20 |
21 | # Coverage directory used by tools like istanbul
22 | coverage
23 | *.lcov
24 |
25 | # nyc test coverage
26 | .nyc_output
27 |
28 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
29 | .grunt
30 |
31 | # Bower dependency directory (https://bower.io/)
32 | bower_components
33 |
34 | # node-waf configuration
35 | .lock-wscript
36 |
37 | # Compiled binary addons (https://nodejs.org/api/addons.html)
38 | build/Release
39 |
40 | # Dependency directories
41 | node_modules/
42 | jspm_packages/
43 |
44 | # TypeScript v1 declaration files
45 | typings/
46 |
47 | # TypeScript cache
48 | *.tsbuildinfo
49 |
50 | # Optional npm cache directory
51 | .npm
52 |
53 | # Optional eslint cache
54 | .eslintcache
55 |
56 | # Microbundle cache
57 | .rpt2_cache/
58 | .rts2_cache_cjs/
59 | .rts2_cache_es/
60 | .rts2_cache_umd/
61 |
62 | # Optional REPL history
63 | .node_repl_history
64 |
65 | # Output of 'npm pack'
66 | *.tgz
67 | !msal-node-wrapper-1.0.0-beta.tgz
68 |
69 | # Yarn Integrity file
70 | .yarn-integrity
71 |
72 | # dotenv environment variables file
73 | .env
74 |
75 | # parcel-bundler cache (https://parceljs.org/)
76 | .cache
77 |
78 | # Next.js build output
79 | .next
80 |
81 | # Nuxt.js build / generate output
82 | .nuxt
83 |
84 | # Gatsby files
85 | .cache/
86 | # Comment in the public line in if your project uses Gatsby and *not* Next.js
87 | # https://nextjs.org/blog/next-9-1#public-directory-support
88 | # public
89 |
90 | # vuepress build output
91 | .vuepress/dist
92 |
93 | # Serverless directories
94 | .serverless/
95 |
96 | # FuseBox cache
97 | .fusebox/
98 |
99 | # DynamoDB Local files
100 | .dynamodb/
101 |
102 | # TernJS port file
103 | .tern-port
104 |
105 | # VS Code cache
106 | .vscode/
107 |
108 | /.vs
109 |
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/authConfig.js:
--------------------------------------------------------------------------------
1 | /**
2 | * For enhanced security, consider using client certificates instead of secrets.
3 | * See README-use-certificate.md for more.
4 | */
5 | const authConfig = {
6 | auth: {
7 | authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here",
8 | clientId: "Enter_the_Application_Id_Here",
9 | clientSecret: "Enter_the_Client_Secret_Here",
10 | // clientCertificate: {
11 | // thumbprint: "YOUR_CERT_THUMBPRINT",
12 | // privateKey: fs.readFileSync('PATH_TO_YOUR_PRIVATE_KEY_FILE'),
13 | // }
14 | redirectUri: "/redirect",
15 | },
16 | system: {
17 | loggerOptions: {
18 | loggerCallback: (logLevel, message, containsPii) => {
19 | if (containsPii) {
20 | return;
21 | }
22 | console.log(message);
23 | },
24 | piiLoggingEnabled: false,
25 | logLevel: 3,
26 | },
27 | }
28 | };
29 |
30 | module.exports = authConfig;
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/controllers/mainController.js:
--------------------------------------------------------------------------------
1 | exports.getHomePage = (req, res, next) => {
2 | const username = req.authContext.getAccount() ? req.authContext.getAccount().username : '';
3 | res.render('home', { isAuthenticated: req.authContext.isAuthenticated(), username: username });
4 | }
5 |
6 | exports.getIdPage = (req, res, next) => {
7 | const account = req.authContext.getAccount();
8 |
9 | const claims = {
10 | name: account.idTokenClaims.name,
11 | preferred_username: account.idTokenClaims.preferred_username,
12 | oid: account.idTokenClaims.oid,
13 | sub: account.idTokenClaims.sub
14 | };
15 |
16 | res.render('id', {isAuthenticated: req.authContext.isAuthenticated(), claims: claims});
17 | }
18 |
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "msal-node-tutorial-signin",
3 | "version": "1.0.0",
4 | "description": "A Node.js & Express web app authenticating users against Azure AD with MSAL Node",
5 | "main": "server.js",
6 | "scripts": {
7 | "start": "node server.js",
8 | "dev": "nodemon server.js",
9 | "test": "jest --forceExit",
10 | "postinstall": "cd ../../../Common/msal-node-wrapper && npm install"
11 | },
12 | "author": "derisen",
13 | "license": "MIT",
14 | "dependencies": {
15 | "bootstrap": "^5.3.3",
16 | "ejs": "^3.1.10",
17 | "express": "^4.19.2",
18 | "express-session": "^1.18.0",
19 | "msal-node-wrapper": "file:../../../Common/msal-node-wrapper"
20 | },
21 | "devDependencies": {
22 | "jest": "^29.7.0",
23 | "nodemon": "^3.1.0",
24 | "supertest": "^7.0.0"
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/public/style.css:
--------------------------------------------------------------------------------
1 | h1 {
2 | color: red;
3 | }
4 |
5 | #card-div {
6 | min-width: 40%;
7 | margin: 5% auto 5% auto;
8 | }
9 |
10 | #form-area-div {
11 | width: 55%;
12 | margin: 5% auto 5% auto;
13 | }
14 |
15 | .table-area-div {
16 | width: 70%;
17 | margin: 5% auto 5% auto;
18 | }
19 |
20 | .footer {
21 | position: fixed;
22 | left: 0;
23 | bottom: 0;
24 | width: 100%;
25 | text-align: center;
26 | }
27 |
28 |
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/sample.test.js:
--------------------------------------------------------------------------------
1 | const request = require('supertest');
2 |
3 | describe('Sanitize configuration object', () => {
4 | let authConfig;
5 |
6 | beforeAll(() => {
7 | authConfig = require('./authConfig.js');
8 | });
9 |
10 | it('should define the config object', () => {
11 | expect(authConfig).toBeDefined();
12 | });
13 |
14 | it('should not contain client Id', () => {
15 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
16 | expect(regexGuid.test(authConfig.auth.clientId)).toBe(false);
17 | });
18 |
19 | it('should not contain tenant Id', () => {
20 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
21 | expect(regexGuid.test(authConfig.auth.tenantId)).toBe(false);
22 | });
23 |
24 | it('should not contain client secret', () => {
25 | const regexSecret = /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{34,}$/;
26 | expect(regexSecret.test(authConfig.auth.clientSecret)).toBe(false);
27 | });
28 | });
29 |
30 | describe('Ensure pages served', () => {
31 | let app;
32 |
33 | beforeAll(async () => {
34 | process.env.NODE_ENV = 'test';
35 |
36 | const authConfig = require('./authConfig.js');
37 | const main = require('./app.js');
38 |
39 | authConfig.auth.authority = `https://login.microsoftonline.com/common`;
40 | authConfig.auth.clientId = "11111111-2222-3333-4444-111111111111";
41 | authConfig.auth.clientSecret = "11111111222233334444111111111111";
42 |
43 | app = await main();
44 | const SERVER_PORT = process.env.PORT || 4000;
45 | app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
46 | })
47 |
48 | it('should serve home page', async () => {
49 | const res = await request(app)
50 | .get('/');
51 |
52 | expect(res.statusCode).toEqual(200);
53 | });
54 |
55 | it('should protect id page', async () => {
56 | const res = await request(app)
57 | .get('/id');
58 |
59 | expect(res.statusCode).not.toEqual(200);
60 | });
61 | });
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/server.js:
--------------------------------------------------------------------------------
1 |
2 |
3 | const main = require("./app");
4 |
5 | (async () => {
6 | const app = await main();
7 | const SERVER_PORT = process.env.PORT || 4000;
8 |
9 | app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
10 | })();
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/App/views/home.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Home
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
17 |
18 |
19 | <% if (isAuthenticated) { %>
20 |
Welcome <%= username %>
21 | <% } else { %>
22 | Sign-in to get an ID Token
23 | <% } %>
24 |
25 |
26 |
27 |
ID
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Some of the important claims in your ID token are shown below:
17 |
20 |
21 |
22 |
23 | Claim
24 | Value
25 |
26 |
27 |
28 | <% for (const [key, value] of Object.entries(claims)) { %>
29 |
30 | <%= key %>
31 | <%= value %>
32 |
33 | <% } %>
34 |
35 |
36 |
2 | Microsoft identity platform
3 |
4 | <% if (isAuthenticated) { %>
5 |
ID
6 |
Sign-out
7 | <% } else { %>
8 |
Sign-in
9 | <% } %>
10 |
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/AppCreationScripts/sample.json:
--------------------------------------------------------------------------------
1 | {
2 | "Sample": {
3 | "Title": "A Node.js & Express web app authenticating users against Azure AD with MSAL Node",
4 | "Level": 100,
5 | "Client": "Node.js & Express web app",
6 | "RepositoryUrl": "ms-identity-javascript-nodejs-tutorial",
7 | "Endpoint": "AAD v2.0"
8 | },
9 | "AADApps": [
10 | {
11 | "Id": "client",
12 | "Name": "msal-node-webapp",
13 | "Kind": "WebApp",
14 | "Audience": "AzureADMyOrg",
15 | "HomePage": "http://localhost:4000",
16 | "ReplyUrls": "http://localhost:4000/redirect",
17 | "Certificate": "Auto",
18 | "PasswordCredentials": "Auto",
19 | "Sdk": "MsalNode",
20 | "SampleSubPath": "1-Authentication\\1-sign-in\\App",
21 | "OptionalClaims": {
22 | "AccessTokenClaims": ["acct"]
23 | }
24 | }
25 | ],
26 | "CodeConfiguration": [
27 | {
28 | "App": "client",
29 | "SettingKind": "Replace",
30 | "SettingFile": "\\..\\App\\authConfig.js",
31 | "Mappings": [
32 | {
33 | "key": "Enter_the_Application_Id_Here",
34 | "value": ".AppId"
35 | },
36 | {
37 | "key": "Enter_the_Tenant_Info_Here",
38 | "value": "$tenantId"
39 | },
40 | {
41 | "key": "Enter_the_Client_Secret_Here",
42 | "value": ".AppKey"
43 | }
44 | ]
45 | }
46 | ]
47 | }
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/ReadmeFiles/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/73e71223bd33720975bbed2b6518d4d8e2730913/1-Authentication/1-sign-in/ReadmeFiles/screenshot.png
--------------------------------------------------------------------------------
/1-Authentication/1-sign-in/ReadmeFiles/topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/73e71223bd33720975bbed2b6518d4d8e2730913/1-Authentication/1-sign-in/ReadmeFiles/topology.png
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/authConfig.js:
--------------------------------------------------------------------------------
1 | /**
2 | * For enhanced security, consider using client certificates instead of secrets.
3 | * See README-use-certificate.md for more.
4 | */
5 | const authConfig = {
6 | auth: {
7 | authority: 'https://Enter_the_B2C_Tenant_Subdomain_Here.b2clogin.com/Enter_the_B2C_Tenant_Subdomain_Here.onmicrosoft.com/Enter_the_Policy_Name_Here',
8 | clientId: "Enter_the_Application_Id_Here",
9 | clientSecret: "Enter_the_Client_Secret_Here",
10 | // clientCertificate: {
11 | // thumbprint: "YOUR_CERT_THUMBPRINT",
12 | // privateKey: fs.readFileSync('PATH_TO_YOUR_PRIVATE_KEY_FILE'),
13 | // }
14 | redirectUri: "/redirect",
15 | knownAuthorities: ["Enter_the_B2C_Tenant_Subdomain_Here.b2clogin.com"],
16 | },
17 | system: {
18 | loggerOptions: {
19 | loggerCallback: (logLevel, message, containsPii) => {
20 | if (containsPii) {
21 | return;
22 | }
23 | console.log(message);
24 | },
25 | piiLoggingEnabled: false,
26 | logLevel: 3,
27 | },
28 | }
29 | };
30 |
31 | module.exports = authConfig;
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/controllers/mainController.js:
--------------------------------------------------------------------------------
1 | exports.getHomePage = (req, res, next) => {
2 | const username = req.authContext.getAccount() ? req.authContext.getAccount().username : '';
3 | res.render('home', { isAuthenticated: req.authContext.isAuthenticated(), username: username });
4 | }
5 |
6 | exports.getIdPage = (req, res, next) => {
7 | const account = req.authContext.getAccount();
8 |
9 | const claims = {
10 | name: account.idTokenClaims.name,
11 | sub: account.idTokenClaims.sub
12 | };
13 |
14 | res.render('id', {isAuthenticated: req.authContext.isAuthenticated(), claims: claims});
15 | }
16 |
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "msal-node-tutorial-signin-b2c",
3 | "version": "1.0.0",
4 | "description": "A Node.js & Express web app authenticating users against Azure AD B2C using MSAL Node",
5 | "main": "server.js",
6 | "scripts": {
7 | "start": "node server.js",
8 | "dev": "nodemon server.js",
9 | "test": "jest --forceExit",
10 | "postinstall": "cd ../../../Common/msal-node-wrapper && npm install"
11 | },
12 | "author": "derisen",
13 | "license": "MIT",
14 | "dependencies": {
15 | "bootstrap": "^5.3.3",
16 | "ejs": "^3.1.10",
17 | "express": "^4.19.2",
18 | "express-session": "^1.18.0",
19 | "msal-node-wrapper": "file:../../../Common/msal-node-wrapper"
20 | },
21 | "devDependencies": {
22 | "jest": "^29.7.0",
23 | "nodemon": "^3.1.0",
24 | "supertest": "^7.0.0"
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/public/style.css:
--------------------------------------------------------------------------------
1 | h1 {
2 | color: red;
3 | }
4 |
5 | #card-div {
6 | min-width: 40%;
7 | margin: 5% auto 5% auto;
8 | }
9 |
10 | #form-area-div {
11 | width: 55%;
12 | margin: 5% auto 5% auto;
13 | }
14 |
15 | .table-area-div {
16 | width: 70%;
17 | margin: 5% auto 5% auto;
18 | }
19 |
20 | #editButton {
21 | margin-top: 20px;
22 | margin-bottom: -25px;
23 | }
24 |
25 | .footer {
26 | position: fixed;
27 | left: 0;
28 | bottom: 0;
29 | width: 100%;
30 | text-align: center;
31 | }
32 |
33 |
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/sample.test.js:
--------------------------------------------------------------------------------
1 | const request = require('supertest');
2 |
3 | describe('Sanitize configuration object', () => {
4 | let authConfig;
5 |
6 | beforeAll(() => {
7 | authConfig = require('./authConfig.js');
8 | });
9 |
10 | it('should define the config object', () => {
11 | expect(authConfig).toBeDefined();
12 | });
13 |
14 | it('should not contain client Id', () => {
15 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
16 | expect(regexGuid.test(authConfig.auth.clientId)).toBe(false);
17 | });
18 |
19 | it('should not contain tenant Id', () => {
20 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
21 | expect(regexGuid.test(authConfig.auth.tenantId)).toBe(false);
22 | });
23 |
24 | it('should not contain client secret', () => {
25 | const regexSecret = /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{34,}$/;
26 | expect(regexSecret.test(authConfig.auth.clientSecret)).toBe(false);
27 | });
28 | });
29 |
30 | describe('Ensure pages served', () => {
31 | let app;
32 |
33 | beforeAll(async () => {
34 | process.env.NODE_ENV = 'test';
35 |
36 | const authConfig = require('./authConfig.js');
37 | const main = require('./app.js');
38 |
39 | authConfig.auth.authority = `https://login.microsoftonline.com/common`;
40 | authConfig.auth.clientId = "11111111-2222-3333-4444-111111111111";
41 | authConfig.auth.clientSecret = "11111111222233334444111111111111";
42 |
43 | app = await main();
44 | const SERVER_PORT = process.env.PORT || 4000;
45 | app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
46 | })
47 |
48 | it('should serve home page', async () => {
49 | const res = await request(app)
50 | .get('/');
51 |
52 | expect(res.statusCode).toEqual(200);
53 | });
54 |
55 | it('should protect id page', async () => {
56 | const res = await request(app)
57 | .get('/id');
58 |
59 | expect(res.statusCode).not.toEqual(200);
60 | });
61 | });
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/server.js:
--------------------------------------------------------------------------------
1 |
2 |
3 | const main = require("./app");
4 |
5 | (async () => {
6 | const app = await main();
7 | const SERVER_PORT = process.env.PORT || 4000;
8 |
9 | app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
10 | })();
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/App/views/home.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Home
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
17 |
18 |
19 | <% if (isAuthenticated) { %>
20 |
Welcome <%= username %>
21 | <% } else { %>
22 | Sign-in to get an ID Token
23 | <% } %>
24 |
25 |
26 |
27 |
ID
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Some of the important claims in your ID token are shown below:
17 |
20 |
21 |
22 |
23 | Claim
24 | Value
25 |
26 |
27 |
28 | <% for (const [key, value] of Object.entries(claims)) { %>
29 |
30 | <%= key %>
31 | <%= value %>
32 |
33 | <% } %>
34 |
35 |
36 |
2 | Microsoft identity platform
3 |
4 | <% if (isAuthenticated) { %>
5 |
ID
6 |
Sign-out
7 | <% } else { %>
8 |
Sign-in
9 | <% } %>
10 |
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/AppCreationScripts/sample.json:
--------------------------------------------------------------------------------
1 | {
2 | "Sample": {
3 | "Title": "A Node.js & Express web app authenticating users against Azure AD B2C with MSAL Node",
4 | "Level": 100,
5 | "Client": "Node.js & Express web app",
6 | "RepositoryUrl": "ms-identity-javascript-nodejs-tutorial",
7 | "Endpoint": "AAD v2.0",
8 | "Provider": "B2C"
9 | },
10 | "AADApps": [
11 | {
12 | "Id": "client",
13 | "Name": "msal-node-webapp",
14 | "Kind": "WebApp",
15 | "Audience": "AzureADandPersonalMicrosoftAccount",
16 | "HomePage": "http://localhost:4000",
17 | "ReplyUrls": "http://localhost:4000/redirect",
18 | "PasswordCredentials": "Auto",
19 | "Certificate": "Auto",
20 | "Sdk": "MsalNode",
21 | "SampleSubPath": "1-Authentication\\2-sign-in-b2c\\App"
22 | }
23 | ],
24 | "CodeConfiguration": [
25 | {
26 | "App": "client",
27 | "SettingKind": "Replace",
28 | "SettingFile": "\\..\\App\\authConfig.js",
29 | "Mappings": [
30 | {
31 | "key": "Enter_the_Application_Id_Here",
32 | "value": ".AppId"
33 | },
34 | {
35 | "key": "Enter_the_Tenant_Info_Here",
36 | "value": "$tenantId"
37 | },
38 | {
39 | "key": "Enter_the_Client_Secret_Here",
40 | "value": ".AppKey"
41 | }
42 | ]
43 | }
44 | ]
45 | }
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/ReadmeFiles/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/73e71223bd33720975bbed2b6518d4d8e2730913/1-Authentication/2-sign-in-b2c/ReadmeFiles/screenshot.png
--------------------------------------------------------------------------------
/1-Authentication/2-sign-in-b2c/ReadmeFiles/topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/73e71223bd33720975bbed2b6518d4d8e2730913/1-Authentication/2-sign-in-b2c/ReadmeFiles/topology.png
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/app.js:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | const path = require('path');
7 | const express = require('express');
8 | const session = require('express-session');
9 | const { WebAppAuthProvider } = require('msal-node-wrapper');
10 |
11 | const authConfig = require('./authConfig.js');
12 | const mainRouter = require('./routes/mainRoutes');
13 |
14 | async function main() {
15 |
16 | // initialize express
17 | const app = express();
18 |
19 | /**
20 | * Using express-session middleware. Be sure to familiarize yourself with available options
21 | * and set them as desired. Visit: https://www.npmjs.com/package/express-session
22 | */
23 | app.use(session({
24 | secret: 'ENTER_YOUR_SECRET_HERE',
25 | resave: false,
26 | saveUninitialized: false,
27 | cookie: {
28 | httpOnly: true,
29 | secure: process.env.NODE_ENV === "production", // set this to true on production
30 | }
31 | }));
32 |
33 | app.use(express.urlencoded({ extended: false }));
34 | app.use(express.json());
35 |
36 | app.set('views', path.join(__dirname, './views'));
37 | app.set('view engine', 'ejs');
38 |
39 | app.use('/css', express.static(path.join(__dirname, 'node_modules/bootstrap/dist/css')));
40 | app.use('/js', express.static(path.join(__dirname, 'node_modules/bootstrap/dist/js')));
41 |
42 | app.use(express.static(path.join(__dirname, './public')));
43 |
44 | try {
45 | // initialize the wrapper
46 | const authProvider = await WebAppAuthProvider.initialize(authConfig);
47 |
48 | // initialize the auth middleware before any route handlers
49 | app.use(authProvider.authenticate({
50 | protectAllRoutes: true, // this will force login for all routes if the user is not already
51 | acquireTokenForResources: {
52 | "graph.microsoft.com": { // you can specify the resource name as you wish
53 | scopes: ["User.Read"],
54 | routes: ["/profile"] // this will acquire a token for the graph on these routes
55 | },
56 | }
57 | }));
58 |
59 | app.use(mainRouter);
60 |
61 | /**
62 | * This error handler is needed to catch interaction_required errors thrown by MSAL.
63 | * Make sure to add it to your middleware chain after all your routers, but before any other
64 | * error handlers.
65 | */
66 | app.use(authProvider.interactionErrorHandler());
67 |
68 | return app;
69 | } catch (error) {
70 | console.log(error);
71 | process.exit(1);
72 | }
73 | }
74 |
75 | module.exports = main;
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/authConfig.js:
--------------------------------------------------------------------------------
1 | /**
2 | * For enhanced security, consider using client certificates instead of secrets.
3 | * See README-use-certificate.md for more.
4 | */
5 | const authConfig = {
6 | auth: {
7 | authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here",
8 | clientId: "Enter_the_Application_Id_Here",
9 | clientSecret: "Enter_the_Client_Secret_Here",
10 | // clientCertificate: {
11 | // thumbprint: "YOUR_CERT_THUMBPRINT",
12 | // privateKey: fs.readFileSync('PATH_TO_YOUR_PRIVATE_KEY_FILE'),
13 | // }
14 | redirectUri: "/redirect",
15 | },
16 | system: {
17 | loggerOptions: {
18 | loggerCallback: (logLevel, message, containsPii) => {
19 | if (containsPii) {
20 | return;
21 | }
22 | console.log(message);
23 | },
24 | piiLoggingEnabled: false,
25 | logLevel: 3,
26 | },
27 | }
28 | };
29 |
30 | module.exports = authConfig;
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/controllers/mainController.js:
--------------------------------------------------------------------------------
1 | const fetchManager = require('../utils/fetchManager');
2 | const graphManager = require('../utils/graphManager');
3 |
4 | exports.getHomePage = (req, res, next) => {
5 | const username = req.authContext.getAccount() ? req.authContext.getAccount().username : '';
6 | res.render('home', { isAuthenticated: req.authContext.isAuthenticated(), username: username });
7 | }
8 |
9 | exports.getIdPage = (req, res, next) => {
10 | const account = req.authContext.getAccount();
11 |
12 | const claims = {
13 | name: account.idTokenClaims.name,
14 | preferred_username: account.idTokenClaims.preferred_username,
15 | oid: account.idTokenClaims.oid,
16 | sub: account.idTokenClaims.sub
17 | };
18 |
19 | res.render('id', {isAuthenticated: req.authContext.isAuthenticated(), claims: claims});
20 | }
21 |
22 | exports.getProfilePage = async (req, res, next) => {
23 | try {
24 | /**
25 | * If you have configured your authenticate middleware accordingly, you should be
26 | * able to get the access token for the Microsoft Graph API from the cache. If not,
27 | * you will need to acquire and cache the token yourself.
28 | */
29 | let accessToken = req.authContext.getCachedTokenForResource("graph.microsoft.com");
30 |
31 | if (!accessToken) {
32 |
33 | /**
34 | * You can acquire a token for the Microsoft Graph API as shown below. Note that
35 | * if an interaction required error is thrown, you need to catch it and pass it
36 | * to the interactionErrorHandler middleware.
37 | */
38 | const tokenResponse = await req.authContext.acquireToken({
39 | scopes: ["User.Read"],
40 | account: req.authContext.getAccount(),
41 | })(req, res, next);
42 |
43 | accessToken = tokenResponse.accessToken;
44 | }
45 |
46 | const graphClient = graphManager.getAuthenticatedClient(accessToken);
47 |
48 | const profile = await graphClient
49 | .api('/me')
50 | .get();
51 |
52 | res.render('profile', { isAuthenticated: req.authContext.isAuthenticated(), profile: profile });
53 | } catch (error) {
54 | // pass error to error middleware for handling
55 | next(error);
56 | }
57 | }
58 |
59 | exports.getTenantPage = async (req, res, next) => {
60 | try {
61 | const tokenResponse = await req.authContext.acquireToken({
62 | scopes: ["https://management.azure.com/user_impersonation"],
63 | account: req.authContext.getAccount(),
64 | })(req, res, next);
65 |
66 | const tenant = await fetchManager.callAPI("https://management.azure.com/tenants?api-version=2020-01-01", tokenResponse.accessToken);
67 | res.render('tenant', { isAuthenticated: req.authContext.isAuthenticated(), tenant: tenant.value[0] });
68 | } catch (error) {
69 | next(error);
70 | }
71 | }
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "msal-node-tutorial-call-graph",
3 | "version": "1.0.0",
4 | "description": "A Node.js & Express web app calling Microsoft Graph using MSAL Node and MS Graph SDK",
5 | "main": "server.js",
6 | "scripts": {
7 | "start": "node server.js",
8 | "dev": "nodemon server.js",
9 | "test": "jest --forceExit",
10 | "postinstall": "cd ../../../Common/msal-node-wrapper && npm install"
11 | },
12 | "author": "derisen",
13 | "license": "MIT",
14 | "dependencies": {
15 | "@microsoft/microsoft-graph-client": "^3.0.7",
16 | "bootstrap": "^5.3.3",
17 | "ejs": "^3.1.10",
18 | "express": "^4.19.2",
19 | "express-session": "^1.18.0",
20 | "isomorphic-fetch": "^3.0.0",
21 | "msal-node-wrapper": "file:../../../Common/msal-node-wrapper"
22 | },
23 | "devDependencies": {
24 | "jest": "^29.7.0",
25 | "nodemon": "^3.1.0",
26 | "supertest": "^7.0.0"
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/public/style.css:
--------------------------------------------------------------------------------
1 | h1 {
2 | color: red;
3 | }
4 |
5 | #card-div {
6 | min-width: 40%;
7 | margin: 5% auto 5% auto;
8 | }
9 |
10 | #form-area-div {
11 | width: 55%;
12 | margin: 5% auto 5% auto;
13 | }
14 |
15 | .table-area-div {
16 | width: 70%;
17 | margin: 5% auto 5% auto;
18 | }
19 |
20 | .footer {
21 | position: fixed;
22 | left: 0;
23 | bottom: 0;
24 | width: 100%;
25 | text-align: center;
26 | }
27 |
28 |
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/routes/mainRoutes.js:
--------------------------------------------------------------------------------
1 | const express = require('express');
2 |
3 | const mainController = require('../controllers/mainController');
4 |
5 | // initialize router
6 | const router = express.Router();
7 |
8 | // app routes
9 | router.get('/', mainController.getHomePage);
10 |
11 | // secure routes
12 | router.get('/id', mainController.getIdPage);
13 |
14 | // auth routes
15 | router.get(
16 | '/signout',
17 | (req, res, next) => {
18 | return req.authContext.logout({
19 | postLogoutRedirectUri: "/",
20 | })(req, res, next);
21 | }
22 | );
23 |
24 | router.get(
25 | '/profile',
26 | mainController.getProfilePage
27 | );
28 |
29 | router.get(
30 | '/tenant',
31 | mainController.getTenantPage
32 | );
33 |
34 | module.exports = router;
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/sample.test.js:
--------------------------------------------------------------------------------
1 | const request = require('supertest');
2 |
3 | describe('Sanitize configuration object', () => {
4 | let authConfig;
5 |
6 | beforeAll(() => {
7 | authConfig = require('./authConfig.js');
8 | });
9 |
10 | it('should define the config object', () => {
11 | expect(authConfig).toBeDefined();
12 | });
13 |
14 | it('should not contain client Id', () => {
15 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
16 | expect(regexGuid.test(authConfig.auth.clientId)).toBe(false);
17 | });
18 |
19 | it('should not contain tenant Id', () => {
20 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
21 | expect(regexGuid.test(authConfig.auth.tenantId)).toBe(false);
22 | });
23 |
24 | it('should not contain client secret', () => {
25 | const regexSecret = /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{34,}$/;
26 | expect(regexSecret.test(authConfig.auth.clientSecret)).toBe(false);
27 | });
28 | });
29 |
30 | describe('Ensure pages served', () => {
31 | let app;
32 |
33 | beforeAll(async () => {
34 | process.env.NODE_ENV = 'test';
35 |
36 | const authConfig = require('./authConfig.js');
37 | const main = require('./app.js');
38 |
39 | authConfig.auth.authority = `https://login.microsoftonline.com/common`;
40 | authConfig.auth.clientId = "11111111-2222-3333-4444-111111111111";
41 | authConfig.auth.clientSecret = "11111111222233334444111111111111";
42 |
43 | app = await main();
44 | const SERVER_PORT = process.env.PORT || 4000;
45 | app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
46 | })
47 |
48 | it('should serve home page', async () => {
49 | const res = await request(app)
50 | .get('/');
51 |
52 | expect(res.statusCode).toEqual(302);
53 | });
54 |
55 | it('should protect id page', async () => {
56 | const res = await request(app)
57 | .get('/id');
58 |
59 | expect(res.statusCode).not.toEqual(200);
60 | });
61 | });
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/server.js:
--------------------------------------------------------------------------------
1 |
2 |
3 | const main = require("./app");
4 |
5 | (async () => {
6 | const app = await main();
7 | const SERVER_PORT = process.env.PORT || 4000;
8 | app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`));
9 | })();
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/utils/fetchManager.js:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | const fetch = require('isomorphic-fetch');
7 |
8 | /**
9 | * Simple function to call an Azure AD protected resource
10 | */
11 | callAPI = async(endpoint, accessToken) => {
12 |
13 | if (!accessToken || accessToken === "") {
14 | throw new Error('No tokens found')
15 | }
16 |
17 | const options = {
18 | headers: {
19 | Authorization: `Bearer ${accessToken}`
20 | }
21 | };
22 |
23 | console.log('request made to web API at: ' + new Date().toString());
24 |
25 | try {
26 | const response = await fetch(endpoint, options);
27 | return response.json();
28 | } catch(error) {
29 | console.log(error)
30 | return error;
31 | }
32 | }
33 |
34 | module.exports = {
35 | callAPI
36 | };
37 |
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/utils/graphManager.js:
--------------------------------------------------------------------------------
1 | const graph = require('@microsoft/microsoft-graph-client');
2 | require('isomorphic-fetch');
3 |
4 | /**
5 | * Creating a Graph client instance via options method. For more information, visit:
6 | * https://github.com/microsoftgraph/msgraph-sdk-javascript/blob/dev/docs/CreatingClientInstance.md#2-create-with-options
7 | */
8 | getAuthenticatedClient = (accessToken) => {
9 | // Initialize Graph client
10 | const client = graph.Client.init({
11 | // Use the provided access token to authenticate requests
12 | authProvider: (done) => {
13 | done(null, accessToken);
14 | }
15 | });
16 |
17 | return client;
18 | }
19 |
20 | module.exports = {
21 | getAuthenticatedClient,
22 | }
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/views/home.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Home
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
17 |
18 |
19 | <% if (isAuthenticated) { %>
20 |
Welcome <%= username %>
21 |
Get my profile
22 |
Get my tenant
23 | <% } else { %>
24 |
Sign-in to access your resources
25 | <% } %>
26 |
27 |
28 |
29 |
ID
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Some of the important claims in your ID token are shown below:
17 |
20 |
21 |
22 |
23 | Claim
24 | Value
25 |
26 |
27 |
28 | <% for (const [key, value] of Object.entries(claims)) { %>
29 |
30 | <%= key %>
31 | <%= value %>
32 |
33 | <% } %>
34 |
35 |
36 |
2 | Microsoft identity platform
3 |
4 | <% if (isAuthenticated) { %>
5 |
ID
6 |
Sign-out
7 | <% } else { %>
8 |
Sign-in
9 | <% } %>
10 |
--------------------------------------------------------------------------------
/2-Authorization/1-call-graph/App/views/profile.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Profile
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Calling Microsoft Graph API ...
17 |
18 | resource: User objectendpoint: https://graph.microsoft.com/v1.0/me scope: user.read
22 |
Contents of the response is below:
23 |
26 |
27 |
28 |
29 | Claim
30 | Value
31 |
32 |
33 |
34 | <% for (const [key, value] of Object.entries(profile)) { %>
35 |
36 | <%= key %>
37 | <%= value %>
38 |
39 | <% } %>
40 |
41 |
42 |
Tenant
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Calling Azure Resource Manager API ...
17 |
18 | resource: Tenant objectendpoint: https://management.azure.com/tenants?api-version=2020-01-01 scope: https://management.azure.com/user_impersonation
22 |
Contents of the response is below:
23 |
26 |
27 |
28 |
29 | Claim
30 | Value
31 |
32 |
33 |
34 | <% for (const [key, value] of Object.entries(tenant)) { %>
35 |
36 | <%= key %>
37 | <%= value %>
38 |
39 | <% } %>
40 |
41 |
42 |
Home
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
17 |
18 |
19 | <% if (isAuthenticated) { %>
20 |
Welcome <%= username %>
21 |
Get my profile
22 |
Get my tenant
23 | <% } else { %>
24 |
Sign-in to access your resources
25 | <% } %>
26 |
27 |
28 |
29 |
ID
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Some of the important claims in your ID token are shown below:
17 |
20 |
21 |
22 |
23 | Claim
24 | Value
25 |
26 |
27 |
28 | <% for (const [key, value] of Object.entries(claims)) { %>
29 |
30 | <%= key %>
31 | <%= value %>
32 |
33 | <% } %>
34 |
35 |
36 |
2 | Microsoft identity platform
3 |
4 | <% if (isAuthenticated) { %>
5 |
ID
6 |
Sign-out
7 | <% } else { %>
8 |
Sign-in
9 | <% } %>
10 |
--------------------------------------------------------------------------------
/3-Deployment/App/views/profile.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Profile
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Calling Microsoft Graph API ...
17 |
18 | resource: User objectendpoint: https://graph.microsoft.com/v1.0/me scope: user.read
22 |
Contents of the response is below:
23 |
26 |
27 |
28 |
29 | Claim
30 | Value
31 |
32 |
33 |
34 | <% for (const [key, value] of Object.entries(profile)) { %>
35 |
36 | <%= key %>
37 | <%= value %>
38 |
39 | <% } %>
40 |
41 |
42 |
Tenant
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Calling Azure Resource Manager API ...
17 |
18 | resource: Tenant objectendpoint: https://management.azure.com/tenants?api-version=2020-01-01 scope: https://management.azure.com/user_impersonation
22 |
Contents of the response is below:
23 |
26 |
27 |
28 |
29 | Claim
30 | Value
31 |
32 |
33 |
34 | <% for (const [key, value] of Object.entries(tenant)) { %>
35 |
36 | <%= key %>
37 | <%= value %>
38 |
39 | <% } %>
40 |
41 |
42 |
Dashboard
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
You can only see this page if you are in TaskAdmin role
17 |
20 |
21 |
22 |
23 | Task
24 | Owner
25 |
26 |
27 |
28 | <% for (let i=0; i < todos.length; i++) { %>
29 |
30 | <%= todos[i]['name'] %>
31 | <%= todos[i]['owner'] %>
32 |
33 | <% } %>
34 |
35 |
36 |
Home
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
17 |
18 |
19 | <% if (isAuthenticated) { %>
20 |
Welcome <%= username %>
21 |
Todolist
22 |
Dashboard
23 | <% } else { %>
24 |
Sign-in to access your resources
25 | <% } %>
26 |
27 |
28 |
29 |
ID
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Some of the important claims in your ID token are shown below:
17 |
20 |
21 |
22 |
23 | Claim
24 | Value
25 |
26 |
27 |
28 | <% for (const [key, value] of Object.entries(claims)) { %>
29 |
30 | <%= key %>
31 | <%= value %>
32 |
33 | <% } %>
34 |
35 |
36 |
2 | Microsoft identity platform
3 |
4 | <% if (isAuthenticated) { %>
5 |
ID
6 |
Sign-out
7 | <% } else { %>
8 |
Sign-in
9 | <% } %>
10 |
--------------------------------------------------------------------------------
/4-AccessControl/1-app-roles/App/views/todolist.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Todolist
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
You can see this page if you are in TaskUser or TaskAdmin role
17 |
20 |
24 |
25 |
26 |
27 |
28 |
29 | <% for (let i=0; i < todos.length; i++) { %>
30 |
31 | <%= todos[i]['name'] %>
32 |
33 |
38 |
39 |
40 | <% } %>
41 |
42 |
43 |
Dashboard
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
You can only see this page if you are in TaskAdmin role
17 |
20 |
21 |
22 |
23 | Task
24 | Owner
25 |
26 |
27 |
28 | <% for (let i=0; i < todos.length; i++) { %>
29 |
30 | <%= todos[i]['name'] %>
31 | <%= todos[i]['owner'] %>
32 |
33 | <% } %>
34 |
35 |
36 |
Home
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
17 |
18 |
19 | <% if (isAuthenticated) { %>
20 |
Welcome <%= username %>
21 |
Todolist
22 |
Dashboard
23 | <% } else { %>
24 |
Sign-in to access your resources
25 | <% } %>
26 |
27 |
28 |
29 |
ID
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
Some of the important claims in your ID token are shown below:
17 |
20 |
21 |
22 |
23 | Claim
24 | Value
25 |
26 |
27 |
28 | <% for (const [key, value] of Object.entries(claims)) { %>
29 |
30 | <%= key %>
31 | <%= value %>
32 |
33 | <% } %>
34 |
35 |
36 |
2 | Microsoft identity platform
3 |
4 | <% if (isAuthenticated) { %>
5 |
ID
6 |
Sign-out
7 | <% } else { %>
8 |
Sign-in
9 | <% } %>
10 |
--------------------------------------------------------------------------------
/4-AccessControl/2-security-groups/App/views/todolist.ejs:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Todolist
10 |
11 |
12 |
13 | <%- include('includes/navbar', {isAuthenticated: isAuthenticated}); %>
14 |
15 |
16 |
You can see this page if you are in GroupMember or GroupAdmin group
17 |
20 |
24 |
25 |
26 |
27 |
28 |
29 | <% for (let i=0; i < todos.length; i++) { %>
30 |
31 | <%= todos[i]['name'] %>
32 |
33 |
38 |
39 |
40 | <% } %>
41 |
42 |
43 |
2 |
3 |
4 |
7 |
8 |
14 |
15 | Icon-identity-221
16 |
24 |
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/public/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | MSAL Express Webapp | Azure
27 |
28 |
29 | You need to enable JavaScript to run this app.
30 |
31 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/public/manifest.json:
--------------------------------------------------------------------------------
1 | {
2 | "short_name": "React App",
3 | "name": "Create React App Sample",
4 | "icons": [
5 | {
6 | "src": "favicon.svg",
7 | "sizes": "64x64 32x32 24x24 16x16",
8 | "type": "image/x-icon"
9 | }
10 | ],
11 | "start_url": ".",
12 | "display": "standalone",
13 | "theme_color": "#000000",
14 | "background_color": "#ffffff"
15 | }
16 |
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/public/robots.txt:
--------------------------------------------------------------------------------
1 | # https://www.robotstxt.org/robotstxt.html
2 | User-agent: *
3 | Disallow:
4 |
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/src/App.jsx:
--------------------------------------------------------------------------------
1 | import { PageLayout } from './components/PageLayout';
2 | import { Routes, Route } from 'react-router-dom';
3 |
4 | import { AuthProvider } from './context/AuthContext';
5 | import { Home } from './pages/Home';
6 | import { Profile } from './pages/Profile';
7 |
8 | import './styles/App.css';
9 |
10 | const Pages = () => {
11 | return (
12 |
13 |
16 | );
17 | };
18 |
19 | const App = () => {
20 | return (
21 |
22 |
23 |
25 |
26 | );
27 | };
28 |
29 | export default App;
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/src/components/NavigationBar.jsx:
--------------------------------------------------------------------------------
1 | import { Nav, Navbar, Button } from 'react-bootstrap';
2 |
3 | export const NavigationBar = ({ account, login, logout }) => {
4 | return (
5 | <>
6 |
7 |
8 | Microsoft identity platform
9 |
10 | {account ? (
11 | <>
12 |
13 | Profile
14 |
15 |
16 | { logout(); }}
22 | >
23 | Sign out
24 |
25 |
26 |
27 | ) : (
28 | <>
29 |
30 | { login(); }}
36 | >
37 | Sign in
38 |
39 |
40 |
41 | )}
42 |
43 |
44 | );
45 | };
46 |
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/src/components/PageLayout.jsx:
--------------------------------------------------------------------------------
1 | import { NavigationBar } from "./NavigationBar";
2 | import { useAuth } from '../context/AuthContext';
3 |
4 |
5 | export const PageLayout = (props) => {
6 | /**
7 | * Most applications will need to conditionally render certain components based on whether a user is signed in or not.
8 | * msal-react provides 2 easy ways to do this. AuthenticatedTemplate and UnauthenticatedTemplate components will
9 | * only render their children if a user is authenticated or unauthenticated, respectively.
10 | */
11 | const { account, login, logout } = useAuth();
12 |
13 | return (
14 | <>
15 |
18 | Microsoft Authentication Library For React - Tutorial
19 |
20 |
68 | {children}
69 |
70 | );
71 | };
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/src/index.js:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import ReactDOM from 'react-dom/client';
3 | import { BrowserRouter as Router } from 'react-router-dom';
4 |
5 | import App from './App';
6 |
7 | import 'bootstrap/dist/css/bootstrap.min.css';
8 | import './styles/index.css';
9 |
10 | const root = ReactDOM.createRoot(document.getElementById('root'));
11 | root.render(
12 |
13 |
14 |
16 |
17 | );
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/src/pages/Home.jsx:
--------------------------------------------------------------------------------
1 | import { Container } from 'react-bootstrap';
2 | import { IdTokenData } from '../components/DataDisplay';
3 | import { useAuth } from '../context/AuthContext';
4 |
5 | export const Home = () => {
6 | const { account } = useAuth();
7 |
8 | return (
9 | <>
10 |
11 | {account ?
13 |
14 | );
15 | };
--------------------------------------------------------------------------------
/5-AdvancedScenarios/1-call-graph-bff/App/client/src/pages/Profile.jsx:
--------------------------------------------------------------------------------
1 | import { useEffect, useState } from 'react';
2 | import { ProfileData } from '../components/DataDisplay';
3 | import { useAuth } from "../context/AuthContext";
4 |
5 | export const Profile = () => {
6 | const [graphData, setGraphData] = useState(null);
7 | const { account, login } = useAuth();
8 |
9 | const fetchProfileData = async () => {
10 | try {
11 | const response = await fetch('/auth/profile');
12 |
13 | if (response.ok) {
14 | const resData = await response.json();
15 | setGraphData(resData);
16 | } else if (response.status === 401) {
17 | const errorData = await response.json();
18 |
19 | if (errorData.scopes) {
20 | // if the error response contain scopes, pass them to the next login request
21 | login(window.location.href, errorData.scopes);
22 | } else {
23 | login(window.location.href);
24 | }
25 | }
26 | }
27 | catch (error) {
28 | console.log(error);
29 | }
30 | }
31 |
32 | useEffect(() => {
33 | if (!!graphData) {
34 | return;
35 | }
36 |
37 | fetchProfileData();
38 | }, [account, graphData]);
39 |
40 | return <>{graphData ? /test/**/*.spec.ts"
18 | ],
19 | transform: {
20 | "^.+\\.(ts|tsx)$": "ts-jest",
21 | },
22 | coverageReporters: [["lcov", { "projectRoot": "./" }]]
23 | };
24 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "version": "1.0.0-beta",
3 | "license": "MIT",
4 | "main": "dist/index.js",
5 | "types": "dist/index.d.ts",
6 | "files": [
7 | "dist"
8 | ],
9 | "engines": {
10 | "node": "16 || 18 || 20 || 22"
11 | },
12 | "repository": {
13 | "type": "git",
14 | "url": "git://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial.git"
15 | },
16 | "scripts": {
17 | "build": "rollup -c --strictDeprecations --bundleConfigAsCjs",
18 | "build:watch": "rollup -c --watch --strictDeprecations --bundleConfigAsCjs",
19 | "test": "jest",
20 | "test:watch": "jest --watch",
21 | "test:coverage": "jest --coverage",
22 | "lint": "eslint . --ext .ts",
23 | "lint:fix": "npm run lint -- --fix",
24 | "docs": "typedoc"
25 | },
26 | "name": "msal-node-wrapper",
27 | "author": "Microsoft",
28 | "module": "dist/msal-node-wrapper.esm.js",
29 | "devDependencies": {
30 | "@rollup/plugin-node-resolve": "^15.0.1",
31 | "@rollup/plugin-typescript": "^11.0.0",
32 | "@types/express": "^4.17.13",
33 | "@types/express-session": "^1.17.4",
34 | "@types/jest": "^25.2.3",
35 | "@types/node": "^13.13.4",
36 | "@types/sinon": "^10.0.14",
37 | "@typescript-eslint/eslint-plugin": "^5.54.1",
38 | "@typescript-eslint/parser": "^5.54.1",
39 | "eslint": "^8.35.0",
40 | "eslint-plugin-header": "^3.1.1",
41 | "eslint-plugin-import": "^2.27.5",
42 | "eslint-plugin-security": "^1.7.1",
43 | "jest": "^29.5.0",
44 | "rollup": "^3.20.1",
45 | "sinon": "^15.0.4",
46 | "supertest": "^6.1.6",
47 | "ts-jest": "^29.0.5",
48 | "tslib": "^1.10.0",
49 | "typedoc": "^0.23.28",
50 | "typescript": "^4.9.5"
51 | },
52 | "dependencies": {
53 | "@azure/msal-node": "^2.7.0",
54 | "axios": "^1.6.8",
55 | "express": "^4.19.2",
56 | "express-session": "^1.17.3"
57 | }
58 | }
59 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/rollup.config.js:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | /* eslint-disable import/no-commonjs */
7 |
8 | import { nodeResolve } from "@rollup/plugin-node-resolve";
9 | import typescript from "@rollup/plugin-typescript";
10 | import pkg from "./package.json";
11 |
12 | const libraryHeader = `/*! ${pkg.name} v${pkg.version} ${new Date().toISOString().split("T")[0]} */`;
13 | const useStrictHeader = "'use strict';";
14 | const fileHeader = `${libraryHeader}\n${useStrictHeader}`;
15 |
16 | export default [
17 | {
18 | // for cjs build
19 | input: "src/index.ts",
20 | output: {
21 | dir: "dist",
22 | format: "cjs",
23 | preserveModules: true,
24 | preserveModulesRoot: "src",
25 | banner: fileHeader,
26 | sourcemap: true
27 | },
28 | treeshake: {
29 | moduleSideEffects: false,
30 | propertyReadSideEffects: false
31 | },
32 | external: [
33 | ...Object.keys(pkg.dependencies || {}),
34 | ...Object.keys(pkg.peerDependencies || {})
35 | ],
36 | plugins: [
37 | typescript({
38 | typescript: require("typescript"),
39 | tsconfig: "tsconfig.build.json"
40 | }),
41 | nodeResolve()
42 | ]
43 | },
44 | {
45 | // for esm build
46 | input: "src/index.ts",
47 | output: {
48 | dir: "dist",
49 | format: "esm",
50 | entryFileNames: "[name].esm.js",
51 | preserveModules: true,
52 | preserveModulesRoot: "src",
53 | banner: fileHeader,
54 | sourcemap: true
55 | },
56 | treeshake: {
57 | moduleSideEffects: false,
58 | propertyReadSideEffects: false
59 | },
60 | external: [
61 | ...Object.keys(pkg.dependencies || {}),
62 | ...Object.keys(pkg.peerDependencies || {})
63 | ],
64 | plugins: [
65 | typescript({
66 | typescript: require("typescript"),
67 | tsconfig: "tsconfig.build.json"
68 | }),
69 | nodeResolve()
70 | ]
71 | }
72 |
73 | ];
74 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/config/ConfigurationTypes.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { NodeAuthOptions, NodeSystemOptions, CacheOptions } from "@azure/msal-node";
7 |
8 | export type AuthConfig = {
9 | auth: Omit;
10 | system?: NodeSystemOptions,
11 | cache?: CacheOptions
12 | };
13 |
14 | export type WebAppAuthConfig = AuthConfig & {
15 | auth: NodeAuthOptions & AuthRoutes;
16 | };
17 |
18 | export type AuthRoutes = {
19 | redirectUri: string;
20 | frontChannelLogoutUri?: string;
21 | postLogoutRedirectUri?: string;
22 | };
23 |
24 | export type ProtectedResourcesMap = Record;
25 |
26 | export type ProtectedResourceParams = {
27 | scopes: Array,
28 | routes: Array
29 | };
30 |
31 | export enum AppType {
32 | WebApp
33 | }
34 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/error/AccessDeniedError.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { AuthError, AccountInfo } from "@azure/msal-node";
7 |
8 | /**
9 | * Contains string constants used by error codes and messages.
10 | */
11 | export const AccessDeniedErrorMessage = {
12 | unauthorizedAccessError: {
13 | code: "401",
14 | desc: "Unauthorized"
15 | },
16 | forbiddenAccessError: {
17 | code: "403",
18 | desc: "Forbidden"
19 | }
20 | };
21 |
22 | /**
23 | * Error thrown when the user is not authorized to access a route
24 | */
25 | export class AccessDeniedError extends AuthError {
26 | route?: string;
27 | account?: AccountInfo;
28 |
29 | constructor(errorCode: string, errorMessage?: string, route?: string, account?: AccountInfo) {
30 | super(errorCode, errorMessage);
31 | this.name = "AccessDeniedError";
32 | this.route = route;
33 | this.account = account;
34 |
35 | Object.setPrototypeOf(this, AccessDeniedError.prototype);
36 | }
37 |
38 | /**
39 | * Creates an error when access is unauthorized
40 | *
41 | * @returns {AccessDeniedError} Empty issuer error
42 | */
43 | static createUnauthorizedAccessError(route?: string, account?: AccountInfo): AccessDeniedError {
44 | return new AccessDeniedError(
45 | AccessDeniedErrorMessage.unauthorizedAccessError.code,
46 | AccessDeniedErrorMessage.unauthorizedAccessError.desc,
47 | route,
48 | account
49 | );
50 | }
51 |
52 | /**
53 | * Creates an error when the access is forbidden
54 | *
55 | * @returns {AccessDeniedError} Empty issuer error
56 | */
57 | static createForbiddenAccessError(route?: string, account?: AccountInfo): AccessDeniedError {
58 | return new AccessDeniedError(
59 | AccessDeniedErrorMessage.forbiddenAccessError.code,
60 | AccessDeniedErrorMessage.forbiddenAccessError.desc,
61 | route,
62 | account
63 | );
64 | }
65 | }
66 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/error/InteractionRequiredError.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { InteractionRequiredAuthError } from "@azure/msal-node";
7 | import { LoginOptions, TokenRequestOptions } from "../middleware/MiddlewareOptions";
8 |
9 | /**
10 | * Error thrown when user interaction is required.
11 | */
12 | export class InteractionRequiredError extends InteractionRequiredAuthError {
13 | requestOptions: LoginOptions;
14 |
15 | constructor(errorCode: string, errorMessage?: string, subError?: string, originalRequest?: TokenRequestOptions) {
16 | super(errorCode, errorMessage, subError);
17 | this.name = "InteractionRequiredError";
18 | this.requestOptions = {
19 | scopes: originalRequest?.scopes || [],
20 | claims: originalRequest?.claims,
21 | state: originalRequest?.state,
22 | sid: originalRequest?.sid,
23 | loginHint: originalRequest?.loginHint,
24 | domainHint: originalRequest?.domainHint,
25 | extraQueryParameters: originalRequest?.extraQueryParameters,
26 | extraScopesToConsent: originalRequest?.extraScopesToConsent,
27 | tokenBodyParameters: originalRequest?.tokenBodyParameters,
28 | tokenQueryParameters: originalRequest?.tokenQueryParameters,
29 | };
30 |
31 | Object.setPrototypeOf(this, InteractionRequiredError.prototype);
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/index.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { AccountInfo, AuthenticationResult, AuthorizationCodeRequest } from "@azure/msal-node";
7 | import { AuthContext } from "./middleware/context/AuthContext";
8 |
9 | declare module "express-session" {
10 | interface SessionData {
11 | account: AccountInfo;
12 | isAuthenticated: boolean;
13 | protectedResources: Record
14 | tokenRequestParams: AuthorizationCodeRequest;
15 | tokenCache?: string,
16 | }
17 | }
18 |
19 | declare global {
20 | // eslint-disable-next-line @typescript-eslint/no-namespace
21 | namespace Express {
22 | export interface Request {
23 | authContext: AuthContext;
24 | }
25 | }
26 | }
27 |
28 | export {
29 | InteractionRequiredAuthError,
30 | NodeSystemOptions,
31 | AuthError,
32 | Logger,
33 | AccountInfo
34 | } from "@azure/msal-node";
35 |
36 | export { WebAppAuthProvider } from "./provider/WebAppAuthProvider";
37 | export { AuthContext, RequestContext } from "./middleware/context/AuthContext";
38 |
39 | export {
40 | WebAppAuthConfig,
41 | AuthConfig,
42 | AuthRoutes,
43 | ProtectedResourceParams,
44 | ProtectedResourcesMap,
45 | } from "./config/ConfigurationTypes";
46 |
47 | export {
48 | RouteGuardOptions,
49 | AuthenticateMiddlewareOptions,
50 | LoginOptions,
51 | LogoutOptions,
52 | TokenRequestOptions,
53 | AppState,
54 | IdTokenClaims,
55 | } from "./middleware/MiddlewareOptions";
56 |
57 | export { AccessDeniedError } from "./error/AccessDeniedError";
58 |
59 | export { InteractionRequiredError } from "./error/InteractionRequiredError";
60 |
61 | export { packageVersion } from "./packageMetadata";
62 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/middleware/MiddlewareOptions.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { CommonEndSessionRequest, TokenClaims } from "@azure/msal-common";
7 | import { AuthorizationUrlRequest, AuthorizationCodeRequest, AccountInfo } from "@azure/msal-node";
8 | import { ProtectedResourcesMap } from "../config/ConfigurationTypes";
9 |
10 | export type AuthenticateMiddlewareOptions = {
11 | protectAllRoutes?: boolean;
12 | acquireTokenForResources?: ProtectedResourcesMap
13 | };
14 |
15 | export type LoginOptions = Pick & Pick & {
16 | postLoginRedirectUri?: string;
17 | postFailureRedirectUri?: string;
18 | };
19 |
20 | export type LogoutOptions = Pick & {
21 | postLogoutRedirectUri?: string;
22 | idpLogout?: boolean;
23 | clearCache?: boolean;
24 | };
25 |
26 | export type TokenRequestOptions = LoginOptions & {
27 | account?: AccountInfo;
28 | };
29 |
30 | export type TokenRequestMiddlewareOptions = {
31 | resourceName: string;
32 | };
33 |
34 | export type RouteGuardOptions = {
35 | forceLogin?: boolean;
36 | postLoginRedirectUri?: string;
37 | postFailureRedirectUri?: string;
38 | idTokenClaims?: IdTokenClaims;
39 | };
40 |
41 | export type AppState = {
42 | redirectTo: string;
43 | customState?: string;
44 | };
45 |
46 | export type IdTokenClaims = TokenClaims & {
47 | aud?: string;
48 | roles?: string[];
49 | groups?: string[];
50 | _claim_names?: string[];
51 | _claim_sources?: string[];
52 | xms_cc?: string;
53 | acrs?: string[];
54 | [key: string]: string | number | string[] | object | undefined | unknown;
55 | };
56 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/middleware/errorMiddleware.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { Request, Response, NextFunction, ErrorRequestHandler } from "express";
7 | import { WebAppAuthProvider } from "../provider/WebAppAuthProvider";
8 | import { InteractionRequiredError } from "../error/InteractionRequiredError";
9 |
10 | function errorMiddleware(this: WebAppAuthProvider): ErrorRequestHandler {
11 | return (err: unknown, req: Request, res: Response, next: NextFunction): Response | void => {
12 | if (err instanceof InteractionRequiredError) {
13 | return req.authContext.login({
14 | postLoginRedirectUri: err.requestOptions.postLoginRedirectUri || req.originalUrl,
15 | ...err.requestOptions
16 | })(req, res, next);
17 | }
18 |
19 | next(err);
20 | };
21 | }
22 |
23 | export default errorMiddleware;
24 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/middleware/guardMiddleware.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { Request, Response, NextFunction, RequestHandler } from "express";
7 | import { WebAppAuthProvider } from "../provider/WebAppAuthProvider";
8 | import { RouteGuardOptions } from "./MiddlewareOptions";
9 | import { AccessDeniedError } from "../error/AccessDeniedError";
10 |
11 | function guardMiddleware(
12 | this: WebAppAuthProvider,
13 | options: RouteGuardOptions
14 | ): RequestHandler {
15 | return (req: Request, res: Response, next: NextFunction): void | Response => {
16 | if (!req.authContext.isAuthenticated()) {
17 | if (options.forceLogin) {
18 | return req.authContext.login({
19 | postLoginRedirectUri: req.originalUrl,
20 | scopes: [],
21 | })(req, res, next);
22 | }
23 |
24 | return next(AccessDeniedError.createUnauthorizedAccessError(req.originalUrl, req.authContext.getAccount()));
25 | }
26 |
27 | if (options.idTokenClaims) {
28 | const tokenClaims = req.authContext.getAccount()?.idTokenClaims || {};
29 | const requiredClaims = options.idTokenClaims;
30 |
31 | const hasClaims = Object.keys(requiredClaims).every((claim: string) => {
32 | if (requiredClaims[claim] && tokenClaims[claim]) {
33 | switch (typeof requiredClaims[claim]) {
34 | case "string" || "number":
35 | return requiredClaims[claim] === tokenClaims[claim];
36 |
37 | case "object":
38 | if (Array.isArray(requiredClaims[claim])) {
39 | const requiredClaimsArray = requiredClaims[claim] as [];
40 | const tokenClaimsArray = tokenClaims[claim] as [];
41 |
42 | return requiredClaimsArray.some(
43 | (requiredClaim) => tokenClaimsArray.indexOf(requiredClaim) >= 0
44 | );
45 | }
46 | break;
47 |
48 | default:
49 | break;
50 | }
51 | }
52 |
53 | return false;
54 | });
55 |
56 | if (!hasClaims) {
57 | return next(AccessDeniedError.createForbiddenAccessError(req.originalUrl, req.authContext.getAccount()));
58 | }
59 | }
60 |
61 | next();
62 | };
63 | }
64 |
65 | export default guardMiddleware;
66 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/middleware/handlers/loginHandler.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { Request, Response, NextFunction, RequestHandler } from "express";
7 | import { ResponseMode } from "@azure/msal-common";
8 | import { AuthorizationCodeRequest, AuthorizationUrlRequest } from "@azure/msal-node";
9 | import { WebAppAuthProvider } from "../../provider/WebAppAuthProvider";
10 | import { LoginOptions, AppState } from "../MiddlewareOptions";
11 | import { UrlUtils } from "../../utils/UrlUtils";
12 | import { EMPTY_STRING } from "../../utils/Constants";
13 |
14 | function loginHandler(
15 | this: WebAppAuthProvider,
16 | options: LoginOptions
17 | ): RequestHandler {
18 | return async (req: Request, res: Response, next: NextFunction): Promise => {
19 | this.getLogger().trace("loginHandler called");
20 |
21 | const state: AppState = {
22 | redirectTo: options.postLoginRedirectUri || "/",
23 | customState: options.state
24 | };
25 |
26 | const authUrlParams: AuthorizationUrlRequest = {
27 | state: this.getCryptoProvider().base64Encode(JSON.stringify(state)),
28 | redirectUri: UrlUtils.ensureAbsoluteUrl(
29 | this.webAppAuthConfig.auth.redirectUri,
30 | req.protocol,
31 | req.get("host") || req.hostname
32 | ),
33 | responseMode: ResponseMode.FORM_POST,
34 | scopes: options.scopes || [],
35 | prompt: options.prompt || undefined,
36 | claims: options.claims || undefined,
37 | account: options.account || undefined,
38 | sid: options.sid || undefined,
39 | loginHint: options.loginHint || undefined,
40 | domainHint: options.domainHint || undefined,
41 | extraQueryParameters: options.extraQueryParameters || undefined,
42 | extraScopesToConsent: options.extraScopesToConsent || undefined,
43 | };
44 |
45 | req.session.tokenRequestParams = {
46 | scopes: authUrlParams.scopes,
47 | state: authUrlParams.state,
48 | redirectUri: authUrlParams.redirectUri,
49 | claims: authUrlParams.claims,
50 | tokenBodyParameters: options.tokenBodyParameters,
51 | tokenQueryParameters: options.tokenQueryParameters,
52 | code: EMPTY_STRING,
53 | } as AuthorizationCodeRequest;
54 |
55 | try {
56 | const response = await this.getMsalClient().getAuthCodeUrl(authUrlParams);
57 | res.redirect(response);
58 | } catch (error) {
59 | next(error);
60 | }
61 | };
62 | }
63 |
64 | export default loginHandler;
65 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/middleware/handlers/logoutHandler.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { Request, Response, RequestHandler } from "express";
7 | import { WebAppAuthProvider } from "../../provider/WebAppAuthProvider";
8 | import { LogoutOptions } from "../MiddlewareOptions";
9 | import { UrlUtils } from "../../utils/UrlUtils";
10 |
11 | function logoutHandler(
12 | this: WebAppAuthProvider,
13 | options: LogoutOptions
14 | ): RequestHandler {
15 | return async (req: Request, res: Response): Promise => {
16 | this.getLogger().trace("logoutHandler called");
17 |
18 | const shouldLogoutFromIdp = options.idpLogout ? options.idpLogout : true;
19 | let logoutUri = options.postLogoutRedirectUri || "/";
20 |
21 | const account = req.authContext.getAccount();
22 |
23 | if (account) {
24 | try {
25 | const tokenCache = this.getMsalClient().getTokenCache();
26 | const cachedAccount = await tokenCache.getAccountByHomeId(account.homeAccountId);
27 |
28 | if (cachedAccount) {
29 | await tokenCache.removeAccount(cachedAccount);
30 | }
31 | } catch (error) {
32 | this.logger.error(`Error occurred while clearing cache for user: ${JSON.stringify(error)}`);
33 | }
34 | }
35 |
36 | if (shouldLogoutFromIdp) {
37 | /**
38 | * Construct a logout URI and redirect the user to end the
39 | * session with Azure AD. For more information, visit:
40 | * (AAD) https://docs.microsoft.com/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
41 | * (B2C) https://docs.microsoft.com/azure/active-directory-b2c/openid-connect#send-a-sign-out-request
42 | */
43 |
44 | const postLogoutRedirectUri = UrlUtils.ensureAbsoluteUrl(
45 | options.postLogoutRedirectUri || "/",
46 | req.protocol,
47 | req.get("host") || req.hostname
48 | );
49 |
50 | // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
51 | logoutUri = `${UrlUtils.enforceTrailingSlash(this.getMsalConfig().auth.authority!)}/oauth2/v2.0/logout?post_logout_redirect_uri=${postLogoutRedirectUri}`;
52 | }
53 |
54 | req.session.destroy(() => {
55 | res.redirect(logoutUri);
56 | });
57 | };
58 | }
59 |
60 | export default logoutHandler;
61 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/middleware/handlers/redirectHandler.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { Request, Response, NextFunction, RequestHandler } from "express";
7 | import { StringUtils } from "@azure/msal-common";
8 | import { AuthorizationCodePayload, AuthorizationCodeRequest } from "@azure/msal-node";
9 | import { WebAppAuthProvider } from "../../provider/WebAppAuthProvider";
10 | import { AppState } from "../MiddlewareOptions";
11 | import { ErrorMessages } from "../../utils/Constants";
12 |
13 | function redirectHandler(this: WebAppAuthProvider): RequestHandler {
14 | return async (req: Request, res: Response, next: NextFunction): Promise => {
15 | this.getLogger().trace("redirectHandler called");
16 |
17 | if (!req.body || !req.body.code) {
18 | return next(new Error(ErrorMessages.AUTH_CODE_RESPONSE_NOT_FOUND));
19 | }
20 |
21 | const tokenRequest = {
22 | ...req.session.tokenRequestParams,
23 | code: req.body.code as string
24 | } as AuthorizationCodeRequest;
25 |
26 | try {
27 | const msalInstance = this.getMsalClient();
28 |
29 | if (req.session.tokenCache) {
30 | msalInstance.getTokenCache().deserialize(req.session.tokenCache);
31 | }
32 |
33 | const tokenResponse = await msalInstance.acquireTokenByCode(
34 | tokenRequest,
35 | req.body as AuthorizationCodePayload
36 | );
37 |
38 | req.session.tokenCache = msalInstance.getTokenCache().serialize();
39 | // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
40 | req.session.account = tokenResponse.account!; // account will never be null in this grant type
41 | req.session.isAuthenticated = true;
42 |
43 | const { redirectTo } = req.body.state ?
44 | StringUtils.jsonParseHelper(
45 | this.getCryptoProvider().base64Decode(req.body.state as string)
46 | ) as AppState
47 | :
48 | { redirectTo: "/" };
49 |
50 | res.redirect(redirectTo);
51 | } catch (error) {
52 | next(error);
53 | }
54 | };
55 | }
56 |
57 | export default redirectHandler;
58 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/packageMetadata.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | export const packageName = "msal-node-wrapper";
7 | export const packageVersion = "beta";
8 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/provider/BaseAuthProvider.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { Logger } from "@azure/msal-common";
7 | import { ConfidentialClientApplication, Configuration, CryptoProvider } from "@azure/msal-node";
8 | import { AuthConfig } from "../config/ConfigurationTypes";
9 | import { DEFAULT_LOGGER_OPTIONS } from "../utils/Constants";
10 | import { packageName, packageVersion } from "../packageMetadata";
11 |
12 | export abstract class BaseAuthProvider {
13 | protected authConfig: AuthConfig;
14 | protected msalConfig: Configuration;
15 | protected cryptoProvider: CryptoProvider;
16 | protected logger: Logger;
17 |
18 | protected constructor(authConfig: AuthConfig, msalConfig: Configuration) {
19 | this.authConfig = authConfig;
20 | this.msalConfig = msalConfig;
21 | this.cryptoProvider = new CryptoProvider();
22 | this.logger = new Logger(
23 | this.msalConfig.system?.loggerOptions || DEFAULT_LOGGER_OPTIONS,
24 | packageName,
25 | packageVersion
26 | );
27 | }
28 |
29 | getAuthConfig(): AuthConfig {
30 | return this.authConfig;
31 | }
32 |
33 | getMsalConfig(): Configuration {
34 | return this.msalConfig;
35 | }
36 |
37 | getCryptoProvider(): CryptoProvider {
38 | return this.cryptoProvider;
39 | }
40 |
41 | getLogger(): Logger {
42 | return this.logger;
43 | }
44 |
45 | getMsalClient(): ConfidentialClientApplication {
46 | return new ConfidentialClientApplication(this.msalConfig);
47 | }
48 | }
49 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/src/utils/UrlUtils.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { IUri, UrlString } from "@azure/msal-common";
7 | import { Request } from "express";
8 |
9 | export class UrlUtils {
10 | /**
11 | * Returns the absolute URL from a given request and path string
12 | * @param {string} url: a given URL
13 | * @param {string} protocol: protocol of the request
14 | * @param {string} host: host of the request
15 | * @returns {string}
16 | */
17 | static ensureAbsoluteUrl = (url: string, protocol: string, host: string): string => {
18 | const urlComponents: IUri = new UrlString(url).getUrlComponents();
19 |
20 | if (!urlComponents.Protocol) {
21 | if (!urlComponents.HostNameAndPort && !url.startsWith("www")) {
22 | if (!url.startsWith("/")) {
23 | return protocol + "://" + host + "/" + url;
24 | }
25 | return protocol + "://" + host + url;
26 | }
27 | return protocol + "://" + url;
28 | } else {
29 | return url;
30 | }
31 | };
32 |
33 | /**
34 | * Given a URL string, ensures that it is an absolute URL
35 | * @param {Request} req: Express request object
36 | * @param {string} url: a given URL
37 | * @returns {string}
38 | */
39 | static ensureAbsoluteUrlFromRequest = (req: Request, url?: string): string => {
40 | if (url) {
41 | return UrlUtils.ensureAbsoluteUrl(url, req.protocol, req.get("host") || req.hostname);
42 | } else {
43 | return UrlUtils.ensureAbsoluteUrl(req.originalUrl, req.protocol, req.get("host") || req.hostname);
44 | }
45 | };
46 |
47 | /**
48 | * Checks if the URL from a given request matches a given URL
49 | * @param {Request} req: Express request object
50 | * @param {string} url: a given URL
51 | * @returns {boolean}
52 | */
53 | static checkIfRequestsMatch = (req: Request, url: string): boolean => {
54 | return UrlUtils.ensureAbsoluteUrlFromRequest(req) === UrlUtils.ensureAbsoluteUrlFromRequest(req, url);
55 | };
56 |
57 | /**
58 | * Returns the path segment from a given URL
59 | * @param {string} url: a given URL
60 | * @returns {string}
61 | */
62 | static getPathFromUrl = (url: string): string => {
63 | const urlComponents: IUri = new UrlString(url).getUrlComponents();
64 | return `/${urlComponents.PathSegments.join("/")}`;
65 | };
66 |
67 | /**
68 | * Ensures that the path contains a leading slash at the start
69 | * @param {string} path: a given path
70 | * @returns {string}
71 | */
72 | static enforceLeadingSlash = (path: string): string => {
73 | return path.split("")[0] === "/" ? path : "/" + path;
74 | };
75 |
76 | /**
77 | * Ensures that the URL contains a trailing slash at the end
78 | * @param {string} url: a given path
79 | * @returns {string}
80 | */
81 | static enforceTrailingSlash = (url: string): string => {
82 | return url.endsWith("/") ? url : url + "/";
83 | };
84 | }
85 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/test/config/ConfigurationHelper.spec.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { ConfigurationHelper } from "../../src/config/ConfigurationHelper";
7 | import { TEST_AUTH_CONFING, TEST_MSAL_CONFIG } from "../TestConstants";
8 |
9 | describe("MSAL configuration builder tests", () => {
10 | it("should instantiate a valid msal configuration object", () => {
11 | const msalConfig = ConfigurationHelper.getMsalConfiguration(TEST_AUTH_CONFING);
12 |
13 | expect(msalConfig).toBeDefined();
14 |
15 | expect(msalConfig).toMatchObject(TEST_MSAL_CONFIG);
16 | });
17 | });
18 |
19 | describe("Configuration helper tests", () => {
20 |
21 | it("should detect a GUID", () => {
22 | const guid1 = "0D4C9F3E-A8C5-4D4C-B8B0-C8E8E8E8E8E8";
23 | const guid2 = "81b8a568-2442-4d53-8d6c-ededab4b7c62";
24 | const guid3 = "81b8a56824424d538d6cededab4b7c62";
25 | const guid4 = "Very pleasant pineapple";
26 | const guid5 = "";
27 |
28 | expect(ConfigurationHelper.isGuid(guid1)).toBe(true);
29 | expect(ConfigurationHelper.isGuid(guid2)).toBe(true);
30 | expect(ConfigurationHelper.isGuid(guid3)).toBe(false);
31 | expect(ConfigurationHelper.isGuid(guid4)).toBe(false);
32 | expect(ConfigurationHelper.isGuid(guid5)).toBe(false);
33 | });
34 |
35 | it("should get effective scopes from a given list of scopes", () => {
36 | const scopes = "email openid profile offline_access User.Read calendars.read".split(" ");
37 | const effectiveScopes = ConfigurationHelper.getEffectiveScopes(scopes);
38 | expect(effectiveScopes).toEqual(["User.Read", "calendars.read"]);
39 | expect(["User.Read", "calendars.read"].every(elem => effectiveScopes.includes(elem))).toBe(true);
40 | });
41 |
42 | it("should return instance from a given authority", () => {
43 | expect(ConfigurationHelper.getInstanceFromAuthority("https://login.microsoftonline.com/81b8a56824424d538d6cededab4b7c62"))
44 | .toBe("login.microsoftonline.com");
45 |
46 | expect(ConfigurationHelper.getInstanceFromAuthority("https://login.microsoftonline.com/81b8a56824424d538d6cededab4b7c62/"))
47 | .toBe("login.microsoftonline.com");
48 | });
49 |
50 | it("should return tenantId from a given authority", () => {
51 | expect(ConfigurationHelper.getTenantIdFromAuthority("https://login.microsoftonline.com/81b8a56824424d538d6cededab4b7c62"))
52 | .toBe("81b8a56824424d538d6cededab4b7c62");
53 |
54 | expect(ConfigurationHelper.getTenantIdFromAuthority("https://login.microsoftonline.com/81b8a56824424d538d6cededab4b7c62/"))
55 | .toBe("81b8a56824424d538d6cededab4b7c62");
56 |
57 | expect(ConfigurationHelper.getTenantIdFromAuthority("https://login.microsoftonline.com/mytenant.onmicrosoft.com"))
58 | .toBe("mytenant.onmicrosoft.com");
59 | });
60 |
61 | });
62 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/test/utils/UrlUtils.spec.ts:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) Microsoft Corporation. All rights reserved.
3 | * Licensed under the MIT License.
4 | */
5 |
6 | import { UrlUtils } from "../../src/utils/UrlUtils";
7 |
8 | describe("Url utilities tests", () => {
9 | it("should ensure a given url is absolute", () => {
10 | const absoluteUrl = "https://www.microsoft.com/myPath";
11 |
12 | const url1 = "/myPath";
13 | const url2 = "myPath";
14 | const url3 = "www.microsoft.com/myPath";
15 | const protocol = "https";
16 | const host = "www.microsoft.com";
17 |
18 | expect(UrlUtils.ensureAbsoluteUrl(url1, protocol, host)).toBe(absoluteUrl);
19 | expect(UrlUtils.ensureAbsoluteUrl(url2, protocol, host)).toBe(absoluteUrl);
20 | expect(UrlUtils.ensureAbsoluteUrl(url3, protocol, host)).toBe(absoluteUrl);
21 | });
22 |
23 | it("should get path component from a given url", () => {
24 | const url1 = "https://localhost:8080/path/to/resource";
25 | const url2 = "https://localhost:8080/path/to/resource?query=value";
26 | const url3 = "https://localhost:8080/path/to/resource#fragment";
27 | const url4 = "https://localhost:8080/path/to/resource?query=value#fragment";
28 | const url5 = "/path/to/resource";
29 |
30 | expect(UrlUtils.getPathFromUrl(url1)).toEqual("/path/to/resource");
31 | expect(UrlUtils.getPathFromUrl(url2)).toEqual("/path/to/resource");
32 | expect(UrlUtils.getPathFromUrl(url3)).toEqual("/path/to/resource");
33 | expect(UrlUtils.getPathFromUrl(url4)).toEqual("/path/to/resource");
34 | expect(UrlUtils.getPathFromUrl(url5)).toEqual("/path/to/resource");
35 | });
36 | });
37 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/tsconfig.build.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "./tsconfig.json",
3 | "compilerOptions": {
4 | "rootDir": "./src"
5 | },
6 | "include": ["src"]
7 | }
8 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "include": [
3 | "src",
4 | "test"
5 | ],
6 | "exclude": [
7 | "node_modules"
8 | ],
9 | "compilerOptions": {
10 | "target": "es2020",
11 | "module": "esnext",
12 | "declaration": true,
13 | "declarationMap": true,
14 | "lib": [
15 | "dom",
16 | "esnext"
17 | ],
18 | "importHelpers": true,
19 | "sourceMap": true,
20 | "rootDir": "./",
21 | "outDir": "./dist",
22 | "strict": true,
23 | "noImplicitAny": true,
24 | "strictNullChecks": true,
25 | "strictFunctionTypes": true,
26 | "strictPropertyInitialization": false,
27 | "noImplicitThis": true,
28 | "alwaysStrict": true,
29 | "noUnusedLocals": true,
30 | "noUnusedParameters": true,
31 | "noImplicitReturns": true,
32 | "noFallthroughCasesInSwitch": true,
33 | "resolveJsonModule": true,
34 | "moduleResolution": "node",
35 | "jsx": "react",
36 | "esModuleInterop": true,
37 | "experimentalDecorators": true
38 | },
39 | "compileOnSave": false,
40 | "buildOnSave": false
41 | }
42 |
--------------------------------------------------------------------------------
/Common/msal-node-wrapper/typedoc.json:
--------------------------------------------------------------------------------
1 | {
2 | "entryPoints": [
3 | "src/index.ts",
4 | ],
5 | "out": "../../docs",
6 | "excludePrivate": true,
7 | "excludeProtected": true,
8 | "excludeExternals": true,
9 | "readme": "./README.md"
10 | }
11 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) Microsoft Corporation.
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE
22 |
--------------------------------------------------------------------------------