Multiple Issuers for common-endpoint


According to the passport-azure-ad documentation, I should be able to specify a list of issuers as a string array.

However, I'm having trouble getting the second example below to work.

The first example works fine:

Example 1 - Works with a token issued by <TENANT_1_GUID>

{
  identityMetadata: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
  issuer: [
    'https://login.microsoftonline.com/<TENANT_1_GUID>/v2.0'
  ],
  clientID: '<APP_GUID>',
  validateIssuer: true,
}

Example 2 - Does not work with a token issued by <TENANT_1_GUID> or <TENANT_2_GUID>

But my problem is that the token is not successfully validated when a list of acceptable issuers is provided:

{
  identityMetadata: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
  issuer: [
    'https://login.microsoftonline.com/<TENANT_1_GUID>/v2.0',
    'https://login.microsoftonline.com/<TENANT_2_GUID>/v2.0'
  ],
  clientID: '<APP_GUID>',
  validateIssuer: true,
}

Is this not the correct way to validate a token that could have come from one of two tenants?

Thanks!



Glen226 On

I've come up with something that works: I created a middleware with passport in it:

const jwt = require('jsonwebtoken');
const passport = require('passport');
const BearerStrategy = require('passport-azure-ad').BearerStrategy;

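// Issuer URL -> name under which the matching BearerStrategy is registered.
// A Map (not a plain object) so a hostile `iss` such as "constructor" or
// "__proto__" cannot hit an inherited property.
const ACCEPTED_ISSUERS = new Map([
  ['https://login.microsoftonline.com/<TENANT_1_GUID>/v2.0', 'oauth-bearer-company1'],
  ['https://login.microsoftonline.com/<TENANT_2_GUID>/v2.0', 'oauth-bearer-company2'],
]);

// Strategy names already handed to passport.use(); registration is global and
// only needs to happen once per process, not once per request.
const registeredStrategies = new Set();

/**
 * Verify callback for BearerStrategy: accept the validated token as the user.
 *
 * passport-azure-ad invokes this as `(token, done)` normally and as
 * `(req, token, done)` when `passReqToCallback` is enabled, so the token is
 * always the second-to-last argument and `done` the last. Handling both
 * arities keeps the middleware correct whichever way the env var is set.
 */
function acceptToken(...args) {
  const done = args[args.length - 1];
  const token = args[args.length - 2];
  return done(null, token);
}

/**
 * Extract the credentials from an RFC 6750 `Authorization: Bearer <token>` header.
 *
 * @param {object} req - incoming request; only `req.headers.authorization` is read
 * @returns {string | undefined} the raw token, or undefined when the header is
 *   missing, not a string, or does not use the Bearer scheme
 */
function bearerTokenFrom(req) {
  const header = req.headers.authorization;
  if (typeof header !== 'string') return undefined;
  const [scheme, credentials] = header.split(' ');
  if (scheme?.toLowerCase() !== 'bearer' || !credentials) return undefined;
  return credentials;
}

/**
 * Return the passport strategy name for an accepted issuer, registering the
 * BearerStrategy on first use.
 *
 * @param {string} issuer - the `iss` claim taken from the (not yet verified) token
 * @returns {string | undefined} strategy name, or undefined for an unknown issuer
 */
function strategyFor(issuer) {
  const name = ACCEPTED_ISSUERS.get(issuer);
  if (name === undefined) return undefined;

  if (!registeredStrategies.has(name)) {
    const options = {
      identityMetadata: process.env.passport_identityMetadata,
      // Single issuer per strategy: this is what BearerStrategy compares `iss` against.
      issuer,
      clientID: process.env.passport_clientID,
      // Environment variables are strings, so 'false' would otherwise be truthy.
      passReqToCallback: process.env.passport_passReqToCallback === 'true',
      loggingLevel: 'error',
      loggingNoPII: true,
    };
    passport.use(name, new BearerStrategy(options, acceptToken));
    registeredStrategies.add(name);
  }
  return name;
}

/**
 * Express-style middleware that validates an Azure AD bearer token issued by
 * one of the tenants in ACCEPTED_ISSUERS.
 *
 * The token's `iss` claim is read with `jwt.decode`, which does NOT verify the
 * signature. That unverified value is used only to select which strategy runs;
 * the selected BearerStrategy then performs the real validation (signature,
 * audience, issuer) before `acceptToken` is reached, so a forged `iss` can at
 * most pick a strategy that rejects the token. Tokens whose issuer is not in
 * the accepted set are rejected outright rather than being checked against a
 * default tenant, which makes the failure explicit.
 *
 * Responds 401 with `{ message: "Unauthorized" }` on any failure it detects
 * itself; failures inside passport are reported by passport's own handling.
 *
 * @param {object} req
 * @param {object} res
 * @param {Function} next
 */
module.exports = (req, res, next) => {
  try {
    const rawToken = bearerTokenFrom(req);
    // jwt.decode returns null for anything that is not a JWT.
    const claims = rawToken === undefined ? null : jwt.decode(rawToken);
    const issuer = claims?.iss;
    const strategyName = typeof issuer === 'string' ? strategyFor(issuer) : undefined;

    if (strategyName === undefined) {
      res.status(401).json({ message: 'Unauthorized' });
      return;
    }

    passport.authenticate(strategyName, { session: false })(req, res, next);
  } catch (error) {
    // Keep the reason server-side; the client only learns that auth failed.
    console.error('[auth] bearer middleware error:', error.message);
    res.status(401).json({ message: 'Unauthorized' });
  }
};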