
b2c-webapp-openidconnect-nodejs's Issues

tenantName from config not propagated to passports OIDCStrategy

I had to add tenantName: config.creds.tenantName to the setup of the OIDCStrategy in app.js to make it work.

passport.use(new OIDCStrategy({
    callbackURL: config.creds.returnURL,
    realm: config.creds.realm,
    clientID: config.creds.clientID,
    clientSecret: config.creds.clientSecret,
    oidcIssuer: config.creds.issuer,
    identityMetadata: config.creds.identityMetadata,
    skipUserProfile: config.creds.skipUserProfile,
    responseType: config.creds.responseType,
    responseMode: config.creds.responseMode,
    tenantName: config.creds.tenantName
  }, ....

It might also be useful to add a note to your README that you may need to change the SignIn and SignUp policy names (in index.ejs) to your own B2C policy names.

After updating the profile via the corresponding feature, the response with the user information doesn't return the updated values.

Hi,
I have correctly configured the project and the demo app works.

I have only one strange behaviour when I use the Update Profile feature. I tried to update the DisplayName field and saved the changes. Then the redirect returned to my app page, but the information about the user wasn't updated (I checked inside the Azure dashboard and there the information was correctly updated).

  • I tried to log out and log in again with the same user, but nothing, the problem persisted.
  • I tried to log in with the same user in another browser in incognito mode, but nothing, the problem persisted.
  • The last test was to restart the nodejs server and magically, after login, the information was updated.

I have also tried changing exports.useMongoDBSessionStore to both true and false, but the problem remains. Restarting the server is the only solution.

Can anyone help me?

Best,
Alberto

Enabling B2C on Node.js Web App deployed to app service

I'm trying to get B2C working on my web app, which has been deployed (at least I think so) to App Service. The website itself is not accessible (https://b2ctestingwebapp.azurewebsites.net), although the portal said it deployed correctly.

[screenshot]

I use Bitbucket to deploy. Web app errors:

[screenshot]

I tested it locally successfully, but B2C does not work after deployment. My redirect URLs are:

[screenshot]

[screenshot]

[screenshot]

And finally, the B2C tenant app registration:

[screenshot]

I'd highly appreciate some insight.

Problem about Login - Not supported currently. Use oid claim

Hi,
when I try to log in I receive undefined user information and a generic error "Not supported currently. Use oid claim".
This is the profile data:

{ id: 'Not supported currently. Use oid claim.',
  displayName: undefined,
  name: 
   { familyName: undefined,
     givenName: undefined,
     middleName: undefined },
  email: undefined,
  _raw: '{"exp":1444149494,"nbf":1444145894,"ver":"1.0","iss":"https://login.microsoftonline.com/37ccb809-e43a-4f37-8755-a949fab6c277/v2.0/","acr":"b2c_1_signinpolicytest","sub":"Not supported currently. Use oid claim.","aud":"437a8c5e-426f-43ec-a498-7a2feec02fd6","nonce":"aFxFGVhcBH8QgJmk","iat":1444145894,"auth_time":1444145894}',
  _json: 
   { exp: 1444149494,
     nbf: 1444145894,
     ver: '1.0',
     iss: 'https://login.microsoftonline.com/37ccb809-e43a-4f37-8755-a949fab6c277/v2.0/',
     acr: 'b2c_1_signinpolicytest',
     sub: 'Not supported currently. Use oid claim.',
     aud: '437a8c5e-426f-43ec-a498-7a2feec02fd6',
     nonce: 'aFxFGVhcBH8QgJmk',
     iat: 1444145894,
     auth_time: 1444145894 } }

Fetching Metadata is Broken

I'm sure my configuration is correct, but I'm getting the "Cannot get AAD Federation metadata from endpoint you specified" error. In a browser, the specified endpoint works, but with the additional query-string parameters it returns a 404.

For example, the specified endpoint is:

https://login.microsoftonline.com/<my tenant GUID>/v2.0/.well-known/openid-configuration

which returns the metadata, but with the additional query-string parameters, e.g.:

https://login.microsoftonline.com/<my tenant GUID>/v2.0/.well-known/openid-configuration?x-client-SKU=passport-azure-ad&x-client-Ver=3.0.8&p=b2c_1_signin

a 404 is returned.

PLEASE, PLEASE, PLEASE make sure your documentation and samples are up to date. It is hard enough to come to grips with AAD in general due to inconsistent terminology, a multitude of configuration options and pages in the portal.

Bad Request - Request Too Long

I believe I've updated config.js as directed, started the Mongo instance and also run the app. However, after the first page (showing the Sign In, Sign Up, ... options), my sign-up and sign-in links give me:
[screenshot]
"HTTP Error 400. The size of the request headers is too long."
(Btw, I had to modify connect() to look like:
mongoose.connect(config.databaseUri, { useMongoClient: true }))
Is the HTTP error 400 anything to do with cookies? I have to clear cookies for the app to work.
I'm currently hosting the app on localhost:3000; the redirectUrl is 'http://localhost:3000/auth/openid/return'. This mirrors what is set on the Azure B2C tenant as well. This is my config file:

exports.creds = {
  // Required. It must be the tenant-specific endpoint; the common endpoint is not supported
  // with B2C.
  identityMetadata: 'https://login.microsoftonline.com/cgib2cAD.onmicrosoft.com/v2.0/.well-known/openid-configuration', 
  // or equivalently: 'https://login.microsoftonline.com/<tenant_guid>/v2.0/.well-known/openid-configuration'

  // Required, the client ID of your app in AAD  
  clientID: '<>',

  // Required, must be 'code', 'code id_token', 'id_token code' or 'id_token'.
  // If you want to get an access_token, this must be 'code', 'code id_token' or 'id_token code'.
  responseType: 'code id_token', 

  // Required
  responseMode: 'form_post', 

  // Required, the reply URL registered in AAD for your app
  redirectUrl: 'http://localhost:3000/auth/openid/return', 

  // Required if we use http for redirectUrl
  allowHttpForRedirectUrl: true,
  
  // Required if `responseType` is 'code', 'id_token code' or 'code id_token'. 
  // If app key contains '\', replace it with '\\'.
  clientSecret: '<>', 

  // Required, must be true for B2C
  isB2C: true,

  // Set to false if you don't want to validate the issuer.
  validateIssuer: true,

  // Required if you want to provide the issuer(s) to validate instead of using the issuer from metadata.
  issuer: null,

  // Must be set to true if the `verify` function has 'req' as the first parameter.
  passReqToCallback: false,

  // Recommended to set to true. By default we save state in express session, if this option is set to true, then
  // we encrypt state and save it in cookie instead. This option together with { session: false } allows your app
  // to be completely express session free.
  useCookieInsteadOfSession: true,

  // Required if `useCookieInsteadOfSession` is set to true. You can provide multiple key/iv pairs for key
  // rollover. The first key/iv pair is always used to encrypt the cookie, but every pair is tried when
  // decrypting it. Key can be any string of length 32, and iv can be any string of length 12.
  cookieEncryptionKeys: [ 
    { 'key': '12345678901234567890123456789012', 'iv': '123456789012' },
    { 'key': 'abcdefghijklmnopqrstuvwxyzabcdef', 'iv': 'abcdefghijkl' }
  ],

  // Optional. The additional scope you want besides 'openid'
  // (1) if you want refresh_token, use 'offline_access'
  // (2) if you want access_token, use the clientID
  scope: ['offline_access'],

  // Optional, 'error', 'warn' or 'info'
  loggingLevel: 'info',

  // Optional. The lifetime of the nonce in session or cookie; the default value is 3600 (seconds).
  nonceLifetime: null,

  // Optional. The maximum number of nonces saved in session or cookie; the default value is 10.
  nonceMaxAmount: 5,

  // Optional. The clock skew allowed in token validation; the default value is 300 seconds.
  clockSkew: null,
};

// The URL you need to visit to destroy the session with AAD:
// replace <tenant_name> with your tenant name, and
// replace <signin_policy_name> with your sign-in policy name.
exports.destroySessionUrl = 
  'https://login.microsoftonline.com/cgib2cAD.onmicrosoft.com/oauth2/v2.0/logout' +
  '?p=B2C_1_customUITrial' +
  '&post_logout_redirect_uri=http://localhost:3000';

// Set to true to use the MongoDB session store for the session middleware; otherwise the default
// session store provided by express-session is used.
// Note that the default session store is designed for development purposes only.
exports.useMongoDBSessionStore = true;

// If you use MongoDB, provide the URI of the database here.
exports.databaseUri = 'mongodb://localhost/OIDCStrategy';

// How long to keep the session in MongoDB.
exports.mongoDBSessionMaxAge = 24 * 60 * 60;  // 1 day (unit is second)

How may I solve the problem? Obviously, if the consumer is forced to clear cookies to use the app, that would be a problem. Would this be resolved with a custom domain? Any insight would be highly appreciated.

Problems with issuer

I'm having problems when I use the passport-azure-ad package. Particularly, the output of app.js says this:

{"name":"AzureAD: OIDC Passport Strategy","hostname":"Llorenç-PC","pid":14872,"level":40,"msg":"We are not validating the issuer. This is fine if you are expecting multiple organizations to connect to your app. Otherwise you should validate the issuer.","time":"2016-05-24T10:06:43.738Z","v":0}

How can I validate the issuer?

Other question:

How can I get the id_token to obtain the user claims?
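A claim check of the kind a verify callback needs for the two questions above (validating the issuer, and not relying on the placeholder `sub`), as an added example that is not part of the sample project: it pins `iss` to the tenant, `aud` to the client ID, puts the policy (`acr`) on an allow-list, checks the lifetime, and keys the user on `oid`. The expected values are taken from the token dump in the "Not supported currently. Use oid claim" issue above; the policy allow-list and the `oid` value in the second payload are constructed placeholders, and signature and nonce verification are assumed to be done by the strategy before the callback runs.

```javascript
// Added example, not the sample project's code: validate a decoded B2C id_token
// payload the way a verify callback should. Signature and nonce are assumed to be
// checked by the strategy before this runs.
const EXPECTED = {
  tenantGuid: '37ccb809-e43a-4f37-8755-a949fab6c277', // from the iss claim in the issue above
  clientID: '437a8c5e-426f-43ec-a498-7a2feec02fd6',   // from the aud claim in the issue above
  policies: ['b2c_1_signinpolicytest'],                // assumed allow-list of B2C policies
};

// B2C returned this literal in `sub` (see the dump above); the stable user identifier is `oid`.
const SUB_PLACEHOLDER = 'Not supported currently. Use oid claim.';

function validateB2CClaims(claims, expected, nowSeconds) {
  const errors = [];
  const issuer = `https://login.microsoftonline.com/${expected.tenantGuid}/v2.0/`;
  if (claims.iss !== issuer) errors.push(`issuer mismatch: ${claims.iss}`);
  if (claims.aud !== expected.clientID) errors.push('audience mismatch');
  if (!expected.policies.includes(claims.acr)) errors.push(`policy not allowed: ${claims.acr}`);
  if (typeof claims.exp !== 'number' || nowSeconds >= claims.exp) errors.push('token expired');
  if (typeof claims.nbf === 'number' && nowSeconds < claims.nbf) errors.push('token not yet valid');
  // Never use `sub` as the user key for B2C; it is the placeholder string above.
  let userId = null;
  if (typeof claims.oid === 'string' && claims.oid.length > 0) {
    userId = claims.oid;
  } else if (claims.sub === SUB_PLACEHOLDER) {
    errors.push('sub is the B2C placeholder and no oid claim is present');
  } else {
    errors.push('no oid claim');
  }
  return { ok: errors.length === 0, userId, errors };
}

// Constructed sample: the _json payload from the issue above, which carries no `oid`.
const issuePayload = {
  exp: 1444149494, nbf: 1444145894, ver: '1.0',
  iss: 'https://login.microsoftonline.com/37ccb809-e43a-4f37-8755-a949fab6c277/v2.0/',
  acr: 'b2c_1_signinpolicytest', sub: SUB_PLACEHOLDER,
  aud: '437a8c5e-426f-43ec-a498-7a2feec02fd6', nonce: 'aFxFGVhcBH8QgJmk',
  iat: 1444145894, auth_time: 1444145894,
};

// Constructed variant with an `oid` claim (placeholder value), as a policy that emits the Object ID produces.
const payloadWithOid = { ...issuePayload, oid: '00000000-0000-0000-0000-000000000000' };

// Evaluate both at a constructed "now" inside the token's nbf..exp window.
const NOW = 1444146000;
const resultWithoutOid = validateB2CClaims(issuePayload, EXPECTED, NOW); // ok: false, userId: null
const resultWithOid = validateB2CClaims(payloadWithOid, EXPECTED, NOW);  // ok: true
```

The first result fails only on the missing `oid`, which is exactly what the sample's verify callback saw when it used `profile.id` (mapped from `sub`) as the user key.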

need help

@gsacavdm @brandwe @lovemaths I configured two applications with B2C under the same client.

Applications:

  1. asp.net core using cookie auth
  2. node.js using OIDCStrategy

and updated the node.js app with CORS.

Now I want to make an AJAX call to my node.js endpoint from my asp.net core app like this:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:3000/account', true);
xhr.withCredentials = true;
xhr.send(null);

How can I configure my

passport.use(new OIDCStrategy({
    identityMetadata: config.creds.identityMetadata,
    clientID: config.creds.clientID,
    responseType: config.creds.responseType,
    responseMode: config.creds.responseMode,
    redirectUrl: config.creds.redirectUrl,
    allowHttpForRedirectUrl: config.creds.allowHttpForRedirectUrl,
    clientSecret: config.creds.clientSecret,
    validateIssuer: config.creds.validateIssuer,
    isB2C: config.creds.isB2C,
    issuer: config.creds.issuer,
    passReqToCallback: config.creds.passReqToCallback,
    scope: config.creds.scope,
    loggingLevel: config.creds.loggingLevel,
    nonceLifetime: config.creds.nonceLifetime,
    nonceMaxAmount: config.creds.nonceMaxAmount,
    useCookieInsteadOfSession: config.creds.useCookieInsteadOfSession,
    cookieEncryptionKeys: config.creds.cookieEncryptionKeys,
    clockSkew: config.creds.clockSkew,
  },

so that the auth will be picked up by the node.js app?

Authentication failed: Policy is missing

I got this error while trying to authenticate a user against B2C:
authentication failed due to: In collectInfoFromReq: policy is missing

I have created my policy in B2C but I have no idea how and where I should specify it.
