This sample demonstrates an MSAL Node confidential client application that lets users authenticate against Microsoft Entra ID.
This sample requires a certificate. A set of example certificate (public and private key) is placed in the certs folder. You can use them for testing but we recommend you generate your own certificate. Certificate generation and related topics are discussed in Using Certificates with MSAL Node.
Locate the folder where package.json
resides in your terminal. Then type:
npm install
- Navigate to the Microsoft Entra admin center and select the Microsoft Entra ID service.
- Select the App Registrations blade on the left, then select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
ms-identity-nodejs-webapp
. - Under Supported account types, select Accounts in this organizational directory only.
- In the Redirect URI (optional) section, select Web in the combo-box and enter the following redirect URI:
https://localhost:3000/redirect
.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
- Select Register to create the application.
- In the app's registration screen, find and note the Application (client) ID and Directory (Tenant) ID. You use these values in your app's configuration file(s) later.
- In the app's registration screen, select the Certificates & secrets blade in the left.
- Click on Upload certificate and select the certificate file to upload.
- Click Add. Once the certificate is uploaded, the thumbprint, start date, and expiration values are displayed.
Secrets should never be hardcoded. The dotenv npm package can be used to store secrets or certificates in a .env file (located in project's root directory) that should be included in .gitignore to prevent accidental uploads of the secrets.
Certificates can also be read-in from files via NodeJS's fs module. However, they should never be stored in the project's directory. Production apps should fetch certificates from Azure KeyVault, or other secure key vaults.
Please see certificates and secrets for more information.
Before running the sample, you will need to replace the values in the configuration object:
import "dotenv/config"; // process.env now has the values defined in a .env file
const config = {
auth: {
clientId: "ENTER_CLIENT_ID",
authority: "https://login.microsoftonline.com/ENTER_TENANT_ID",
clientCertificate: {
thumbprint: process.env.clientCertificate,
privateKey: process.env.privateKey,
}
}
};
In the same folder, type:
npm start
The server should start at port 3000. Navigate to https://localhost:3000
in your browser, which will trigger the token acquisition process.