Node JS auth request validation

[jennyf19]

Node JS validation replacement for passport.js

Dear Node JS customers,

We understand that many of you have been frustrated by the lack of a replacement for this deprecated passport.js library. We want you to know that we hear your concerns and are actively working on a solution. In the meantime, we want to assure you that we haven't forgotten about you. Auth validation is very complicated and hard to get right. For this reason, we will leverage Microsoft.IdentityModel, which has a proven track record over many years, and is hitting impressive perf metrics with the latest improvements in IdentityModel 7x on .NET 8, making Ahead of Time (AOT) comparable with non-AOT, especially in terms of request per second, which is very promising for our goal of covering all services, regardless of language with Microsoft.IdentityModel.

We are experimenting with a simple wrapper over a shared library in Node JS that will allow you to continue using the Microsoft identity platforms. This wrapper is currently only available to internal Microsoft services, but we're working hard to make it available to all of our customers as soon as possible. Thank you for your patience and understanding as we work to improve our offerings. We'll keep you updated as we make progress on this front. Please provide us with your feedback/questions/concerns as we go through this process together.

[mdodge-ecgrow]

Thank you for the update.
So just to clarify, at this time we should continue to use the Microsoft Azure Active Directory Passport.js Plug-In until this new Identity Model wrapper is finished?

[jennyf19]

The passport.js plug-in was deprecated before a replacement was created. It is no longer maintained and not receiving security updates/fixes.
We will post here any updates on the wrapper and as soon as we have something you can try, we will definitely let you know.

[CrazyBaran]

@jennyf19 3 weeks pass and still nothing about @azure/node-token-validation? Is it not even possible to share some under development package?

[CrazyBaran]

@jennyf19 Something new in topic of replacement?

[anthonyhoegberg]

Any news here?

[renanbatel]

Never would expect from MS to deprecated a library before creating a replacement, unbelievable

[lucassith]

Really? In my development team, everyone agrees that Microsoft is the first element to fail. Whether it's source code, the cloud, or tools, it's always in the microsoft realm where something fails.

[mccolljr]

Has there been any progress on this front?

[mccolljr]

Also - although this will be like talking to a brick wall, you said:

Please provide us with your feedback/questions/concerns as we go through this process together

The fact that there have been 6 months of dead air in this discussion indicates that we are not in any way "going through this process together".

[lucassith]

Of course not, they deprectated passport.js extensions simply because they don't want to maintain it anymore and they don't care.

Pure Microsoft's thinking.

[ethanherbertson]

Does anyone have a link to an explanation of why this package was deprecated? Like, are there known vulnerabilities? Or is it just deprecated because it's abandonware and it therefore should not be trusted?

[ethanherbertson]

It seems like a very bad break from best practices to "deprecate" a node module without actually deprecating it in npm, especially when it's still being downloaded ~150k a week.

[ethanherbertson]

Probably also should be deprecated or removed from the PassportJS website's list of strategies, too.

[ethanherbertson]

It is especially bad in this case, because it's not even clear (to outsiders, at least) what the canonical repository even is for pasport-azure-ad at this point.

NPM & package.json both reference AzureAD/microsoft-authentication-library-for-js as the repo, but that project does not contain the source code on its default branch—and the branches I've found that do contain the source code there do not contain the README "deprecation notice".

Finding AzureAD/passport-azure-ad—which is what I currently assume to be canonical—is not exactly difficult via Google or GitHub searches, but without the direct links that are most trusted by the users I don't know how many people would actually do so.

Meanwhile, this discussion thread, linked to by the notice, is in a third repository. As an outsider I don't understand how this repository even relates to the other two, except that presumably it is (was?) a handy high-traffic project by the same group of developers, that they were assuming would be the place where they would eventually release the replacement.

[ethanherbertson]

If MS doesn't want to support the module, @jennyf19, would they be willing to hand over control to the community that's still relying on it? Without a public timeline or at least limited support for security updates, the only responsible thing for the userbase to do is to abandon the use of the module, and pivot to either a different language or a different identity platform altogether... but at the moment they're not even being informed of the deprecation in the first place.

Meanwhile, are there any other devs/contributors who could answer some of these questions? I don't really want to just randomly @ people but I feel somewhat duty-bound to do something in the name of all those many thousands of downloaders who have not and will not notice that they're using an unsupported & "deprecated" security module. This isn't how you OSS.

[ethanherbertson]

Occurred to me that this particular concern is perhaps better addressed via an issue, so I filed one. (#2847)

[mccolljr]

@jennyf19 are you or anyone else able to speak to progress that has been made?

[RomanKonopelkoVoypost]

@jennyf19 Randomly seeing the npm package of passport-azure-ad as deprecated killed me. I see that this message hangs for one year almost. So, is there any updates? And what is the current solution for the developers that has been using passport-azure-ad until getting surprised by npm deprecate warning?