Azure Active Directory OIDC Web Sample
This sample demonstrates how to set up OpenId Connect authentication in a web application built using Node.js with Express. The sample is designed to run on any platform.
To run this sample you will need the following:
Install Node.js from http://nodejs.org/
An Azure AD tenant. If you're not sure what a tenant is or how you would get one, read How to get an Azure AD tenant.
Register the sample in your Azure AD tenant
Sign in to the Azure portal.
On the top bar, click on your account, and then on Switch Directory. Once the Directory + subscription pane opens, choose the Active Directory tenant where you wish to register your application.
Click on All services in the left-hand nav, and choose Azure Active Directory.
Click on App registrations and choose New application registration.
Enter a friendly name for the application, for example 'Webapp-Openidconnect' and select 'Web app / API' as the Application Type.
For the sign-on URL, enter the base URL for this sample which is
Click Create to create the application.
In the succeeding page, Find the Application ID value and record it for later. You'll need it to configure the client ID in the application.
Under Settings, choose Properties and update the App ID URI which is a unique identifier for your app. It is of the format 'https://<your_tenant_name>/<app_name>' replacing
<your_tenant_name>with the name of your Azure AD tenant. For example:
Under Settings, click on Reply URLs and set it to
http://localhost:3000/auth/openid/returnwhich this sample uses by default.
From the Settings menu, choose Keys and add a new entry in the Password section:
- Type a key description (for instance 'app secret'),
- Select a key duration of either In 1 year, In 2 years, or Never Expires.
- When you save this page, the key value will be displayed. Copy, and save the value in a safe location.
- You'll need this key later to configure the client secret in the app. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
Download the sample application and modules
Next, clone the sample repo and install the NPM modules.
From your shell or command line run:
$ git clone email@example.com:AzureADQuickStarts/WebApp-OpenIDConnect-NodeJS.git
$ git clone https://github.com/AzureADQuickStarts/WebApp-OpenIDConnect-NodeJS.git
From the project root directory, run the command:
$ npm install
Configure the application
Provide the parameters in
exports.creds in config.js as instructed.
exports.identityMetadatawith the Azure AD tenant name of the format *.onmicrosoft.com.
exports.clientIDwith the Application Id noted from app registration.
exports.clientSecretwith the Application key noted from app registration.
exports.redirectUrlwith the Reply URL noted from app registration.
Optional configuration for production apps:
exports.destroySessionUrlin config.js, if you want to use a different
exports.useMongoDBSessionStorein config.js to true, if you want to use use mongoDB or other compatible session stores. The default session store in this sample is
express-session. Note that the default session store is not suitable for production.
exports.databaseUri, if you want to use mongoDB session store and a different database URI.
exports.mongoDBSessionMaxAge. Here you can specify how long you want to keep a session in mongoDB. The unit is second(s).
Build and run the application
Start mongoDB service. If you are using mongoDB session store in this app, you have to install mongoDB and start the service first. If you are using the default session store, you can skip this step.
Run the app using the following command from your command line.
$ node app.js
Is the server output hard to understand?: We use
bunyan for logging in this sample. The console won't make much sense to you unless you also install bunyan and run the server like above but pipe it through the bunyan binary:
$ npm install -g bunyan $ node app.js | bunyan
You will have a server successfully running on
Community Help and Support
We use Stack Overflow with the community to provide support. We highly recommend you ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-active-directory].
If you find a bug or issue with this sample, please raise the issue on GitHub Issues.
For issues with the passport-azure-ad library, please raise the issue on the library GitHub repo.
If you'd like to contribute to this sample, please follow the GitHub Fork and Pull request model.
This library controls how users sign-in and access services. We recommend you always take the latest version of our library in your app when possible.
If you find a security issue with our libraries or services please report it to firstname.lastname@example.org with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
We would like to acknowledge the folks who own/contribute to the following projects for their support of Azure Active Directory and their libraries that were used to build this sample. In places where we forked these libraries to add additional functionality, we ensured that the chain of forking remains intact so you can navigate back to the original package. Working with such great partners in the open source community clearly illustrates what open collaboration can accomplish. Thank you!
About The Code
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License (the "License");