Implement Azure Active Directory authentication for enterprise AD logins #266

Closed
sudheesh001 opened this issue Sep 22, 2016 · 2 comments

@sudheesh001
Contributor

@sudheesh001 sudheesh001 commented Sep 22, 2016

Feature request

The authentication for Azure Active Directory should be fairly similar to the one in Office 365, except that the modifications should be as follows.

// azuread.js
'use strict';

// bell custom provider: the tenant selects the Azure AD authority
// ('common' is the multi-tenant endpoint, a tenant id pins a single directory)
exports = module.exports = function (options) {
    options = options || {};
    const tenantId = options.tenant || 'common';

    return {
        protocol: 'oauth2',
        useParamsAuth: true,
        auth: 'https://login.microsoftonline.com/' + tenantId + '/oauth2/authorize',
        token: 'https://login.microsoftonline.com/' + tenantId + '/oauth2/token',
        scope: ['openid', 'offline_access', 'profile'],
        profile: function (credentials, params, get, reply) {

            // get() is bell's authenticated request helper for the provider
            get('https://login.microsoftonline.com/' + tenantId + '/openid/userinfo', null, (profile) => {

                // map the Azure AD v1 claims onto bell's flat profile shape
                credentials.profile = {
                    id: profile.oid,
                    displayName: profile.name,
                    email: profile.upn,
                    raw: profile
                };
                return reply();
            });
        }
    };
};

and the example should look something like this

server.auth.strategy('azuread', 'bell', {
    provider: 'azuread',
    password: 'cookie_encryption_password_secure',
    clientId: 'bdXXXXXX-5XXX-4XXX-aXXX-6XXXXXXXX9',
    clientSecret: 'mjXXXXXXXXXXXXXEe+l3XXXXXXXXXXXXkh8=',
    tenantId: 'XXXXXX-YYYYYY-XXXXXXXXXX-YYYYYYYYYY-ZZZZZZZ',
    providerParams: {
        response_type: 'code'
    },
    scope: ['openid', 'offline_access', 'profile'],
    isSecure: false // state cookie without the Secure flag; only for local non-HTTPS testing
});

When I try to fix this and use it I receive an error as follows

FATAL CLI ERROR TypeError: Cannot read property 'call' of undefined

I would love to make the patch for this if someone could help me through in patching this.

I've currently put the code above into office365.js and have successfully obtained an authentication response, with the credentials.profile object as follows:

{ 
  id: '5XXXXXX-8XXX-4XXX-bXXX-aXXXXXXXX',
  displayName: 'Sudheesh Singanamalla',
  email: 'susingan@microsoft.com',
  raw:
   { amr: '["rsa","mfa"]',
     family_name: 'Singanamalla',
     given_name: 'Sudheesh',
     in_corp: 'true',
     ipaddr: 'AAA.AAA.AAA.AAA',
     name: 'Sudheesh Singanamalla',
     oid: '5XXXXXX-8XXX-4XXX-bXXX-aXXXXXXXX',
     onprem_sid: 'SXXXXXXXX77XXXXXXXXXXXXXXXXXXX7-2XXXX3',
     sub: 'gJXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXB4',
     tid: '7XXXXXXX-8XXX-4XXX-9XXX-2XXXXXXXXXX',
     unique_name: 'susingan@microsoft.com',
     upn: 'susingan@microsoft.com',
     ver: '1.0' 
   } 
}
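The provider object sketched in the issue is what bell hands its OAuth2 flow: the authority URLs are built from the tenant, and `profile` is called with an authenticated `get` helper to turn the userinfo response into `credentials.profile`. The following is an added example, not bell's own azuread module or the author's patch. It keeps that provider shape and adds the check a practitioner will want once the tenant is configurable: when a specific tenant id is set, a userinfo response whose `tid` belongs to a different tenant is refused instead of mapped (the `common` authority is multi-tenant, so the application itself has to decide which tenants it trusts). The names `azureAdProvider`, `mapProfile`, `stubGet` and `runProfile`, the sample userinfo response, and passing an `Error` to the reply callback on mismatch are all assumptions made for illustration; the stub replaces the network call so the block runs offline.

```javascript
'use strict';

// Added example, not bell's own azuread module. It keeps the provider shape
// from the issue (protocol / auth / token / scope / profile) and adds a tenant
// check on the claims returned from the userinfo endpoint. The names below and
// the convention of passing an Error to `reply` on mismatch are assumptions.

const AUTHORITY = 'https://login.microsoftonline.com/';

function azureAdProvider(options) {
    options = options || {};
    const tenant = options.tenant || 'common';

    return {
        protocol: 'oauth2',
        useParamsAuth: true,
        auth: AUTHORITY + tenant + '/oauth2/authorize',
        token: AUTHORITY + tenant + '/oauth2/token',
        scope: ['openid', 'offline_access', 'profile'],
        profile: function (credentials, params, get, reply) {

            get(AUTHORITY + tenant + '/openid/userinfo', null, (profile) => {

                // 'common' is the multi-tenant authority: users from any Azure AD
                // tenant can complete the flow, so only the application can decide
                // which `tid` values it trusts. When a single tenant is configured,
                // refuse a profile issued for a different one instead of mapping it.
                if (tenant !== 'common' && profile.tid !== tenant) {
                    return reply(new Error('userinfo tenant ' + profile.tid +
                        ' does not match configured tenant ' + tenant));
                }

                credentials.profile = mapProfile(profile);
                return reply();
            });
        }
    };
}

// Maps Azure AD v1 claims onto the flat profile shape used in the issue, keeping
// the tenant id next to the user id so later authorization can key on both.
function mapProfile(profile) {
    return {
        id: profile.oid,
        displayName: profile.name,
        email: profile.upn,
        tenant: profile.tid,
        raw: profile
    };
}

// Constructed sample userinfo response: the claim names from the issue with
// placeholder values (this is made-up data, not a captured response).
const SAMPLE_USERINFO = {
    amr: '["rsa","mfa"]',
    family_name: 'Example',
    given_name: 'Alice',
    name: 'Alice Example',
    oid: '00000000-0000-4000-8000-000000000001',
    sub: 'sub-placeholder',
    tid: '11111111-1111-4111-8111-111111111111',
    unique_name: 'alice@example.com',
    upn: 'alice@example.com',
    ver: '1.0'
};

// Offline stand-in for the `get(uri, params, callback)` helper that bell passes
// to `profile`; it answers every request with the canned response.
function stubGet(response) {
    return function (uri, params, callback) {
        callback(response);
    };
}

// Drives the profile step with the stub and reports what the provider did.
function runProfile(provider, userinfo) {
    const credentials = {};
    let error = null;
    provider.profile(credentials, {}, stubGet(userinfo), (err) => {
        error = err || null;
    });
    return { credentials: credentials, error: error };
}

module.exports = { azureAdProvider, mapProfile, runProfile, SAMPLE_USERINFO };
```

Usage: `runProfile(azureAdProvider({ tenant: SAMPLE_USERINFO.tid }), SAMPLE_USERINFO)` yields a populated `credentials.profile` with no error, while configuring any other tenant id against the same response yields an error and leaves `credentials.profile` unset; `azureAdProvider()` with no tenant falls back to `common` and accepts the response. In a real deployment the `get` stub is replaced by bell's helper, and the tenant list an application trusts under `common` is a policy decision the provider cannot make for it.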
@ldesplat


Contributor

@ldesplat ldesplat commented Sep 22, 2016

Ok, so looks like Microsoft is trying to standardize their endpoints here with the tenant stuff. I wonder if live has switched to using this type as well. Very confusing to somebody not in their ecosystem.

I wonder why the office365 provider is using outlook.office.com for the profile information. Must have some different type of information or they must not have these new endpoints at the time.

Looks like we should have a Microsoft Online provider much like you implemented it. Do you have any insights on what I said above?

We would greatly welcome a PR. BTW, in the meantime you can always make your own custom provider, it does not have to be part of this library. What specifically do you need help with? I am not so sure what your error refers to, without looking at your code. You can fork this repository with github and then commit your code there. I can take a look then.

@ldesplat ldesplat added this to the 9.0.0 milestone Sep 22, 2016
sudheesh001 added a commit to sudheesh001/bell that referenced this issue Sep 23, 2016
…dule

Signed off by: Sudheesh Singanamalla <susingan@microsoft.com>
@sudheesh001


Contributor Author

@sudheesh001 sudheesh001 commented Sep 23, 2016

From a look at their documentation, it looks like they're using Azure AD itself for Office 365, except that in place of a tenant ID it becomes `common`, taking them to the public Office 365.

I am not really sure who I can reach out to in the Office 365 team, but I can surely send out a mail and loop them in on this. From the looks of it, it's just a modified version of the azure-ad provider, just a little less complex, i.e. it doesn't need a tenant ID.

I've sent out the pull request for the azuread module; I'd love some help in enhancing it and writing tests for the same.

sudheesh001 added a commit to sudheesh001/bell that referenced this issue Sep 27, 2016
…dule

Signed off by: Sudheesh Singanamalla <susingan@microsoft.com>
@ldesplat ldesplat closed this in 9e61294 Oct 4, 2016
ldesplat added a commit that referenced this issue Oct 4, 2016
Fixes #266 Implements azure active directory as bell azuread module
@hueniverse hueniverse modified the milestones: 8.4.0, 9.0.0 Dec 1, 2016
@Marsup Marsup removed the request label Sep 20, 2019