Support for Azure AD authentication #53
Comments
@kamilmysliwiec looks like because of this block and the way the NestJS Passport wrapper works, passport-azure-ad cannot populate proper arguments to the "verify" (aka "validate") method, because the "arity" (number of verify function arguments) will be calculated as 0 :( in here: https://github.com/AzureAD/passport-azure-ad/blob/96c7a193737f03a270b4eb0d99ce2d59256da9a9/lib/oidcstrategy.js#L109

```typescript
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { OIDCStrategy } from 'passport-azure-ad';
import { configService } from '../config/config.service';
import { ProfileProvider } from '../user/user.types';
import { AuthService } from './auth.service';

@Injectable()
export class AzureAdStrategy extends PassportStrategy(OIDCStrategy, 'azure-ad') {
  constructor(private readonly authService: AuthService) {
    super(configService.getAzureAdConfig());
  }

  // Intended six-argument verify signature (passReqToCallback: false).
  // The NestJS mixin forwards arguments through a rest-parameter callback,
  // so passport-azure-ad measures arity 0 and calls (profile, done) instead.
  async validate(iss, sub, profile, accessToken, refreshToken, done: Function) {
    try {
      const jwt: string = await this.authService.handleOAuthLogin(
        accessToken,
        refreshToken,
        profile.id,
        ProfileProvider.AZURE_AD,
      );
      done(null, { jwt });
    } catch (err) {
      console.log('Azure AD Strategy failure', err);
      done(err, false);
    }
  }
}
```

Using the above class, the first argument is either the request (if passReqToCallback: true) or the profile object, and the last argument is the "done" function. Neither "profile" nor "request" contains the accessToken or refreshToken 🤔 Is it possible to work around this somehow? Like directly registering Azure AD with passport as a quick fix for now?
@aramalipoor In case you're still stuck around this, I'm following a solution where you can hack a custom callback function based on this issue:
Thanks @llhupp, I ended up directly providing the callback function instead of using the NestJS strategy:

```typescript
import passport from 'passport';
import { Injectable, OnModuleInit } from '@nestjs/common';
import { OIDCStrategy } from 'passport-azure-ad';
import { configService } from '../config/config.service';
import { ProfileProvider } from '../user/user.types';
import { AuthService } from './auth.service';

@Injectable()
export class AzureadStrategy extends OIDCStrategy implements OnModuleInit {
  // Register the strategy with passport directly once the module is ready,
  // bypassing the @nestjs/passport mixin.
  onModuleInit() {
    passport.use('azuread', this);
  }

  constructor(private readonly authService: AuthService) {
    super(
      configService.getAzureadConfig(),
      // Explicit six-parameter verify callback, so passport-azure-ad
      // detects the arity it expects and passes the tokens through.
      (iss, sub, profile, accessToken, refreshToken, done) => {
        try {
          return this.authService
            .handleOAuthLogin(
              accessToken,
              refreshToken,
              profile.oid,
              ProfileProvider.AZUREAD,
            )
            .then(jwt => {
              done(null, { jwt });
            })
            .catch(err => {
              console.log('Azure AD Strategy failure 1', err);
              done(err, false);
            });
        } catch (err) {
          console.log('Azure AD Strategy failure 2', err);
          done(err, false);
          return err;
        }
      },
    );
  }
}
```
FYI, I made a proposal to passport-azure-ad to explicitly set the verify callback signature. With that PR, setting:

```typescript
import { Injectable } from '@nestjs/common';
import { ModuleRef } from '@nestjs/core';
import { PassportStrategy } from '@nestjs/passport';
import { OIDCStrategy } from 'passport-azure-ad';

@Injectable()
export class AzureAdStrategy extends PassportStrategy(OIDCStrategy) {
  constructor(private readonly moduleRef: ModuleRef) {
    super({
      ...
      passReqToCallback: true,
      // Proposed option: declare the verify arity explicitly (the eight named
      // parameters of validate below) instead of relying on Function.length.
      verifyArity: 8,
    });
  }

  // RequestUser is the application's own user type.
  async validate(
    request, iss, sub, profile, jwtClaims, access_token, refresh_token, params
  ): Promise<RequestUser | null> {
    ...
  }
}
```
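As an added example (not code from nestjs/passport, passport-azure-ad, or the project in this thread), the following TypeScript models the problem the comments above describe and both fixes: a rest-parameter wrapper reports `Function.length` of 0, so arity-based dispatch falls back to `(profile, done)`; declaring the six parameters explicitly restores the tokens; and an explicit arity option (standing in for the proposed `verifyArity`) does the same for the wrapped callback. `dispatchByArity`, `restWrapper`, `explicitArity6`, `argsSeenBy`, `accessTokenSeen`, and the `SAMPLE` values are assumptions of this simplified model; the real strategy's switch has more branches and different internals.

```typescript
type Done = (err: Error | null, user?: unknown) => void;
type Verify = (...args: unknown[]) => void;

// Constructed sample values standing in for what the real strategy receives.
const SAMPLE = {
  iss: 'https://login.microsoftonline.com/example-tenant/v2.0',
  sub: 'sample-subject',
  profile: { oid: 'sample-oid', displayName: 'Sample User' },
  accessToken: 'sample-access-token',
  refreshToken: 'sample-refresh-token',
};

// Simplified model of the strategy's dispatch (an assumption, not library
// code): pick the argument list from the callback's declared length, with a
// (profile, done) fallback for any length it does not recognise. The optional
// verifyArity stands in for the explicit-arity option proposed in the thread.
function dispatchByArity(verify: Verify, done: Done, verifyArity?: number): void {
  const { iss, sub, profile, accessToken, refreshToken } = SAMPLE;
  const arity = verifyArity ?? verify.length;
  switch (arity) {
    case 6:
      verify(iss, sub, profile, accessToken, refreshToken, done);
      break;
    case 4:
      verify(iss, sub, profile, done);
      break;
    case 3:
      verify(iss, sub, done);
      break;
    default:
      // A rest-parameter wrapper has length 0 and lands here: no tokens.
      verify(profile, done);
  }
}

// Mimics the mixin behaviour described in the thread: every argument is
// forwarded through a rest-parameter function whose .length is 0.
function restWrapper(validate: Verify): Verify {
  return (...args: unknown[]) => validate(...args);
}

// Workaround from the thread: declare exactly the six parameters the
// strategy should see, so .length is 6 and the tokens are delivered.
function explicitArity6(validate: Verify): Verify {
  return function verify(
    iss: unknown, sub: unknown, profile: unknown,
    accessToken: unknown, refreshToken: unknown, done: unknown,
  ): void {
    validate(iss, sub, profile, accessToken, refreshToken, done);
  };
}

// Runs the dispatch with a recording validate() and returns the argument
// list it actually received; `done` is always the last entry.
function argsSeenBy(wrap: (v: Verify) => Verify, verifyArity?: number): unknown[] {
  let seen: unknown[] = [];
  const validate: Verify = (...args: unknown[]) => { seen = args; };
  dispatchByArity(wrap(validate), () => undefined, verifyArity);
  return seen;
}

// Returns the access token only when the full six-argument form arrived.
function accessTokenSeen(args: unknown[]): unknown {
  return args.length === 6 ? args[3] : undefined;
}
```

Running `argsSeenBy(restWrapper)` yields just `[profile, done]`, which is the behaviour reported at the top of the thread; `argsSeenBy(explicitArity6)` and `argsSeenBy(restWrapper, 6)` both yield the six-argument form with the access and refresh tokens in positions 3 and 4.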
Expected behavior
Validate jwt token using Azure AD.