Access token authentication #863

Merged
merged 1 commit into from
Mar 16, 2019

@Hadis-Knj Hadis-Knj commented Feb 8, 2019

Fixes #745.

@arthurschreiber
Collaborator

arthurschreiber commented Feb 9, 2019

@Hadis-Fard for CI, can you generate an access token that has no expiration date? 🤔 If that's possible, we can add another build step similar to the existing Azure steps by specifying the token via an environment variable.

@arthurschreiber arthurschreiber changed the title feat: access token authentcation feat: access token authentication Feb 9, 2019
@arthurschreiber arthurschreiber changed the title feat: access token authentication Access token authentication Feb 10, 2019
@Hadis-Knj
Author

@arthurschreiber sure thing! 😃

@lenisha

lenisha commented Mar 15, 2019

Hi guys, release please???

This adds a new authentication type called `azure-active-directory-access-token` which allows authenticating against an Azure SQL Database via a previously generated authentication token (e.g. via the `node-adal` library).

Example configuration:

```json
{
  "server": "some.database.windows.net",
  "authentication": {
    "type": "azure-active-directory-access-token",
    "options": {
      "token": {
        "accessToken": "...token..."
      }
    }
  }
}
```
@arthurschreiber arthurschreiber merged commit 88d9d80 into tediousjs:master Mar 16, 2019
@arthurschreiber
Collaborator

🎉 This PR is included in version 6.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@Praveenpvs

Hi Team,
I am trying to connect to Azure SQL DB with token based auth (azure-active-directory-access-token). Getting the error "Security token could not be authenticated or authorized". With the same generated token, I am able to execute queries through .Net Client. So, there is no issue with the token or the database user account mapped to Azure AD app.

Below is my connection config. Is there anything that I am missing or due to a bug?
Using the latest library (6.1.0)

```js
var tokenConfig = {
    server: "my server xxx",
    authentication: {
        type: "azure-active-directory-access-token",
        options: {
            token: "eyJaxxxx..."
        }
    },
    options: {
        database: 'demodb1'
    }
}
```

One question related to the Connection.Js file (Line#2052 or near, in the call context.acquireTokenWithUsernamePassword(..)):

  1. clientId is hard coded
  2. 'azure-active-directory-password' and 'azure-active-directory-access-token' are same? Even if we use 'azure-active-directory-access-token', in the above acquireTokenWithUsernamePassword, parameters like userName, Password are being passed.

Can you please share your inputs on this?

Thanks, Praveen

@arthurschreiber
Collaborator

Hey @Praveenpvs

Sorry for the trouble. I think the issue you’re running into is the bug described and fixed in #888.

A new release containing the fix will be pushed into the ‘next’ release channel shortly.

@Praveenpvs

Hi Arthur!
Just looked into the commit #888. I believe the fix is not complete.

  1. In the case of SENT_LOGIN7_WITH_FEDAUTH, there is a call to acquireTokenWithUsernamePassword which I see as incorrect, because there won't be any user Id or password to be passed. All we have is a token.
    Reference Link:
    SENT_LOGIN7_WITH_FEDAUTH: {

So, can you please check again?

Thanks, Praveen

@MichaelSun90
Contributor

Hi @Praveenpvs
This state will not be triggered if you are using "azure-active-directory-access-token" as authentication.type. If you are using "azure-active-directory-password", then the logic will go here, then you will need to provide the username and password.

@Praveenpvs

Correct, thanks Michael. It's working fine for me now.
Appreciate the quick fix!

@MichaelSun90
Contributor

No problem, glad to help.

@kandasj

kandasj commented Nov 21, 2019

Hi there
I'm getting the following error
```
message: 'Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.',
code: 'ELOGIN' }
```
my debug message looks like this
```
debug: connected to sqlserver-datateam-datawarehouse-prod.database.windows.net:1433
debug: State change: Connecting -> SentPrelogin
debug: State change: SentPrelogin -> SentTLSSSLNegotiation
debug: TLS negotiated (ECDHE-RSA-AES256-GCM-SHA384, TLSv1/SSLv3)
debug: State change: SentTLSSSLNegotiation -> SentLogin7WithStandardLogin
{ ConnectionError: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
    at ConnectionError (/Users/kandasj/development/CRISP-graphql/node_modules/tedious/lib/errors.js:13:12)
    at Parser.tokenStreamParser.on.token (/Users/kandasj/development/CRISP-graphql/node_modules/tedious/lib/connection.js:818:51)
    at Parser.emit (events.js:198:13)
    at Parser.parser.on.token (/Users/kandasj/development/CRISP-graphql/node_modules/tedious/lib/token/token-stream-parser.js:33:14)
    at Parser.emit (events.js:198:13)
    at addChunk (/Users/kandasj/development/CRISP-graphql/node_modules/readable-stream/lib/_stream_readable.js:297:12)
    at readableAddChunk (/Users/kandasj/development/CRISP-graphql/node_modules/readable-stream/lib/_stream_readable.js:279:11)
    at Parser.Readable.push (/Users/kandasj/development/CRISP-graphql/node_modules/readable-stream/lib/_stream_readable.js:240:10)
    at Parser.Transform.push (/Users/kandasj/development/CRISP-graphql/node_modules/readable-stream/lib/_stream_transform.js:139:32)
    at doneParsing (/Users/kandasj/development/CRISP-graphql/node_modules/tedious/lib/token/stream-parser.js:114:14)
  message: 'Login failed for user \'NT AUTHORITY\\ANONYMOUS LOGON\'.',
  code: 'ELOGIN' }
debug: State change: SentLogin7WithStandardLogin -> Final
debug: connection to sqlserver-datateam-datawarehouse-prod.database.windows.net:1433 closed
debug: State is already Final
```

this is my actual code
```js
const axios = require('axios');
const qs = require('qs');

axios.defaults.headers.post['Content-Type'] =
  'application/x-www-form-urlencoded';

// let token = '';
var Connection = require('tedious').Connection;
var Request = require('tedious').Request;

// Note: TOKEN_ENDPOINT and postData are not defined in the posted snippet.
async function getToken(name) {
  try {
    let response = await axios.post(TOKEN_ENDPOINT, qs.stringify(postData));
    return await response.data;
  } catch (err) {
    console.error(err);
  }
}

(async () => {
  let token = await getToken()
  console.log(token)
  var config1 = {
    server: "xxxxx.database.windows.net",
    authentication: {
      type: "azure-active-directory-access-token",
      options: {
        token:token.access_token
      }
    },
    options: {
      encrypt: true,
      database: 'loading'
    }
  };
  var connection = new Connection(config1);
  connection.on('debug', function(message) {
    console.log('debug:', message);
  });
  connection.on('connect', function(err) {
    if (err) {
      console.error(err);
    } else {
      console.log('efewf')
    }
  });
})();
```

could anybody help?

@MichaelSun90
Contributor

Hi @kandasj, I am not sure whether the response to your axios request has the same structure as mine. If you have the same response structure as mine, what you can do is change the line "token:token.access_token" to "token:token.accessToken". Hope this helps.

The response on my side is an object like this:
```
{
  _authority:
  _clientId:
  accessToken:
  expiresIn:
  expiresOn:
  isMRRT:
  isUserIdDisplayable:
  oid:
  refreshToken:
  resource:
  tenantId:
  tokenType:
  userId:
}
```
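
The last exchange turns on which field of the token response holds the token (`access_token` vs `accessToken`). As an added example (not part of the thread and not tedious code), here is a pre-flight check that extracts the token from either response shape and fails closed if it is missing, expired or issued for another resource. The helper names, the sample token and the expected audience `https://database.windows.net/` are assumptions.

```javascript
// Added example: validate a token response before building the connection config.
// SQL_AUDIENCE and all helper names are assumptions, not part of the tedious API.
const SQL_AUDIENCE = 'https://database.windows.net/';

// Accept both response shapes seen in the thread: `accessToken` (adal-style
// object) and `access_token` (raw OAuth2 token endpoint response).
function extractAccessToken(response) {
  const token = response && (response.accessToken || response.access_token);
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('token response has no accessToken/access_token string');
  }
  return token;
}

// Decode the JWT payload WITHOUT verifying the signature. This is a local
// sanity check only; the server remains the party that validates the token.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns a list of problems; an empty list means the token looks usable.
function preflight(response, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(extractAccessToken(response));
  const problems = [];
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('expired');
  const aud = String(claims.aud || '').replace(/\/$/, '');
  if (aud !== SQL_AUDIENCE.replace(/\/$/, '')) problems.push('wrong audience');
  return problems;
}

// Constructed sample token (unsigned, fake values) so the example runs offline.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}

const sample = { access_token: makeSampleJwt({ aud: SQL_AUDIENCE, exp: 2000000000 }) };
console.log(preflight(sample, 1574294400)); // log the findings, never the token itself
```

Running the check before `new Connection(...)` turns an `undefined` token into an immediate local error instead of a server-side login failure, and keeps the token itself out of debug output.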


Successfully merging this pull request may close these issues.

Support for AccessToken?