Current configuration:

        identityMetadata:
          "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
        clientID: secretsService.get("microsoft", "clientid"),
        loggingLevel: "error",
        allowMultiAudiencesInToken: true,
        // With the /common metadata endpoint, validateIssuer: false means tokens
        // issued by any tenant are accepted (the library's multi-tenant setting).
        validateIssuer: false,
        tenantIdOrName: secretsService.get("microsoft", "tenantid"),
        passReqToCallback: true,
        clientSecret: secretsService.get("microsoft", "secret"),
        responseType: "code",
        responseMode: "query",
        redirectUrl: "https://localhost:3000/auth/microsoft/redirect",
        // session: false + useCookieInsteadOfSession: true keeps the login state
        // in an encrypted cookie, which is why cookieEncryptionKeys is required.
        session: false,
        useCookieInsteadOfSession: true,
        cookieEncryptionKeys: [
          {
            key: secretsService.get("app", "encryptionkey"), // 32-byte key
            iv: secretsService.get("app", "iv"),             // 12-byte iv
          },
        ],

Temporary keys for testing that I made up:

    "app": {
      "encryptionkey": "214125442A472D4B6150645267556B58",
      "iv": "kXp2s52534v8"
    }

and my cookie-parser middleware:

    // inside the NestJS module's configure(consumer: MiddlewareConsumer)
    consumer.apply(cookieParser()).forRoutes("*");

I've also tried passing the key to the cookie parser as the secret, but I'm pretty sure that's not the intended use.

The redirect never happens after login but on the node console I can see default values for the token, such as:

 oid: undefined,
  upn: undefined,
  displayName: undefined,
  name: {
    familyName: undefined,
    givenName: undefined,
    middleName: undefined
  },

Now I feel like I'm clearly missing something about how you're supposed to configure and generate those cookie encryption keys, or it is simply a bit backwards.

  • Do I have to generate the key myself using the same passphrase as the cookie-parser middleware is using and provide it there?
  • I see passport-azure-ad is using a specific AES algorithm that wants 32 bit keys with a 12 bit iv; don't I need to also somehow enforce this with cookie-parser so that they match?
  • What about the iv, doesn't that need to change often? Do I now have to manage this whole infrastructure just to get this working for the cookie flow?
SebastianG

0 Answers