9

We're moving an app from "Sign-In with Google" to "Sign-In with Microsoft". It is an SPA, but queries an API for data. The client-side is all working using MSAL v2 (msal-browser.min.js), and we can sign in and out just fine.

When we send requests to the server, we send the JWT ID token. The server is a NodeJS API.

I can't see any Microsoft server-side Node library that has a 'verify' method we can use to validate the ID token from the client.

We've been looking at @azure/msal-node and @azure/msal-common, but can't see anything that we can feed the ID token to, to verify that the token is valid, and that the user is logged in.

We want to return 'unauthorised' from the API if the user is not logged in.

With Google, this was easy, we used google-auth-library like this:

const client = new OAuth2Client(googleClientId)
const ticket = await client.verifyIdToken({ idToken: googleIdToken, audience: googleClientId })
const payload = ticket.getPayload() // jwt payload

I hope the Microsoft equivalent is just hard to find, or it's not and I'm just being silly in not finding it.

Is there a Node library that provides a way to verify an MSAL ID token, which confirms the token is valid and that the user is signed in...?

Stephen Last
  • 5,491
  • 9
  • 44
  • 85

3 Answers3

7

MSAL Node is for acquiring tokens so clients can access protected resources, not for validating tokens in your API. I don't think Microsoft currently provides any Node libraries for validating tokens, but you can use jsonwebtoken instead.

There is a code sample in the MSAL Node library that shows how to validate certain claims in tokens.

If you are curious what the steps to validate an Azure AD JWT are in more detail, I wrote an article that walks through the various steps. The code sample is written in Java, but all of the steps are applicable to Node as well.

sgonzalez
  • 741
  • 6
  • 20
1

We follow the same process flow and currently use azure-ad-jwt-v2, which verifies the token on the server that was sent from the front end. Hope that helps!

northman
  • 31
  • 3
  • Any issues with the library needing to download certificates on every request? "Currently the version is not using caching, which means the certificates will be downloaded from Mirosoft with every verification request." – Rex Aug 09 '23 at 00:13
-2

I had a similar issue and found this library. It was published 2 months ago according to Npmjs.

Edit:

In response to comments, for this package to consider a msal token as valid, it does the following :

  • Verify if all required props are passed in.

  • Decode the token using the jsonwebtoken library.

  • Send a request to https://login.microsoftonline.com/{tenantId}/discovery/keys?appid={applicationId} to receive all public keys unique to your applicationId and tenantId. This action is cached after one successful attempt.

  • Verify all required access token claims: aud, tid,iss,scp, appid, exp.

  • If the comparison succeeds, the token is valid.

This and more info on what the package does to validate an Azure AD Token can be found here

Please note that validate means that all the prvious steps have been successful

Angel Rafael
  • 40
  • 4
  • 1
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/34534884) – Whit Waldo Jun 16 '23 at 19:59
  • 2
    Don't use this package, it does not validate the token's signature, you can make a token manually and it'll get accepted easily – rootKitty Jul 03 '23 at 13:24