This issue is for a:
- [ X ] documentation issue or request
I've been able to implement the 'sign in' logic within this repo.
But now I want to authenticate subsequent calls to my web app's API, i.e. my Express app's routes.
This repo doesn't seem to cover how to do this.
Below is a summary of what I have done so far.
Firstly, I followed the steps in this article to create the B2C tenant:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
To summarise, the steps are:
- Go to Azure Portal
- Create a B2C Tenant
- Create User Flows
- Register Application (and define the redirect URL as http://localhost:3000/redirect)
Then I followed the logic within this repo, which essentially sets up an Express app with:
- express-session
- msal-node
- Some routes
I am using my own simple template engine, but could deconstruct the logic in this repo for my own implementation.
So this is what I have so far:
- When a user visits localhost:3000, a page is returned with a link to 'signin'.
- When a user clicks on the signin link, the following route handles it:
```js
app.get('/signin', (req, res) => {
  // Initiate the auth code flow against the sign-up/sign-in policy for sign-in.
  // No scopes passed: openid, profile and offline_access are used by default.
  getAuthCode(process.env.SIGN_UP_SIGN_IN_POLICY_AUTHORITY, [], APP_STATES.LOGIN, res);
});
```
- The user signs in, and the redirect URL is handled by the following route (truncated below to make the logic clearer):
```js
app.get('/redirect', (req, res) => {
  // Determine why the request was sent by checking the state parameter.
  if (req.query.state === APP_STATES.LOGIN) {
    // Prepare the request for authentication: exchange the auth code for tokens.
    tokenRequest.code = req.query.code;
    confidentialClientApplication.acquireTokenByCode(tokenRequest).then((response) => {
      // Keep the account and ID token server-side in the express-session store.
      req.session.sessionParams = { user: response.account, idToken: response.idToken };
      // Note: this logs the raw token response (including tokens) to stdout.
      console.log("\nAuthToken: \n" + JSON.stringify(response));
      // Replacing this because I am using my own template system:
      // res.render('signin', { showSignInButton: false, givenName: response.account.idTokenClaims.given_name });
      res.render('index', { page_html: page_html, givenName: response.account.idTokenClaims.given_name });
    }).catch((error) => {
      console.log("\nErrorAtLogin: \n" + error);
      res.status(500).send('Sign-in failed'); // send a response so the request does not hang
    });
  } else if (req.query.state === APP_STATES.PASSWORD_RESET) {
    ...
  } else if (req.query.state === APP_STATES.EDIT_PROFILE) {
    ...
  }
});
```
For reference, the format of the redirect URL in the address bar is:
http://localhost:3000/redirect?state=login&client_info=LOTS-OF-STUFF-P1&code=LOTS-OF-STUFF-P2..LOTS-OF-STUFF-P3.LOTS-OF-STUFF-P4.LOTS-OF-STUFF-P5
So, I am now lost in regards to how to authenticate subsequent calls to my app's API (Express routes).
Should I somehow be storing a token in the browser, that I can use on subsequent calls to my own API/Express routes?
There is another repo here that seems to be demonstrating how to authenticate web app API calls:
https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi
But I am confused why there are two repos that essentially cover the same topic.
Additionally, the second repo uses the passport and passport-azure-ad packages and, unlike this repo, does not use the passport-azure-ad or express-session packages.
So, should I use the logic from one repo only, or both, and if both - how should I combine their logic?
To summarise, I just want to be able to:
- Allow users to sign in with Azure B2C
- Allow users to make subsequent calls to my API (Express routes) only if authenticated by Azure B2C