Is there a way to implement the Azure AD on-behalf-of (OBO) flow in NodeJS using a library like Passport?
I've found examples on how to use passport-azure-ad to secure a WebAPI in NodeJS (e.g. using the BearerStrategy), but I haven't found any examples of implementing the OBO flow in NodeJS specifically.
In my situation, I have a client application that sends a bearer auth token to my NodeJS service in the Authorization header. If my understanding is correct, if I then want to have my NodeJS service call the MS Graph API as the user, I have to exchange the token for a different one as part of the OBO flow.
In the examples I've found for a service that uses .NET, there is a library for this purpose (and you call something like AcquireTokenAsync with the Bearer token as the assertion). Is there a similar library that should be used if the service is NodeJS instead of .NET?
I know it can be done by issuing HTTP requests directly, I just didn't know if that was the preferred/only way to do it in NodeJS.
Thanks!
Actually, adal-node package does not support on-behalf-of flow. To implement that we have to make a new HTTP call and pass assertion in the request. I would suggest you to read the incoming token in your service and make a new http call to (https://login.microsoftonline.com/b2bc09c8-9386-47b1-8aexxxxxxxxxx/oauth2/token) endpoint with assertion to get the token for MS Graph API.
Below is the screenshot to get the token in on-behalf-of flow using postman.
Below is the code to get the access token using on-behalf-of flow in node.js
var qs = require("querystring");
var http = require("https");
var options = { "method": "POST", "hostname": [ "login", "microsoftonline", "com" ], "path": [ "b2bc09c8-9386-47xxxxxxxx", "oauth2", "token" ], "headers": { "Content-Type": "application/x-www-form-urlencoded", "cache-control": "no-cache", "Postman-Token": "739540c9-1e3d-4d74-bxxxxxxx" } };
var req = http.request(options, function (res) { var chunks = [];
res.on("data", function (chunk) {
chunks.push(chunk);
});
res.on("end", function () {
var body = Buffer.concat(chunks);
console.log(body.toString());
});
});
req.write(qs.stringify({ grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', client_id: 'd1538209-a56f-4301-863dxxxxxxxxxxxxx', resource: 'https://graph.microsoft.com/', client_secret: 'NITLQThsHDlPb0FR+8oXxxxxxxxxxxxxxxxxxxx', scope: 'openid', assertion: 'incoming access token from native app', requested_token_use: 'on_behalf_of', undefined: undefined })); req.end();
You can extract the access token and use it against a resource in a bearer request. I hope this will solve your issue.
- Microsoft Power BI REST API PowerBINotAuthorizedException
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?
- Is it possible to add multiple audiences to AAD bearer token?
- Non-interactive way to authenticate to Azure AD using AADInternals?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0