Merge pull request #25 from Azure-Samples/dev

merge dev to main

Author: derisen

CONTRIBUTING.md

@@ -1,4 +1,4 @@
-# Contributing to msal-express-wrapper
+# Contributing to microsoft-identity-express
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a
 Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
@@ -51,12 +51,12 @@ chances of your issue being dealt with quickly:
 * **Suggest a Fix** - if you can't fix the bug yourself, perhaps you can point to what might be
   causing the problem (line of code or commit)
 
-You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/Azure-Samples/msal-express-wrapper/issues/new.
+You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/Azure-Samples/microsoft-identity-express/issues/new.
 
 ### <a name="submit-pr"></a> Submitting a Pull Request (PR)
 Before you submit your Pull Request (PR) consider the following guidelines:
 
-* Search the repository (https://github.com/Azure-Samples/msal-express-wrapper/pulls) for an open or closed PR
+* Search the repository (https://github.com/Azure-Samples/microsoft-identity-express/pulls) for an open or closed PR
   that relates to your submission. You don't want to duplicate effort.
 
 * Make your changes in a new git fork:

README.md

@@ -7,7 +7,7 @@
 
 ---
 
-This project illustrates a simple wrapper around the [ConfidentialClientApplication](https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_node.confidentialclientapplication.html) class of the [Microsoft Authentication Library for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node#microsoft-authentication-library-for-node-msal-node) (MSAL Node), in order to streamline routine authentication tasks such as login, logout and token acquisition, as well as securing routes and controlling access.
+This project illustrates a simple wrapper around the [ConfidentialClientApplication](https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_node.confidentialclientapplication.html) class of the [Microsoft Authentication Library for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node#microsoft-authentication-library-for-node-msal-node) (MSAL Node), in order to streamline routine authentication tasks such as login, logout and token acquisition, as well as securing routes and controlling access. In doing so it takes inspiration from the [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) with respect to developer experience.
 
 This is an open source project. [Suggestions](https://github.com/Azure-Samples/msal-express-wrapper/issues/new) and [contributions](https://github.com/Azure-Samples/msal-express-wrapper/blob/dev/CONTRIBUTING.md) are welcome!
 
@@ -65,17 +65,18 @@ const appSettings = {
         clientSecret: "CLIENT_SECRET" // alt. client certificate or key vault credential
     },
     authRoutes: {
-        redirect: "/redirect", // redirect URI configured on Azure AD
+        redirect: "/redirect", // redirect path or the full URI configured on Azure AD
         error: "/error", // errors will be redirected to this route
         unauthorized: "/unauthorized" // unauthorized access attempts will be redirected to this route
+        frontChannelLogout: "/sso_logout" // front-channel logout path or the full URI configured on Azure AD
     },
     remoteResources: {
         graphAPI: {
-            endpoint: "https://graph.microsoft.com/v1.0/me", // Microsoft Graph
+            endpoint: "https://graph.microsoft.com/v1.0/me", // Microsoft Graph API
             scopes: ["user.read"]
         },
         armAPI: {
-            endpoint: "https://management.azure.com/tenants?api-version=2020-01-01", // Azure REST API
+            endpoint: "https://management.azure.com/tenants?api-version=2020-01-01", // Azure Resource Manager REST API
             scopes: ["https://management.azure.com/user_impersonation"]
         }
     }
@@ -87,7 +88,7 @@ const appSettings = {
 ```javascript
 const appSettings = {
         // ...
-        policies: {
+        b2cPolicies: {
             signUpSignIn: {
                 authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/B2C_1_susi"
             }
@@ -102,7 +103,7 @@ Import the package and instantiate [AuthProvider](https://azure-samples.github.i
 ```javascript
 const express = require('express');
 const session = require('express-session');
-const msalWrapper = require('msal-express-wrapper');
+const MsIdExpress = require('microsoft-identity-express');
 
 const settings = require('./appSettings');
 const cache = require('./utils/cachePlugin');
@@ -121,11 +122,11 @@ app.use(session({
     }
 }));
 
-const authProvider = new msalWrapper.AuthProvider(settings, cache);
+const msid = new MsIdExpress.WebAppAuthClientBuilder(appSettings).build();
 
-app.use(authProvider.initialize()); // initialize default routes
+app.use(msid.initialize()); // initialize default routes
 
-app.use(router(authProvider)); // use authProvider in routers downstream
+app.use(router(msid)); // use authProvider in routers downstream
 
 app.listen(SERVER_PORT, () => console.log(`Server is listening on port ${SERVER_PORT}!`));
 ```
@@ -134,7 +135,7 @@ The wrapper stores user data on `req.session` variable. Below are some of the us
 
 * `req.session.isAuthenticated`: indicates if user is currently authenticated (*boolean*)
 * `req.session.account`: MSAL.js account object containing useful information like ID token claims (see [AccountInfo](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#accountinfo))
-* `req.session.remoteResources.{resourceName}`: Contains parameters related to an Azure AD / Azure AD B2C protected resource, including raw access tokens (see [Resource](https://azure-samples.github.io/msal-express-wrapper/docs/modules.html#resource))
+* `req.session.protectedResources.<resourceName>`: Contains parameters related to an Azure AD / Azure AD B2C protected resource, including raw access tokens (see [Resource](https://azure-samples.github.io/msal-express-wrapper/docs/modules.html#resource))
 
 ### Middleware
 
@@ -147,7 +148,7 @@ const express = require('express');
 const appSettings = require('../appSettings');
 const mainController = require('../controllers/mainController');
 
-module.exports = (authProvider) => {
+module.exports = (msid) => {
 
     // initialize router
     const router = express.Router();
@@ -166,13 +167,13 @@ module.exports = (authProvider) => {
 
     // auth routes
     router.get('/signin',
-        authProvider.signIn({
+        msid.signIn({
             successRedirect: "/",
         }),
     );
 
     router.get('/signout',
-        authProvider.signOut({
+        msid.signOut({
             successRedirect: "/",
         }),
     );
@@ -190,7 +191,7 @@ Simply add the [isAuthenticated()](https://azure-samples.github.io/msal-express-
 ```javascript
 // secure routes
 app.get('/id', 
-    authProvider.isAuthenticated({
+    msid.isAuthenticated({
             unauthorizedRedirect: "/sign-in"
         }
     ), // checks if authenticated via session
@@ -206,8 +207,8 @@ app.get('/id',
 
 ```javascript
     router.get('/profile',
-        authProvider.isAuthenticated(),
-        authProvider.getToken({
+        msid.isAuthenticated(),
+        msid.getToken({
             resource: {
                 endpoint: "https://graph.microsoft.com/v1.0/me",
                 scopes: [ "User.Read" ]
@@ -218,7 +219,7 @@ app.get('/id',
                 // use axios or a similar alternative
                 const response = await axios.default.get("https://graph.microsoft.com/v1.0/me", {
                     headers: {
-                        Authorization: `Bearer ${accessToken}`
+                        Authorization: `Bearer ${req.session["graphAPI"].accessToken}`
                     }
                 });
 
@@ -237,17 +238,15 @@ Use [hasAccess()](https://azure-samples.github.io/msal-express-wrapper/classes/a
 
 ```javascript
     router.use('/admin',
-        authProvider.isAuthenticated(),
-        authProvider.hasAccess({
+        msid.isAuthenticated(),
+        msid.hasAccess({
             accessRule: {
                 methods: [ "GET", "POST", "DELETE" ],
                 roles: [ "admin_role" ]
             }
         }),
         (req, res) => {
-            const users = User.getAllUsers();
-        
-            res.render('dashboard', { isAuthenticated: req.session.isAuthenticated, users: users });
+            res.render('dashboard', { isAuthenticated: req.session.isAuthenticated });
         }
     );
 ```

demo/App/app.js

@@ -7,10 +7,9 @@ const express = require('express');
 const session = require('express-session');
 const path = require('path');
 
-const settings = require('./appSettings');
-const cache = require('./utils/cachePlugin');
+const MsIdExpress = require('../../dist/index');
+const appSettings = require('./appSettings');
 
-const msalWrapper = require('../../dist/index');
 const router = require('./routes/router');
 
 const SERVER_PORT = process.env.PORT || 4000;
@@ -33,31 +32,31 @@ async function main() {
      * Using express-session middleware. Be sure to familiarize yourself with available options
      * and set the desired options. Visit: https://www.npmjs.com/package/express-session
      */
-    const sessionConfig = {
+    app.use(session({
         secret: 'ENTER_YOUR_SECRET_HERE',
         resave: false,
         saveUninitialized: false,
         cookie: {
-            secure: false, 
+            secure: false,
         }
-    }
-
-    if (app.get('env') === 'production') {
-        app.set('trust proxy', 1) // trust first proxy
-        sessionConfig.cookie.secure = true // serve secure cookies
-    }
-
-    app.use(session(sessionConfig));
+    }));
+    
+    app.set('trust proxy', 1) // trust first proxy
 
     try {
         // async building the wrapper as fetching credentials from key vault
-        const authProvider = await msalWrapper.AuthProvider.buildAsync(settings, cache);
+        const msid = await new MsIdExpress.WebAppAuthClientBuilder(appSettings)
+            .withKeyVaultCredentials({
+                credentialType: "clientSecret",
+                credentialName: "WrapperExampleSecret",
+                keyVaultUrl: "https://derisen-test-vault.vault.azure.net/"
+            }).buildAsync();
 
-        app.use(authProvider.initialize());
-    
-        app.use(router(authProvider));
-    
-        app.listen(SERVER_PORT, () => console.log(`Server is listening on port ${SERVER_PORT}!`));   
+        app.use(msid.initialize());
+
+        app.use(router(msid));
+
+        app.listen(SERVER_PORT, () => console.log(`Server is listening on port ${SERVER_PORT}!`));
     } catch (error) {
         console.log(error);
     }

demo/App/appSettings.js

@@ -2,18 +2,13 @@ const appSettings = {
     appCredentials: {
         clientId: "2a47e38d-600d-41c0-9d88-518326c9e4d7",
         tenantId: "cbaf2168-de14-4c72-9d88-f5f05366dbef",
-        keyVaultCredential: {
-            credentialType: "secret",
-            credentialName: "WrapperExampleSecret",
-            keyVaultUrl: "https://derisen-test-vault.vault.azure.net/"
-        }
     },
     authRoutes: {
         redirect: "/redirect",
         error: "/error",
         unauthorized: "/unauthorized"
     },
-    remoteResources: {
+    protectedResources: {
         graphAPI: {
             endpoint: "https://graph.microsoft.com/v1.0/me",
             scopes: ["user.read"]

demo/App/controllers/mainController.js

@@ -20,7 +20,7 @@ exports.getProfilePage = async(req, res, next) => {
     let profile;
 
     try {
-        profile = await fetchManager.callAPI(appSettings.remoteResources.graphAPI.endpoint, req.session.remoteResources["graphAPI"].accessToken);
+        profile = await fetchManager.callAPI(appSettings.protectedResources.graphAPI.endpoint, req.session.protectedResources["graphAPI"].accessToken);
         res.render('profile', { isAuthenticated: req.session.isAuthenticated, profile: profile });        
     } catch (error) {
         console.log(error);
@@ -32,7 +32,7 @@ exports.getTenantPage = async(req, res, next) => {
     let tenant;
 
     try {
-        tenant = await fetchManager.callAPI(appSettings.remoteResources.armAPI.endpoint, req.session.remoteResources["armAPI"].accessToken);
+        tenant = await fetchManager.callAPI(appSettings.protectedResources.armAPI.endpoint, req.session.protectedResources["armAPI"].accessToken);
         res.render('tenant', { isAuthenticated: req.session.isAuthenticated, tenant: tenant.value[0] });
     } catch (error) {
         console.log(error);

demo/App/data/cache.json

@@ -1,7 +1,7 @@
 const express = require('express');
 const mainController = require('../controllers/mainController');
 
-module.exports = (authProvider) => {
+module.exports = (msid) => {
 
     // initialize router
     const router = express.Router();
@@ -12,35 +12,36 @@ module.exports = (authProvider) => {
 
     // auth routes
     router.get('/signin',
-        authProvider.signIn({
-            successRedirect: "/",
+        msid.signIn({
+            postLoginRedirect: "/",
+            failureRedirect: "/signin"
         }),
     );
 
     router.get('/signout',
-        authProvider.signOut({
-            successRedirect: "/",
+        msid.signOut({
+            postLogoutRedirect: "/",
         }),
     );
 
     // secure routes
     router.get('/id',
-        authProvider.isAuthenticated(),
+        msid.isAuthenticated(),
         mainController.getIdPage
     );
 
     router.get('/profile',
-        authProvider.isAuthenticated(),
-        authProvider.getToken({
-            resource: authProvider.appSettings.remoteResources.graphAPI
+        msid.isAuthenticated(),
+        msid.getToken({
+            resource: msid.appSettings.protectedResources.graphAPI
         }),
         mainController.getProfilePage
     ); // get token for this route to call web API
 
     router.get('/tenant',
-        authProvider.isAuthenticated(),
-        authProvider.getToken({
-            resource: authProvider.appSettings.remoteResources.armAPI
+        msid.isAuthenticated(),
+        msid.getToken({
+            resource: msid.appSettings.protectedResources.armAPI
         }),
         mainController.getTenantPage
     ); // get token for this route to call web API

demo/App/routes/router.js

@@ -15,7 +15,6 @@ This sample demonstrates a Node.js & Express web application that authenticates
 | `App/app.js`                        | Application entry point.                                      |
 | `App/appSettings.json`              | Application settings and authentication parameters.           |
 | `App/routes/router.js`              | Application routes are defined here.                          |
-| `App/utils/cachePlugin.js`          | Example cache plugin implementation for saving cache to disk. |
 
 ## Prerequisites
 
@@ -71,12 +70,9 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 > In the steps below, "ClientID" is the same as "Application ID" or "AppId".
 
 1. Open the `./App/appSettings.json` file.
-1. Find the key `clientId` and replace the existing value with the **application ID** (clientId) of the `ExpressWebApp` application copied from the Azure Portal.
-1. Find the key `tenantId` and replace the existing value with your Azure AD **tenant ID**.
-1. Find the key `clientSecret` and replace the existing value with the key you saved during the creation of the `ExpressWebApp` app, in the Azure Portal.
-1. Find the key `homePageRoute` and replace the existing value with the route that you wish to be redirected after sign-in, e.g. `/home`.
-1. Find the key `redirectUri` and replace the existing value with the **Redirect URI** for `ExpressWebApp` app. For example, `http://localhost:4000/redirect`.
-1. Find the `postLogoutRedirectUri` and replace the existing value with the URI that you wish to be redirected after sign-out, e.g. `http://localhost:4000/`
+1. Find the key `appCredentials.clientId` and replace the existing value with the **application ID** (clientId) of the `ExpressWebApp` application copied from the Azure Portal.
+1. Find the key `appCredentials.tenantInfo` and replace the existing value with your Azure AD **tenant ID** (alternatively, `common` for all audiences).
+1. Find the key `authRoutes.redirect` and replace the existing value with the **Redirect URI** for `ExpressWebApp` app. For example, `http://localhost:4000/redirect` or simply `/redirect`.
 
 ## Running the sample