
Logging out of Azure Passport authentication in Node.js


I have a Node.js application in which we have used Azure login with Passport authentication.

I have successfully logged in using Azure and the application is working fine.

But when I log out and enter the URL of a page, it checks for authentication and automatically goes to that page without asking for login.

Once I have logged in, my URL contains the following query string parameters:

1. session_state
2. code
3. state
4. token

Log in Code:

app.get('/login', passport.authenticate('azuread-openidconnect', { failureRedirect: '/' }), function (req, res) {
    res.sendFile(path.join(__dirname, 'index.html'));
});

Logout code:

app.get('/logout', function (req, res) {
    req.session.destroy();
    req.logout();
    res.redirect('/');
});

When I log out, the page redirects to my index page. Then, when I enter '/login' in the URL, it takes me to the page without going to the login page.

Please help me get out of this...


Solution

  • This issue is caused by the Authorization Code Grant Flow of OAuth 2.0. It seems there is still a session on the Azure AD OAuth 2.0 service. It is not a problem of passportjs or expressjs.

    We can do the following simple test: visit the authentication endpoint in a browser, https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token%20code&client_id=<client_id>&redirect_uri=<redirect_uri>&response_mode=query&scope=openid

    You will need to fill in the email and password first; after you finish the login flow, the second time you visit the endpoint you will no longer need to fill in the email or password.

    We can set the URL param prompt to login in the authorize endpoint to force users to re-authenticate every time.

    You can refer to https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx#code-snippet-3 for the details.

    But in the Azure passport oidcstrategy, we have to modify the source code to add the param into the endpoint.

    After you install the passport-azure-ad module, open the file /node_modules/passport-azure-ad/lib/passport-azure-ad/oidcstrategy.js; at line 545 (more or less) you can find the following code snippet:

        var params = {};
        if (self.authorizationParams) { params = self.authorizationParams(options); }
        params['response_type'] = config.responseType;
        log.info('We are sending the response_type: ', params['response_type']);
        params['client_id'] = config.clientID;
        params['redirect_uri'] = callbackURL;
        ...

    We can add the line params['prompt'] = 'login'; after the code snippet to add the support.

    Any further concern, please feel free to let me know.

    Edit:

    Is there any way to prompt login only when I have logged out...

    I am not sure what you mean: do you want to check whether the user is authenticated when he visits the login route and, if so, not prompt the login flow?

    If so, you can write a custom middleware to check authentication, e.g.:

    function checkAuthenticatedOnLogin(req, res, next) {
      if (!req.isAuthenticated()) {
        return next();
      } else {
        res.send('do not need login');
      }
    }

    app.get('/login', checkAuthenticatedOnLogin,
      passport.authenticate('azuread-openidconnect', { failureRedirect: '/login' }),
      function (req, res) {
        log.info('Login was called in the Sample');
        res.redirect('/');
      });
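As an added example (not code from the question or the answer), the pieces above as plain functions: the authorize URL the patched oidcstrategy.js produces once prompt=login is set, the answer's middleware, and a /logout handler that also ends the Azure AD session so the next /login prompts even without prompt=login. The logout endpoint and its post_logout_redirect_uri parameter are assumed from the Azure AD v1 end-session endpoint and are not taken from this page.

```javascript
// Added example, not code from the question or the answer. Plain functions so
// they run without Express or passport; plug them into app.get() as the answer
// shows. AUTHORIZE_ENDPOINT is the v1 endpoint quoted in the answer; the
// LOGOUT_ENDPOINT and its post_logout_redirect_uri parameter are assumed
// (Azure AD v1 end-session endpoint), not taken from this page.
const AUTHORIZE_ENDPOINT = 'https://login.microsoftonline.com/common/oauth2/authorize';
const LOGOUT_ENDPOINT = 'https://login.microsoftonline.com/common/oauth2/logout';

// Mirrors the params block in oidcstrategy.js once params['prompt'] = 'login'
// is added: with prompt=login the IdP re-collects credentials even though it
// still holds an SSO cookie for the browser, which is why a local logout alone
// did not force a new login.
function buildAuthorizeUrl(config, callbackURL, opts = {}) {
  const params = new URLSearchParams({
    response_type: config.responseType,
    client_id: config.clientID,
    redirect_uri: callbackURL,
    response_mode: 'query',
    scope: 'openid',
  });
  if (opts.forceLogin) params.set('prompt', 'login');
  return `${AUTHORIZE_ENDPOINT}?${params.toString()}`;
}

// The complementary fix: end the Azure AD session too, so the next /login
// prompts without needing prompt=login on every request.
function buildLogoutRedirect(postLogoutRedirectUri) {
  const params = new URLSearchParams({ post_logout_redirect_uri: postLogoutRedirectUri });
  return `${LOGOUT_ENDPOINT}?${params.toString()}`;
}

// Express-style /logout handler: clear passport's req.user (no-argument
// req.logout() as in the question; passport 0.6+ requires a callback),
// destroy the local session, then send the browser to the IdP logout endpoint.
function logoutHandler(postLogoutRedirectUri) {
  return function (req, res) {
    req.logout();
    req.session.destroy(function () {
      res.redirect(buildLogoutRedirect(postLogoutRedirectUri));
    });
  };
}

// The answer's middleware: skip the OIDC round-trip when passport already
// has an authenticated user on this session.
function checkAuthenticatedOnLogin(req, res, next) {
  if (!req.isAuthenticated()) return next();
  return res.send('do not need login');
}
```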