Tags: azure, azure-active-directory, hapi.js

ValidationError: "tenantId" is not allowed when using AzureAD for hapi JS route authorization


We are trying to use @hapi/bell on our back-end routes to provide authorization. The authentication strategy uses Azure as the provider and the scheme is bell.

This is how I register the strategy. The clientId, clientSecret, tenantId and password are hidden for obvious reasons.

    server.auth.strategy('azureAD', 'bell', {
      provider: 'azure',
      clientId: '...',
      clientSecret: '...',
      tenantId: '...',
      password: '...',
      providerParams: {
        response_type: 'code'
      },
      scope: ['openid', 'offline_access', 'profile', 'User.Read']
    })

When I run the server, I get the following error:

{ [ValidationError: "tenantId" is not allowed] ...

Now, looking into the azure portal, we definitely want to be supporting accounts only inside the organisation i.e. single-tenant.

If I remove the tenantId option and restart the server, I get a CORS error which essentially says that our app is not configured as a multi-tenant application and we need to use a tenant-specific endpoint or configure the application to be multi-tenant. Adding the tenantId, however, says that it is not allowed.

Any guidance as to why this is happening will be highly appreciated.


Solution

  • I found out that instead of registering the strategy as I have shown in the question the following could be done:

    const custom = Bell.providers.azure({ tenant: '...' })
    
    server.auth.strategy('azureAD', 'bell', {
      provider: custom,
      clientId: '...',
      clientSecret: '...',
      password: '...',
      isSecure: false, // look into this, not a good idea but required if not using HTTPS
      providerParams: {
        response_type: 'code'
      },
      scope: ['openid', 'offline_access', 'profile', 'User.Read']
    })
    

    This gets rid of the "tenantId" is not allowed error; however, we now get a different error stating Authentication failed due to: Missing custom request token cookie.

    Bell suggests that a common solution is to combine bell with the hapi-auth-cookie authentication scheme plugin, so now this is something to look into.
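The following is an added example, not code from the original question or answer and not part of @hapi/bell itself. It packages the pattern from the answer (tenant passed to the provider factory, never as a top-level tenantId) into a small builder plus a pre-registration lint, so the single-tenant pinning and the cookie security setting are checked before server.auth.strategy() is called. azureProvider() is an assumed stand-in for Bell.providers.azure({ tenant }) that only reproduces the tenant-scoped v2.0 endpoint URLs; in a real server you would obtain the provider from @hapi/bell instead. The 32-character minimum for password is bell's own requirement for the state-cookie encryption key; all other sample values are constructed.

```javascript
// Added example: assemble and lint a single-tenant Azure AD strategy
// configuration for @hapi/bell. Not the library's code.

const MIN_BELL_PASSWORD_LENGTH = 32; // bell rejects shorter cookie passwords

// Assumed stand-in for Bell.providers.azure({ tenant }). When no tenant is
// given the library falls back to the multi-tenant "common" endpoint, which
// is exactly what a single-tenant app registration refuses to work with.
function azureProvider(tenant) {
  const t = tenant || 'common';
  return {
    protocol: 'oauth2',
    useParamsAuth: true,
    auth: `https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,
    token: `https://login.microsoftonline.com/${t}/oauth2/v2.0/token`,
    scope: ['openid', 'offline_access', 'profile']
  };
}

// Build the (name, scheme, options) triple for server.auth.strategy().
// `production` drives isSecure: the state cookie must carry the Secure flag
// whenever the app is served over HTTPS; false is only for local plain HTTP.
function buildAzureStrategy({ tenant, clientId, clientSecret, password, production }) {
  if (!tenant) throw new Error('tenant is required for a single-tenant app');
  if (!clientId || !clientSecret) throw new Error('clientId and clientSecret are required');
  if (typeof password !== 'string' || password.length < MIN_BELL_PASSWORD_LENGTH) {
    throw new Error(`password must be at least ${MIN_BELL_PASSWORD_LENGTH} characters`);
  }
  return {
    name: 'azureAD',
    scheme: 'bell',
    options: {
      provider: azureProvider(tenant), // tenant lives here, not as a top-level tenantId
      clientId,
      clientSecret,
      password,
      isSecure: Boolean(production),
      providerParams: { response_type: 'code' },
      scope: ['openid', 'offline_access', 'profile', 'User.Read']
    }
  };
}

// Returns a list of problems with a strategy config; empty when acceptable.
// Run this before server.auth.strategy(name, scheme, options).
function lintStrategy({ options }, { production }) {
  const problems = [];
  if ('tenantId' in options) {
    problems.push('tenantId is not a bell strategy option; pass tenant to the provider factory');
  }
  if (/\/common\//.test(options.provider.auth)) {
    problems.push('provider points at the multi-tenant "common" endpoint');
  }
  if (production && options.isSecure !== true) {
    problems.push('isSecure must be true when the app is served over HTTPS');
  }
  return problems;
}

// Usage in a hapi server (constructed values):
//   const cfg = buildAzureStrategy({ tenant: 'contoso.onmicrosoft.com', clientId, clientSecret,
//                                    password: process.env.BELL_PASSWORD, production: true });
//   const issues = lintStrategy(cfg, { production: true });
//   if (issues.length) throw new Error(issues.join('; '));
//   server.auth.strategy(cfg.name, cfg.scheme, cfg.options);
```

The lint deliberately treats a "common" endpoint as a defect rather than a fallback: for an app registered as single-tenant it is both a functional failure (the error the question describes) and a sign that tenant pinning has silently been lost.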