Authentication using the OAuth 2.0 authorization code flow with the Microsoft Identity Platform (Azure AD) and @azure/msal-node in a Node.js backend
I want to implement authentication using the OAuth 2.0 authorization code flow with the Microsoft Identity Platform (Azure AD) and the @azure/msal-node library in a Node.js backend.
So I can call graph api on successful authentication.
I tried to adopt code from official example at https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal
Here is my code:
const express = require('express');
const { PublicClientApplication, LogLevel } = require('@azure/msal-node');
// Initialize the MSAL client with your authentication configuration
const msalConfig = {
auth: {
clientId: process.env.CLIENT_ID,
clientSecret: process.env.CLIENT_SECRET,
authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`,
redirectUri: 'http://localhost:3000/redirect'
},
system: {
loggerOptions: {
loggerCallback(loglevel, message, containsPii) {
console.log(message);
},
piiLoggingEnabled: false,
logLevel: LogLevel.Info
}
}
};
const msalClient = new PublicClientApplication(msalConfig);
// Create an Express app
const app = express();
// Define a route for initiating the login process
app.get('/login', async (req, res) => {
const authCodeUrlParameters = {
scopes: ['openid', 'profile', 'offline_access', 'Calendars.Read'],
redirectUri: 'http://localhost:3000/redirect'
};
// Generate the authorization URL
const authUrl = await msalClient.getAuthCodeUrl(authCodeUrlParameters);
console.log('alok', authUrl)
// Redirect the user to the authorization URL
res.redirect(authUrl);
});
// Define a route for handling the redirect callback
app.get('/redirect', async (req, res) => {
const tokenRequest = {
code: req.query.code,
scopes: ['openid', 'profile', 'offline_access', 'Calendars.Read'],
redirectUri: 'http://localhost:3000/redirect'
};
try {
// Acquire an access token using the authorization code
const response = await msalClient.acquireTokenByCode(tokenRequest);
// use token now and save it for call graph api
res.send('Authentication successful!');
} catch (error) {
// Handle the token acquisition error
console.log(error);
res.send('Authentication failed.');
}
});
// Start the server
app.listen(3000, () => {
console.log('Server started on http://localhost:3000');
});
After successful login I am getting the code via http://localhost:3000/redirect?code=something
But I am not able to get token in the line await msalClient.acquireTokenByCode(tokenRequest)
I am getting error
ServerError: invalid_client: 7000218 - [2023-05-19 12:26:56Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 1852de3e-3310-4503-a9c4-985e35880f00
Correlation ID: 22c042a3-0777-4151-a364-edad3312ccee
Timestamp: 2023-05-19 12:26:56Z - Correlation ID: 22c042a3-0777-4151-a364-edad3312ccee - Trace ID: 1852de3e-3310-4503-a9c4-985e35880f00
at ServerError.AuthError [as constructor] (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:498:24)
at new ServerError (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:3383:28)
at ResponseHandler.validateTokenResponse (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:5414:19)
at AuthorizationCodeClient.<anonymous> (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:5722:41)
at step (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:79:23)
at Object.next (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:60:53)
at fulfilled (/home/alok/tmp/test-node/node_modules/@azure/msal-common/dist/index.cjs.js:50:58)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
errorCode: 'invalid_client',
errorMessage: "7000218 - [2023-05-19 12:26:56Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\n" +
'Trace ID: 1852de3e-3310-4503-a9c4-985e35880f00\r\n' +
'Correlation ID: 22c042a3-0777-4151-a364-edad3312ccee\r\n' +
'Timestamp: 2023-05-19 12:26:56Z - Correlation ID: 22c042a3-0777-4151-a364-edad3312ccee - Trace ID: 1852de3e-3310-4503-a9c4-985e35880f00',
subError: ''
}
I tried to get help from
- How do I resolve the error AADSTS7000218: The request body must contain the following parameter: 'client_secret' or 'client_assertion'
- AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret
- The request body must contain the following parameter: 'client_assertion' or 'client_secret
- ROPC flow: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
Out of these none are helpful for me.
What I am missing exactly so I am getting this error?
Note that, you need to enable
Allow public client flowsto "Yes" and add redirect URI by selecting platform as Mobile and desktop applications while using PublicClientApplication.
I cloned this Github sample and registered one Azure AD application by adding redirect URI in Web platform as below:
When I ran the sample and authenticated successfully, it asked for consent like below:
After accepting the above consent, I got code value in address bar and same error as you like this:
When I checked the code terminal, I got similar logs as you like below:
To resolve the error, I removed redirect URI from Web platform and added it in Mobile and desktop applications platform by enabling Allow public client flows to "Yes" like below:
Redirect URI:
Enable public client flow:
Note that, there is no need to pass client secret in code if you make above changes while using PublicClientApplication.
When I ran the sample again after making above changes, I got below response like this:
In Browser:
In your case, check if you added redirect URI as Web and change it to Mobile and desktop applications platform by enabling Allow public client flows to "Yes".
- What is Firebase Firestore 'Reference' data type good for?
- Getting a 504/502 error on api requests in Nextjs deployed on Vercel
- Docker nodemon doesn't hot reload even though the volumes has been set up
- Issue with nested creation in Prisma
- How to get parameter for delete request in express node js
- How to install package from github repo in Yarn
- NVM not recognized after installation
- Deploying NodeJS application in IIS server
- How to auto-reload files in Node.js?
- NVM: Getting Permission denied with nvm install command
- Visual Studio 2022 Unknown thread id '0'
- opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ]
- Read all text from stdin to a string
- Could not find a declaration file for module 'bson'
- vscode cds watch throws regular expression error
- Is it possible to develop Google Chrome extensions using node.js?
- Can't build Docker image with Postgresql
- validate nested objects using class-validator in nest.js controller
- ReplicaSetNoPrimary MongooseServerSelectionError: getaddrinfo EAI_AGAIN mongodb-primary
- NextAuth: how to return custom errors without redirection
- TypeORM: Custom Many To Many Relationship
- fs.watch fired twice when I change the watched file
- Is it possible to create or update postman test scripts or variables when running newman from node js?
- How to compare using bcrypt in a db query using node.js and express
- How can you read modified class properties from another classes callback in javascript?
- Is it possible to stub an exported function in a CommonJS module using sinon?
- node-red Firebase send notification
- How to combine a Nginx and a NodeJS Docker container
- 'createConnection' is deprecated
- Cannot find module 'node:http' in node module