Authenticate with Azure AD with Node

I have a Native Client Application setup in my Azure Active Directory environment. I am trying to write a Node app for Utility purposes to interact with the Azure Management APIs. My challenge is just authenticating my app. At this time, I have:

// `request` was used below but never required; the import is needed for the snippet to run.
const request = require('request');

let azure = {
  clientId: '[only-for-my-eyes]',
  key: '[only-for-my-eyes]',
  tenantDomain: 'mydomain.onmicrosoft.com',
  tenantId: '[only-for-my-eyes]'
};

// NOTE: this POSTs to the /authorize endpoint, which is the behaviour the question asks about.
let authenticationRequest = {
  url: `https://login.microsoftonline.com/${azure.tenantDomain}/oauth2/v2.0/authorize`,
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  formData: {
    response_type: 'code',
    response_mode: 'form_post',
    grant_type: 'client_credentials',
    resource: 'https://management.azure.com',
    client_id: azure.clientId,
    client_secret: azure.key
  }
};

request.post(authenticationRequest, function (error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log(body); // prints the HTML of the login page rather than a token
  } else {
    console.log(response.statusCode);
    console.log(response.statusMessage);
  }
});

When the above runs, the 200 status code block is executed. But, it just prints out a bunch of HTML. If I'm looking at it correctly, it looks like the HTML of the login screen. I'm trying to get an access token that I can pass to the management APIs.

What am I missing?

I believe that particular endpoint is intended for a GET with those given parameters, not a POST. I suspect what you're seeing is probably just the generic error message:

Sorry, but we're having trouble signing you in.

We received a bad request.

What you are trying to do is to call the authorization page with a POST request. You don't have to send a POST (or GET) request here, you must redirect your user to that authorization URL.

In addition, you must have a redirect URI (I don't see it in your azure object). This redirect URI is a callback to your application. For the rest of my answer, let's say it is stored in azure.redirectUri

// Build the authorization URL (template literal, so the backticks and ${...} are required).
// redirect_uri is URL-encoded because it contains ':' and '/'.
let url = `https://login.microsoftonline.com/${azure.tenantDomain}/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&client_id=${azure.clientId}&resource=https%3A%2F%2Fmanagement.azure.com&redirect_uri=${encodeURIComponent(azure.redirectUri)}`;

// `response` is the Node.js http.ServerResponse for the incoming browser request:
// send the user's browser to the authorization page instead of calling it yourself.
response.writeHead(302, {
    'Location': url
});
response.end();

The user will be redirected to the authorization page and will have to accept (or deny) your application request. Then the user is redirected back to your Node.js application ( azure.redirectUri ). As your response_mode is form_post , if the user accepted your application request, you will receive the authorization code in the body parameters.

With that code your application will be able to get an access token by calling the token endpoint.

Why not just use ARMClient ? All the nasty token business is taken care of.

From https://www.npmjs.com/package/armclient :

Initialization:

// ES5

var ArmClient = require('armclient');

var client = ArmClient({ 
  subscriptionId: '111111-2222-3333333',
  auth: ArmClient.clientCredentials({
    tenantId: '444444-555555-666666666',
    clientId: '777777-888888-999999999',
    clientSecret: 'aaaabbbbbccccc' // or servicePrincipalPassword 
  })
});

Get resources in your subscription:

client.get('https://management.azure.com/subscriptions/111-222-333-444/resourceGroups/lab/providers/Microsoft.Automation/automationAccounts', { 'api-version': '2015-10-31' })
  .then((res) => {
    console.log(res.body);
    console.log(res.headers);
  })
  .catch((err) => {
    console.log(err);
  });
