从passport-azure-ad.OIDCStrategy获取access_token用作承载令牌

Question

** Disclaimer -- I'm new to the world of oAuth and OpenIDConnect -- please be patient if I'm asking a stupid question here.

I want to create a SPA that will request data from an API. Both the SPA and API are hosted on the same nodejs server. I want anyone accessing data and/or the app to be authenticated with our AzureAD tenant on Office365.

Currently, I have the authentication piece working using passport-azure-ad.OIDCStrategy. However, in my app, I would also like to be able to access information from the Microsoft GRAPH api in the server side api code. However, the OIDC connection that I've already made does not seem to be enough to allow me access to the GRAPH api. It appears that maybe I need a jwt bearer token.

My question is, do I need to use the access token from the OIDC response to get a bearer token? If so, how do I go about this (on the server side -- nodejs)?

I tried viewing the example listed in passport-auth-ad for BearerStrategy v2 endpoint. What confuses me though is that it uses OIDCStrategy! Does that also return a bearer token? If so, am I already receiving everything I need in my first OIDCStrategy call?

Thanks for whatever help you can offer!

Update

https.request({
        hostname: "graph.microsoft.com",
        path: '/v1.0/me/messages',
        port: 443, 
        method: 'GET',
        headers: {Authorization: 'Bearer ' + req.user.token, Accept: "application/json"}
    },(rs) => {
        console.log("HTTPS Response Status: ", rs.statusCode);
        console.log("HTTPS Response Headers: ", rs.headers)
        rs.on('data', (d) => {
            res.send(d)
        })
    }).end();

Error Message:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.", ...

I confirmed that the token is the same token that was passed as the id_token in the auth callback from Azure. Any thoughts?

Update 2

A few more code snippets to help in diagnosing where I may be going wrong.

Strategy Config

//Still test code so user management not fully implemented
passport.use("azure", new azureStrategy({
    identityMetadata: 'https://login.microsoftonline.com/common/.well-known/openid-configuration',
    clientID: "*********************",
    responseType: 'code id_token',
    issuer: "https://sts.windows.net/****************/",
    responseMode: 'form_post',
    redirectUrl: "https://localhost:5070/auth/azure/callback",
    allowHttpForRedirectUrl: true,
    clientSecret: "***************" ,
    state: "************"
},
(iss, sub, profile, claims, accessToken, refreshToken, params, done) => {
    process.nextTick(() => {
        var user = usvc.findUserByAltId(profile.oid, "azure");
        if(!user){

        }
    })
    done(null, {id: profile.oid, name: profile.displayName, email: profile.upn, photoURL: "", token: params.id_token });
}));

Route Definitions

app.get("/auth/azure", azure.passport.authenticate(
 'azure', {scope: ['Mail.Read','User.Read'], failureRedirect: '/'}))

app.post("/auth/azure/callback", azure.passport.authenticate(
  "azure", {scope: ['Mail.Read','User.Read'], failureRedirect: "/error.html"}),
(req, res) => {res.redirect("/user")})

Answer 1

The OpenIDConnect work grand flow also will returns a JWT token for Authentication & Authorization. You can use the id_token in Authentication header for the resources. However, some operations in Graph APIs require an administrator permission.

You can try to run the following script in PowerShell to upgrade your Azure AD application's privilege.

Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId