Completed add AAD auth step

Author: jasonjoh

demo/graph-tutorial/.env.example

@@ -0,0 +1,8 @@
+OAUTH_APP_ID=YOUR_APP_ID_HERE
+OAUTH_APP_PASSWORD=YOUR_APP_PASSWORD_HERE
+OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
+OAUTH_SCOPES='profile offline_access user.read calendars.read'
+OAUTH_AUTHORITY=https://login.microsoftonline.com/common/
+OAUTH_ID_METADATA=v2.0/.well-known/openid-configuration
+OAUTH_AUTHORIZE_ENDPOINT=oauth2/v2.0/authorize
+OAUTH_TOKEN_ENDPOINT=oauth2/v2.0/token

demo/graph-tutorial/app.js

@@ -1,13 +1,101 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
 var createError = require('http-errors');
 var express = require('express');
 var path = require('path');
 var cookieParser = require('cookie-parser');
 var logger = require('morgan');
 var session = require('express-session');
 var flash = require('connect-flash');
+require('dotenv').config();
+
+var passport = require('passport');
+var OIDCStrategy = require('passport-azure-ad').OIDCStrategy;
+
+// Configure passport
+
+// In-memory storage of logged-in users
+// For demo purposes only, production apps should store
+// this in a reliable storage
+var users = {};
+
+// Passport calls serializeUser and deserializeUser to
+// manage users
+passport.serializeUser(function(user, done) {
+  // Use the OID property of the user as a key
+  users[user.profile.oid] = user;
+  done (null, user.profile.oid);
+});
+
+passport.deserializeUser(function(id, done) {
+  done(null, users[id]);
+});
+
+// <ConfigureOAuth2Snippet>
+// Configure simple-oauth2
+const oauth2 = require('simple-oauth2').create({
+  client: {
+    id: process.env.OAUTH_APP_ID,
+    secret: process.env.OAUTH_APP_PASSWORD
+  },
+  auth: {
+    tokenHost: process.env.OAUTH_AUTHORITY,
+    authorizePath: process.env.OAUTH_AUTHORIZE_ENDPOINT,
+    tokenPath: process.env.OAUTH_TOKEN_ENDPOINT
+  }
+});
+// </ConfigureOAuth2Snippet>
+
+// Callback function called once the sign-in is complete
+// and an access token has been obtained
+// <SignInCompleteSnippet>
+async function signInComplete(iss, sub, profile, accessToken, refreshToken, params, done) {
+  if (!profile.oid) {
+    return done(new Error("No OID found in user profile."));
+  }
+
+  try{
+    const user = await graph.getUserDetails(accessToken);
+
+    if (user) {
+      // Add properties to profile
+      profile['email'] = user.mail ? user.mail : user.userPrincipalName;
+    }
+  } catch (err) {
+    return done(err);
+  }
+
+  // Create a simple-oauth2 token from raw tokens
+  let oauthToken = oauth2.accessToken.create(params);
+
+  // Save the profile and tokens in user storage
+  users[profile.oid] = { profile, accessToken };
+  return done(null, users[profile.oid]);
+}
+// </SignInCompleteSnippet>
+
+// Configure OIDC strategy
+passport.use(new OIDCStrategy(
+  {
+    identityMetadata: `${process.env.OAUTH_AUTHORITY}${process.env.OAUTH_ID_METADATA}`,
+    clientID: process.env.OAUTH_APP_ID,
+    responseType: 'code id_token',
+    responseMode: 'form_post',
+    redirectUrl: process.env.OAUTH_REDIRECT_URI,
+    allowHttpForRedirectUrl: true,
+    clientSecret: process.env.OAUTH_APP_PASSWORD,
+    validateIssuer: false,
+    passReqToCallback: false,
+    scope: process.env.OAUTH_SCOPES.split(' ')
+  },
+  signInComplete
+));
 
 var indexRouter = require('./routes/index');
 var usersRouter = require('./routes/users');
+var authRouter = require('./routes/auth');
+var graph = require('./graph');
 
 var app = express();
 
@@ -52,7 +140,23 @@ app.use(express.urlencoded({ extended: false }));
 app.use(cookieParser());
 app.use(express.static(path.join(__dirname, 'public')));
 
+// Initialize passport
+app.use(passport.initialize());
+app.use(passport.session());
+
+// <AddProfileSnippet>
+app.use(function(req, res, next) {
+  // Set the authenticated user in the
+  // template locals
+  if (req.user) {
+    res.locals.user = req.user.profile;
+  }
+  next();
+});
+// </AddProfileSnippet>
+
 app.use('/', indexRouter);
+app.use('/auth', authRouter);
 app.use('/users', usersRouter);
 
 // catch 404 and forward to error handler

demo/graph-tutorial/graph.js

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+var graph = require('@microsoft/microsoft-graph-client');
+require('isomorphic-fetch');
+
+module.exports = {
+  getUserDetails: async function(accessToken) {
+    const client = getAuthenticatedClient(accessToken);
+
+    const user = await client.api('/me').get();
+    return user;
+  }
+};
+
+function getAuthenticatedClient(accessToken) {
+  // Initialize Graph client
+  const client = graph.Client.init({
+    // Use the provided access token to authenticate
+    // requests
+    authProvider: (done) => {
+      done(null, accessToken);
+    }
+  });
+
+  return client;
+}

demo/graph-tutorial/routes/auth.js

@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+var express = require('express');
+var passport = require('passport');
+var router = express.Router();
+
+/* GET auth callback. */
+router.get('/signin',
+  function  (req, res, next) {
+    passport.authenticate('azuread-openidconnect',
+      {
+        response: res,
+        prompt: 'login',
+        failureRedirect: '/',
+        failureFlash: true,
+        successRedirect: '/'
+      }
+    )(req,res,next);
+  }
+);
+
+// <CallbackRouteSnippet>
+router.post('/callback',
+  function(req, res, next) {
+    passport.authenticate('azuread-openidconnect',
+      {
+        response: res,
+        failureRedirect: '/',
+        failureFlash: true,
+        successRedirect: '/'
+      }
+    )(req,res,next);
+  }
+);
+// </CallbackRouteSnippet>
+
+router.get('/signout',
+  function(req, res) {
+    req.session.destroy(function(err) {
+      req.logout();
+      res.redirect('/');
+    });
+  }
+);
+
+module.exports = router;

demo/graph-tutorial/tokens.js

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// <TokensSnippet>
+module.exports = {
+  getAccessToken: async function(req) {
+    if (req.user) {
+      // Get the stored token
+      var storedToken = req.user.oauthToken;
+
+      if (storedToken) {
+        if (storedToken.expired()) {
+          // refresh token
+          var newToken = await storedToken.refresh();
+
+          // Update stored token
+          req.user.oauthToken = newToken;
+          return newToken.token.access_token;
+        }
+
+        // Token still valid, just return it
+        return storedToken.token.access_token;
+      }
+    }
+  }
+};
+// </TokensSnippet>