Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The adal-node package is a Node.js library that provides authentication and authorization functionalities using Azure Active Directory (AAD). It allows applications to authenticate users and acquire tokens to access Azure resources.
Authentication
This feature allows you to authenticate a client application using client credentials (client ID and client secret) and acquire an access token to access Azure resources.
const adal = require('adal-node');
const AuthenticationContext = adal.AuthenticationContext;
const authorityUrl = 'https://login.microsoftonline.com/common';
const resource = 'https://graph.windows.net';
const clientId = 'your-client-id';
const clientSecret = 'your-client-secret';
const context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCredentials(resource, clientId, clientSecret, (err, tokenResponse) => {
if (err) {
console.log('Error acquiring token: ', err);
} else {
console.log('Token acquired: ', tokenResponse);
}
});
Token Refresh
This feature allows you to refresh an expired access token using a refresh token, ensuring continuous access to Azure resources without requiring the user to re-authenticate.
const adal = require('adal-node');
const AuthenticationContext = adal.AuthenticationContext;
const authorityUrl = 'https://login.microsoftonline.com/common';
const resource = 'https://graph.windows.net';
const clientId = 'your-client-id';
const refreshToken = 'your-refresh-token';
const context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithRefreshToken(refreshToken, clientId, null, resource, (err, tokenResponse) => {
if (err) {
console.log('Error refreshing token: ', err);
} else {
console.log('Token refreshed: ', tokenResponse);
}
});
User Authentication
This feature allows you to generate an authentication URL for user login. The user navigates to this URL to authenticate and authorize the application to access Azure resources on their behalf.
const adal = require('adal-node');
const AuthenticationContext = adal.AuthenticationContext;
const authorityUrl = 'https://login.microsoftonline.com/common';
const resource = 'https://graph.windows.net';
const clientId = 'your-client-id';
const redirectUri = 'http://localhost:3000/callback';
const context = new AuthenticationContext(authorityUrl);
const authUrl = context.getAuthCodeUrl({
response_type: 'code',
client_id: clientId,
redirect_uri: redirectUri,
resource: resource
});
console.log('Navigate to: ', authUrl);
The msal (Microsoft Authentication Library) package provides similar functionalities to adal-node but is more modern and supports a wider range of authentication scenarios, including single-page applications (SPA), mobile applications, and server-side applications. It is the recommended library for new applications.
The passport-azure-ad package is a collection of Passport strategies for authenticating with Azure Active Directory. It provides a more integrated approach for applications using the Passport.js middleware for authentication in Node.js applications.
The azure-identity package is part of the Azure SDK for JavaScript and provides a unified way to authenticate and acquire tokens for Azure services. It supports various authentication methods, including managed identities, service principals, and interactive user authentication.
This library, ADAL for Node.js, will no longer receive new feature improvements. Instead, use the new library MSAL for Node.js.
Feedback |
---|
MSAL for Node.js is the new authentication library to be used with the Microsoft identity platform
Building on top of ADAL, MSAL works with the new and Open ID Connect certified Azure AD V2 endpoint and the new social identity solution from Microsoft, Azure AD B2C.
ADAL for Node.js is in maintenance mode and no new features will be added to the ADAL library anymore. All our ongoing efforts will be focused on improving the new MSAL for Node.js. MSAL’s documentation also contains a migration guide which simplifies upgrading from ADAL for Node.js.
The ADAL for node.js library makes it easy for node.js applications to authenticate to AAD in order to access AAD protected web resources. It supports 3 authentication modes shown in the quickstart code below.
You can find the changes for each version in the change log.
We provide a full suite of sample applications and documentation on GitHub to help you get started with learning the Azure Identity system. This includes tutorials for native clients such as Windows, Windows Phone, iOS, OSX, Android, and Linux. We also provide full walkthroughs for authentication flows such as OAuth2, OpenID Connect, Graph API, and other awesome features.
We leverage Stack Overflow to work with the community on supporting Azure Active Directory and its SDKs, including this one! We highly recommend you ask your questions on Stack Overflow (we're all on there!) Also browse existing issues to see if someone has had your question before.
We recommend you use the "adal" tag so we can see it! Here is the latest Q&A on Stack Overflow for ADAL: http://stackoverflow.com/questions/tagged/adal
We'd like your thoughts on this library. Please complete this short survey.
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
All code is licensed under the Apache 2.0 license and we triage actively on GitHub. We enthusiastically welcome contributions and feedback. You can clone the repo and start contributing now.
$ npm install adal-node
By default, ADAL logging does not capture or log any PII or OII. The library allows app developers to turn this on by configuring the loggingWithPII
flag in the logging options. By turning on PII or OII, the app takes responsibility for safely handling highly-sensitive data and complying with any regulatory requirements.
var logging = require('adal-node').Logging;
//PII or OII logging disabled. Default Logger does not capture any PII or OII.
logging.setLoggingOptions({
log: function(level, message, error) {
// provide your own implementation of the log function
},
level: logging.LOGGING_LEVEL.VERBOSE, // provide the logging level
loggingWithPII: false // Determine if you want to log personal identification information. The default value is false.
});
//PII or OII logging enabled.
logging.setLoggingOptions({
log: function(level, message, error) {
// provide your own implementation of the log function
},
level: logging.LOGGING_LEVEL.VERBOSE,
loggingWithPII: true
});
See the website sample for a complete bare bones express based web site that makes use of the code below.
var AuthenticationContext = require('adal-node').AuthenticationContext;
var clientId = 'yourClientIdHere';
var clientSecret = 'yourAADIssuedClientSecretHere'
var authorityHostUrl = 'https://login.windows.net';
var tenant = 'myTenant';
var authorityUrl = authorityHostUrl + '/' + tenant;
var redirectUri = 'http://localhost:3000/getAToken';
var resource = '00000002-0000-0000-c000-000000000000';
var templateAuthzUrl = 'https://login.windows.net/' +
tenant +
'/oauth2/authorize?response_type=code&client_id=' +
clientId +
'&redirect_uri=' +
redirectUri +
'&state=<state>&resource=' +
resource;
function createAuthorizationUrl(state) {
return templateAuthzUrl.replace('<state>', state);
}
// Clients get redirected here in order to create an OAuth authorize url and redirect them to AAD.
// There they will authenticate and give their consent to allow this app access to
// some resource they own.
app.get('/auth', function(req, res) {
crypto.randomBytes(48, function(ex, buf) {
var token = buf.toString('base64').replace(/\//g,'_').replace(/\+/g,'-');
res.cookie('authstate', token);
var authorizationUrl = createAuthorizationUrl(token);
res.redirect(authorizationUrl);
});
});
// After consent is granted AAD redirects here. The ADAL library is invoked via the
// AuthenticationContext and retrieves an access token that can be used to access the
// user owned resource.
app.get('/getAToken', function(req, res) {
if (req.cookies.authstate !== req.query.state) {
res.send('error: state does not match');
}
var authenticationContext = new AuthenticationContext(authorityUrl);
authenticationContext.acquireTokenWithAuthorizationCode(
req.query.code,
redirectUri,
resource,
clientId,
clientSecret,
function(err, response) {
var errorMessage = '';
if (err) {
errorMessage = 'error: ' + err.message + '\n';
}
errorMessage += 'response: ' + JSON.stringify(response);
res.send(errorMessage);
}
);
});
See the client credentials sample.
var AuthenticationContext = require('adal-node').AuthenticationContext;
var authorityHostUrl = 'https://login.windows.net';
var tenant = 'myTenant.onmicrosoft.com'; // AAD Tenant name.
var authorityUrl = authorityHostUrl + '/' + tenant;
var applicationId = 'yourApplicationIdHere'; // Application Id of app registered under AAD.
var clientSecret = 'yourAADIssuedClientSecretHere'; // Secret generated for app. Read this environment variable.
var resource = '00000002-0000-0000-c000-000000000000'; // URI that identifies the resource for which the token is valid.
var context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCredentials(resource, applicationId, clientSecret, function(err, tokenResponse) {
if (err) {
console.log('well that didn\'t work: ' + err.stack);
} else {
console.log(tokenResponse);
}
});
We have moved to axios
as the package of choice for HTTP requests for adal-node from request
since the npm support for request
is discontinued. However we noticed later that axios
does not support proxies -filed here. Since we are making only security changes to adal-node
, we are refraining from making any changes. However, we do recommend using https-proxy-agent
as suggested in the issue linked in case you need proxies for your application.
Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License")
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
FAQs
Windows Azure Active Directory Client Library for node
We found that adal-node demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.