I haven’t touched Node.js much lately, but back when I was working with it I was always curious how to use Passport.js with Azure AD together with ADAL for Node.js, so that ADAL handles the tokens, refreshes, cache, etc. In the end I came up with a solution, which I am going to share below.
We have been migrating a couple of projects to ASP.NET Core 2.0 recently. Among the major changes in ASP.NET Core 2.0, probably the biggest one is in authentication. I have written an article about cookie size in ASP.NET Core which explains the basic issue with having too many claims in the identity. The ASP.NET Core 2.0 OpenID Connect handler addresses this by removing some of the token values from the identity in the background.
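As an added example written for this page (it is not the post's or the linked article's code), this is one way to keep the authentication cookie small in ASP.NET Core 2.0: the tokens stay out of the claims (`SaveTokens` puts them into the ticket's properties), claims the app never reads are dropped with `ClaimActions.DeleteClaim`, which is the mechanism the 2.0 OpenID Connect handler itself uses by default for protocol claims such as `nonce` and `aud`, and the whole ticket is kept server-side through `CookieAuthenticationOptions.SessionStore`, so the cookie carries only a random key. `MemoryCacheTicketStore`, the authority and the client id are hypothetical placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical ITicketStore: the cookie carries only the key returned from StoreAsync,
// the ticket itself (claims + saved tokens) stays in server memory.
public class MemoryCacheTicketStore : ITicketStore
{
    private readonly IMemoryCache _cache = new MemoryCache(new MemoryCacheOptions());

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = "AuthTicket-" + Guid.NewGuid().ToString("N"); // unguessable, 128 bits of randomness
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var options = new MemoryCacheEntryOptions();
        if (ticket.Properties.ExpiresUtc.HasValue)
            options.SetAbsoluteExpiration(ticket.Properties.ExpiresUtc.Value); // server entry dies with the cookie
        else
            options.SetSlidingExpiration(TimeSpan.FromHours(1));
        _cache.Set(key, ticket, options);
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        // null when the key is unknown or expired: the user is simply challenged again
        _cache.TryGetValue(key, out AuthenticationTicket ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _cache.Remove(key);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // Keep the ticket server-side; the cookie only references it
            options.SessionStore = new MemoryCacheTicketStore();
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/common"; // placeholder
            options.ClientId = "<client-id>";                               // placeholder
            // Tokens go into AuthenticationProperties of the ticket, not into claims
            options.SaveTokens = true;
            // Claims the app never reads would otherwise be serialised into every request's cookie
            options.ClaimActions.DeleteClaim("family_name");
            options.ClaimActions.DeleteClaim("given_name");
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

The ticket's `ExpiresUtc` drives the cache entry lifetime, so a server-side entry cannot outlive its cookie. Because the store is in-process, a second instance of the app will not find the key; a production deployment puts a distributed cache (Redis, SQL) behind the same `ITicketStore` interface.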
Based on my previous post about B2B guest access to an application, I made another sample called MyGroups. I think it demonstrates practical usage of B2B guest access, Office 365 Groups and Microsoft Graph.
MyGroups displays all the Office 365 Groups the user has been added to and additionally lists direct links to each group’s SharePoint site, which is something we have needed internally within our company.
In the HomeController you can find the call to Microsoft Graph’s groups endpoint that gets each group’s site information. The requests are made in parallel to shorten the wait for the user; on average, it took about 1 second to get the site details of each group.
If you would like to use the code, just go ahead and grab the source from GitHub!
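The parallel fan-out mentioned above, as an added example written for this page (it is not the MyGroups code): `me/memberOf` is paged through, narrowed to unified (Office 365) groups, and each group's team site is fetched from `groups/{id}/sites/root` concurrently, with a semaphore capping the number of in-flight requests so that a user in many groups does not trip Graph throttling. `GroupSiteResolver` and `GroupSite` are hypothetical names, and the bearer token is assumed to have been acquired already (through ADAL, for instance) with the Graph permissions the two endpoints require consented.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class GroupSite
{
    public string Id { get; set; }
    public string DisplayName { get; set; }
    public string SiteUrl { get; set; }
}

// Hypothetical helper, not the sample's own code.
public class GroupSiteResolver
{
    private static readonly HttpClient Http =
        new HttpClient { BaseAddress = new Uri("https://graph.microsoft.com/v1.0/") };

    private readonly string _accessToken;      // acquired elsewhere, scoped to Microsoft Graph
    private readonly SemaphoreSlim _throttle;  // upper bound on concurrent Graph calls

    public GroupSiteResolver(string accessToken, int maxParallel = 8)
    {
        _accessToken = accessToken;
        _throttle = new SemaphoreSlim(maxParallel, maxParallel);
    }

    private async Task<JObject> GetAsync(string url)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
            using (var response = await Http.SendAsync(request))
            {
                response.EnsureSuccessStatusCode();
                return JObject.Parse(await response.Content.ReadAsStringAsync());
            }
        }
    }

    // Follows @odata.nextLink so groups beyond the first page are not silently dropped
    private async Task<List<JToken>> GetMemberOfAsync()
    {
        var items = new List<JToken>();
        string url = "me/memberOf";
        while (url != null)
        {
            var page = await GetAsync(url);
            items.AddRange((JArray)page["value"]);
            url = (string)page["@odata.nextLink"]; // absolute URL, takes precedence over BaseAddress
        }
        return items;
    }

    public async Task<GroupSite[]> ResolveAsync()
    {
        // memberOf also returns roles and security groups; only unified groups have a team site
        var unifiedGroups = (await GetMemberOfAsync())
            .Where(o => (string)o["@odata.type"] == "#microsoft.graph.group")
            .Where(g => g["groupTypes"] != null && g["groupTypes"].Any(t => (string)t == "Unified"))
            .ToList();

        // One request per group, all started at once: wall time ~ the slowest request, not the sum
        var tasks = unifiedGroups.Select(async g =>
        {
            await _throttle.WaitAsync();
            try
            {
                var site = await GetAsync($"groups/{(string)g["id"]}/sites/root?$select=webUrl");
                return new GroupSite
                {
                    Id = (string)g["id"],
                    DisplayName = (string)g["displayName"],
                    SiteUrl = (string)site["webUrl"]
                };
            }
            finally
            {
                _throttle.Release();
            }
        });
        return await Task.WhenAll(tasks);
    }
}
```

`Task.WhenAll` surfaces the first failed request as an exception for the whole batch; if one group's site being unavailable should not hide the others, catch inside the lambda and return a `GroupSite` with a null `SiteUrl` instead.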
Since Microsoft’s Azure AD got the Business-to-Business (B2B) functionality, it has enabled a broad variety of new scenarios. For example, it makes sharing resources and information within applications much easier. Today we are going to investigate how to build an application which is not only multi-tenant, but also supports a user who is a member of multiple directories.
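An added example (not the post's code) of the two pieces such an app needs in ASP.NET Core 2.0 against the Azure AD v1 endpoint: the `common` authority accepts a token from any tenant, so the issuer of every token is checked against the tenants that actually onboarded the app; and a user who is a guest in several directories chooses which tenant to sign in to, which is done by pointing the authorize request at that tenant's own endpoint. The `AllowedTenants` set and the two tenant ids in it are constructed for this example, `SignInToTenant` is a hypothetical action, and the client id is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Constructed allow-list: tenant ids of the directories that onboarded this app.
    private static readonly HashSet<string> AllowedTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "11111111-1111-1111-1111-111111111111",
            "22222222-2222-2222-2222-222222222222",
        };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/common"; // multi-tenant
            options.ClientId = "<client-id>";                               // placeholder
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Metadata from 'common' cannot validate the issuer, so do it here.
                // Azure AD v1 issuers look like https://sts.windows.net/{tenantId}/
                IssuerValidator = (issuer, token, parameters) =>
                {
                    var tenantId = issuer.TrimEnd('/').Split('/').Last();
                    if (!AllowedTenants.Contains(tenantId))
                        throw new SecurityTokenInvalidIssuerException($"Tenant {tenantId} is not onboarded");
                    return issuer;
                }
            };
            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = context =>
                {
                    // A guest exists in several directories: send the request to the tenant
                    // the user picked; otherwise Azure AD signs them into their home tenant.
                    if (context.Properties.Items.TryGetValue("tenant", out var tenant))
                        context.ProtocolMessage.IssuerAddress =
                            $"https://login.microsoftonline.com/{tenant}/oauth2/authorize";
                    return Task.CompletedTask;
                }
            };
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class AccountController : Controller
{
    // GET /Account/SignInToTenant?tenant=<tenant-id>&returnUrl=/
    public IActionResult SignInToTenant(string tenant, string returnUrl = "/")
    {
        var properties = new AuthenticationProperties
        {
            RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"
        };
        // Only a well-formed tenant id is ever spliced into the authorize URL
        if (Guid.TryParse(tenant, out var tenantId))
            properties.Items["tenant"] = tenantId.ToString();
        return Challenge(properties, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

The `tenant` query parameter is user input that ends up inside the authorize URL, which is why it is parsed as a `Guid` before use rather than concatenated as-is; `returnUrl` gets the same treatment through `Url.IsLocalUrl`. The issuer check still runs on the token that comes back, so a redirect to a tenant-specific endpoint does not bypass the allow-list.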
While working on a project, I stumbled upon an interesting issue: how to force the user to reauthenticate in an application, for example when accessing sensitive information. While it may seem quite straightforward from the Azure AD documentation, it is not that simple, and if you are using prompt=login to reauthenticate the user, I strongly suggest you read on.
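As an added example (not the post's solution), here is how the reauthentication challenge can be issued in ASP.NET Core 2.0 and, more importantly, how its result can be verified rather than trusted: `prompt=login` only asks the IdP for a fresh sign-in, so the handler reads `auth_time` from the returned id_token and fails the sign-in when it is missing or older than the app's limit. It assumes the id_token carries `auth_time` (an OpenID Connect Core claim; in Azure AD it is an optional claim that may need to be enabled for the app). `MaxAuthAge`, the `reauth` item key and `VaultController` are choices made for this example, and the authority and client id are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // How old a sign-in may be to still count as "fresh" for the sensitive action (example value)
    private static readonly TimeSpan MaxAuthAge = TimeSpan.FromMinutes(2);

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/<tenant-id>"; // placeholder
            options.ClientId = "<client-id>";                                   // placeholder
            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = context =>
                {
                    // Only the explicit reauthentication challenge asks for prompt=login
                    if (context.Properties.Items.ContainsKey("reauth"))
                        context.ProtocolMessage.Prompt = "login";
                    return Task.CompletedTask;
                },
                OnTokenValidated = context =>
                {
                    if (!context.Properties.Items.ContainsKey("reauth"))
                        return Task.CompletedTask;

                    // prompt=login is a request, not a guarantee: check when the IdP says
                    // the user actually signed in. Read the raw JWT claim, not context.Principal.
                    var authTime = context.SecurityToken.Claims
                        .FirstOrDefault(c => c.Type == JwtRegisteredClaimNames.AuthTime)?.Value;
                    if (authTime == null
                        || !long.TryParse(authTime, out var epochSeconds)
                        || DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(epochSeconds) > MaxAuthAge)
                    {
                        context.Fail("Identity provider did not perform a fresh sign-in");
                    }
                    return Task.CompletedTask;
                }
            };
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class VaultController : Controller
{
    // Step-up: send the already signed-in user back to the IdP before showing sensitive data
    [Authorize]
    public IActionResult Reauthenticate(string returnUrl = "/Vault/Secrets")
    {
        var properties = new AuthenticationProperties
        {
            RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"
        };
        properties.Items["reauth"] = "true"; // round-trips through the protected OIDC state parameter
        return Challenge(properties, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Reading the claim from `context.SecurityToken` rather than from `context.Principal` avoids both the inbound claim-type mapping and the handler's default claim deletions (the 2.0 OpenID Connect options drop a number of protocol claims, `auth_time` among them, from the identity). Because the `reauth` marker travels inside the handler's encrypted `state`, a sign-in that did not originate from the step-up challenge cannot claim to be one.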
When building a Line of Business (LOB) application, you are usually better off integrating with the customer’s current Identity Provider (IdP), which could be ADFS, Azure AD or another. The benefits are clear: users use a single account for all services and authenticate through a central point, they can be better protected by conditional access policies, and as a great bonus you can leverage the existing data, through Microsoft Graph for example. So while it is obvious why to use Single Sign-On in your application, a less discussed topic is Single Sign-Out (SLO).
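An added example (not the post's code) of sign-out in ASP.NET Core 2.0 against Azure AD that covers both directions: the app's own logout signs out of the cookie scheme and the OpenID Connect scheme together, so the browser is sent to the IdP's end_session endpoint instead of being silently signed back in on the next challenge; and `RemoteSignOutPath` gives the IdP a front-channel logout URL to hit when the user signs out elsewhere. The authority and client id are placeholders and `AccountController.Logout` is a hypothetical action.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/<tenant-id>"; // placeholder
            options.ClientId = "<client-id>";                                   // placeholder
            // Where the IdP sends the browser back after end_session; must be a registered reply URL
            options.SignedOutCallbackPath = "/signout-callback-oidc";
            options.SignedOutRedirectUri = "/";
            // Front-channel logout: register https://<app>/signout-oidc as the app's logout URL
            // in Azure AD so the local cookie is cleared when the user signs out elsewhere
            options.RemoteSignOutPath = "/signout-oidc";
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class AccountController : Controller
{
    // Signing out of the cookie scheme alone leaves the Azure AD session alive, so the next
    // challenge would sign the user straight back in. Sign out of both schemes.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        return SignOut(
            new AuthenticationProperties { RedirectUri = "/" },
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Both `SignedOutCallbackPath` and `RemoteSignOutPath` need to be known to the IdP (as a reply URL and as the application's logout URL respectively). One caveat a practitioner should check: whether the handler version in use correlates a request to `RemoteSignOutPath` with the local session (for example via the `sid` claim), because an endpoint that clears the cookie on any unauthenticated GET is a logout-CSRF vector. The app's own logout is a POST with an anti-forgery token for the same reason.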