Fixed JSON parsing.

Author: brandwe

.settings/launch.json

@@ -0,0 +1,33 @@
+{
+	"version": "0.1.0",
+	// List of configurations. Add new configurations or edit existing ones.  
+	// ONLY "node" and "mono" are supported, change "type" to switch.
+	"configurations": [
+		{
+			// Name of configuration; appears in the launch configuration drop down menu.
+			"name": "Launch server.js",
+			// Type of configuration. Possible values: "node", "mono".
+			"type": "node",
+			// Workspace relative or absolute path to the program.
+			"program": "server.js",
+			// Automatically stop program after launch.
+			"stopOnEntry": true,
+			// Command line arguments passed to the program.
+			"args": [],
+			// Workspace relative or absolute path to the working directory of the program being debugged. Default is the current workspace.
+			"cwd": ".",
+			// Workspace relative or absolute path to the runtime executable to be used. Default is the runtime executable on the PATH.
+			"runtimeExecutable": null,
+			// Environment variables passed to the program.
+			"env": { }
+		}, 
+		{
+			"name": "Attach",
+			"type": "node",
+			// TCP/IP address. Default is "localhost".
+			"address": "localhost",
+			// Port to attach to.
+			"port": 5858
+		}
+	]
+}

node-server/.settings/launch.json

@@ -0,0 +1,33 @@
+{
+	"version": "0.1.0",
+	// List of configurations. Add new configurations or edit existing ones.  
+	// ONLY "node" and "mono" are supported, change "type" to switch.
+	"configurations": [
+		{
+			// Name of configuration; appears in the launch configuration drop down menu.
+			"name": "Launch server.js",
+			// Type of configuration. Possible values: "node", "mono".
+			"type": "node",
+			// Workspace relative or absolute path to the program.
+			"program": "server.js",
+			// Automatically stop program after launch.
+			"stopOnEntry": true,
+			// Command line arguments passed to the program.
+			"args": [],
+			// Workspace relative or absolute path to the working directory of the program being debugged. Default is the current workspace.
+			"cwd": ".",
+			// Workspace relative or absolute path to the runtime executable to be used. Default is the runtime executable on the PATH.
+			"runtimeExecutable": null,
+			// Environment variables passed to the program.
+			"env": { }
+		}, 
+		{
+			"name": "Attach",
+			"type": "node",
+			// TCP/IP address. Default is "localhost".
+			"address": "localhost",
+			// Port to attach to.
+			"port": 5858
+		}
+	]
+}

node-server/lib/metadata.js

@@ -25,7 +25,7 @@ var async = require('async');
 // Logging
 
 var bunyan = require('bunyan');
-var log = bunyan.createLogger({name: 'Microsoft OpenID Connect Passport Strategy'});
+var log = bunyan.createLogger({name: 'Microsoft OpenID Connect: Passport Strategy: Metadata Parser'});
 
 var Metadata = function (url, authtype) {
 
@@ -40,7 +40,7 @@ var Metadata = function (url, authtype) {
   this.url = url;
   this.metadata = null;
   this.authtype = authtype;
-  log.info(authtype, 'Metadata requested for authentication type');
+  log.info('Metadata requested for authentication type', authtype);
 };
 
 Object.defineProperty(Metadata, 'url', {
@@ -104,14 +104,13 @@ Metadata.prototype.updateOidcMetadata = function(doc, next) {
   try {
     this.oidc = {};
 
-    var issuer = doc['issuer'];
-    var keyDescriptor = aadutils.getElement(idp[0], 'keys');
+    this.oidc.issuer = doc['issuer'];
+    this.oidc.keyURL = doc['jwks_uri'];
+    this.oidc.algorithm = doc['id_token_signing_alg_values_supported'];
+
+    log.info("algorithm we will use is: ", this.oidc.algorithm);
+    log.info("the Keys are located at: ", this.oidc.keyURL);
 
-    // copy the x509 certs from the metadata
-    this.oidc.certs = [];
-    for (var j=0;j<keyDescriptor.length;j++) {
-      this.oidc.certs.push(keyDescriptor[j].KeyInfo[0].X509Data[0].X509Certificate[0]);
-    }
     next(null);
   } catch (e) {
     next(new Error('Invalid Open ID Connect Federation Metadata ' + e.message));
@@ -160,12 +159,18 @@ Metadata.prototype.fetch = function(callback) {
         } else if(response.statusCode !== 200) {
           next(new Error("Error:" + response.statusCode +  " Cannot get AAD Federation metadata from " + self.url));
         } else {
-          log.info(body, "retreived");
+          log.info("***********");
+          log.info("");
+          log.info(body);
+          log.info("");
+          log.info("***********");
           next(null, body);
         }
       });
     },
     function(body, next){
+
+      log.info("Parsing metadata for authtype: " + self.authtype);
       // parse the AAD Federation metadata xml
 
       if(self.authtype == "saml" || self.authtype == "wsfed") {
@@ -177,34 +182,28 @@ Metadata.prototype.fetch = function(callback) {
         next(err);
 
       });
-    } else if(self.authtype == "oidc") {
-      log.info(body, "Parsing JSON retreived from the endpoint");
-      JSON.parse(body, function (err, data) {
-        self.metatdata = data;
-        next(err);
-      });
 
-    } else {
-
-       next(new Error("Error: No Authentication type specified to metadata parser. Valid types are saml, wsfed, or odic"));
-    }
+    } else if(self.authtype == "oidc") {
+      log.info("Parsing JSON retreived from the endpoint");
+      self.metadata =  JSON.parse(body);
 
-    },
+    } else { next(new Error("No Authentication type specified to metadata parser. Valid types are saml, wsfed, or odic")); }
 
+  },
     function(next){
-      if(self.authtype = "saml") {
+      if(self.authtype == "saml") {
       // update the SAML SSO endpoints and certs from the metadata
       self.updateSamlMetadata(self.metatdata, next);
     }},
     function(next){
-      if(self.authtype = "wsfed") {
+      if(self.authtype == "wsfed") {
       // update the SAML SSO endpoints and certs from the metadata
       self.updateWsfedMetadata(self.metatdata, next);
     }},
     function(next){
-      if(self.authtype = "oidc") {
+      if(self.authtype == "oidc") {
       self.updateOidcMetadata(self.metadata, next);
-    }},
+    }}
   ], function (err) {
     // return err or success (err === null) to callback
     callback(err);

node-server/lib/oidc_strategy.js

@@ -29,9 +29,56 @@ var jwt = require('jsonwebtoken');
 var request = require('request');
 var Metadata = require('./metadata').Metadata;
 
-var log = bunyan.createLogger({name: 'Microsoft OpenID Connect Passport Strategy'});
+var log = bunyan.createLogger({name: 'Microsoft OpenID Connect: Passport Strategy'});
+/**
+* Applications must supply a `verify` callback, for which the function
+* signature is:
+*
+*     function(token, done) { ... }
+*
+* `token` is the verified and decoded bearer token provided as a credential.
+* The verify callback is responsible for finding the user who posesses the
+* token, and invoking `done` with the following arguments:
+*
+*     done(err, user, info);
+*
+* If the token is not valid, `user` should be set to `false` to indicate an
+* authentication failure.  Additional token `info` can optionally be passed as
+* a third argument, which will be set by Passport at `req.authInfo`, where it
+* can be used by later middleware for access control.  This is typically used
+* to pass any scope associated with the token.
+*
+* Options:
+*
+*   - `realm`    authentication realm, defaults to "Users"
+*   - `scope`    list of scope values indicating the required scope of the
+*                access token for accessing the requested resource
+*   - `audience` if you want to check JWT audience (aud), provide a value here
+*   - `issuer`   if you want to check JWT issuer (iss), provide a value here
+*
+* Examples:
+*
+*     passport.use(new JwtBearerStrategy(
+*       secretOrPublicKey
+*       function(token, done) {
+*         User.findById(token.sub, function (err, user) {
+*           if (err) { return done(err); }
+*           if (!user) { return done(null, false); }
+*           return done(null, user, token);
+*         });
+*       }
+*     ));
+*
+* For further details on HTTP Bearer authentication, refer to [The OAuth 2.0 Authorization Protocol: Bearer Tokens](http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer)
+* For further details on JSON Web Token, refert to [JSON Web Token](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token)
+*
+* @param {object} options - The Options.
+* @param {Function} verify - The verify callback.
+* @constructor
+*/
+
+function Strategy(options, verify) {
 
-function Strategy(options, callback, verify) {
 
 // You can provide your own cert if you don't want to use Azure AD's certificate from our Identity servers (just in case you're using this for your own things!)
 
@@ -42,7 +89,7 @@ if(options.publicCert) {
 if(options.metadataurl) {
 
   log.info(options.metadataurl, 'metadata url provided to Strategy');
-  this.metadata = new Metadata(options.metadataurl, "odic");
+  this.metadata = new Metadata(options.metadataurl, "oidc");
 }
 
 if (!options.certificate && !options.metadataurl) {
@@ -51,77 +98,82 @@ if (!options.certificate && !options.metadataurl) {
  }
 
 
-if (typeof callback == 'function') {
-   verify = callback;
-//   callback = {};
- }
-
     // Passport requires a verify function
 
     if (!verify) {
       throw new TypeError('OIDCBearerStrategy requires a verify callback. Do not cheat!');
     }
 
-    this.metadata.fetch(callback);
-    log.info(this.metadata,'Metadata returned');
+    this.certs = [];
 
-function requestToUrl(callback) {
+    // Token validation settings. Hopefully most of these will be pulled from the metadata and this is not needed
 
-  async.waterfall([
-    function(next){
-      if(!this.metadata.saml0) {
-        this.metadata.fetch(next);
-        } else {
-          next(null);
-        }
-        target = "";
-        console.log(this.metadata);
-        }
-      ], function (err, target) {
-        return callback(err, target);
-      });
-    }
 
 
+// fetch metadata
 
+    if(this.metadata) {
+    this.metadata.fetch(function(err) {
+      if(err) {
+        log.warn('Error parsing metadata.', err);
+        return err;
+      } else {
+        log.info(this.metadata,'Metadata returned');
+        this.oidc = self.metadata.oidc;
+        this.keyURL = oidc.keyURL;
+        this.algothims = oidc.algorithm;
+      }
+    }); };
 
+  // fetch keys
 
 
 
+  var config = {
+ // The URL of the metadata document for your app. We will put the keys for token validation from the URL found in the jwks_uri tag of the in the metadata.
+algorithms: this.algorithms
 
+};
 
   function jwtVerify(req, token, done) {
   if (!options.passReqToCallback) {
     token = arguments[0];
     done = arguments[1];
     req = null;
+    log.info(token, 'was token going in to verification');
   }
 
-  requestToUrl(callback);
-  //  return pem.certToPEM(cert);
-  var PEMkey = "";
 
-  jwt.verify(token, PEMkey, options, function (err, token) {
-    if (err) {
-      if (err instanceof jwt.TokenExpiredError) {
-        log.warn('The access token provided to the server was expired');
-        done(null, false, 'The access token expired');
-      }
-      else if (err instanceof jwt.JsonWebTokenError) {
-        log.warn('Invalid token was provided to server: ' + err.message);
-        done(null, false, util.format('Invalid token (%s)', err.message));
+
+  var PEMkey = pem.certToPEM(this._oidc.certs[0]);
+  log.info(PEMkey, 'was the PEM returned');
+
+  jwt.verify(token, PEMkey, config, function (err, token) {
+      if (err) {
+        if (err instanceof jwt.TokenExpiredError) {
+          log.warn("Access token expired");
+          done(null, false, 'The access token expired');
+       }
+        else if (err instanceof jwt.JsonWebTokenError) {
+          log.warn("An error was received validating the token", err.message);
+         done(null, false, util.format('Invalid token (%s)', err.message));
+        }
+        else {
+          done(err, false);
+        }
       }
+
       else {
-        done(err, false);
-      }
-    } else {
+      log.info(token, 'was token going out of verification');
       if (options.passReqToCallback) {
+        log.info("We did pass Req back to Callback")
         verify(req, token, done);
       } else {
+        log.info("We did not pass Req back to Callback")
         verify(token, done);
       }
     }
-  });
+    });
 }
 
 

node-server/lib/validator.js

@@ -22,7 +22,7 @@
 // Logging
 
 var bunyan = require('bunyan');
-var log = bunyan.createLogger({name: 'Microsoft OpenID Connect Passport Strategy'});
+var log = bunyan.createLogger({name: 'Microsoft OpenID Connect Passport Strategy Validator'});
 
 var types = {};