Enable authentication in your own Node.js web API by using Azure Active Directory B2C

In this article, you learn how to create your web app that calls your web API. The web API needs to be protected by Azure Active Directory B2C (Azure AD B2C). To authorize access to a the web API, you serve requests that include a valid access token that's issued by Azure AD B2C.

Prerequisites

• Before you begin read and complete the steps in the Configure authentication in a sample Node.js web API by using Azure AD B2C. Then, follow the steps in this article to replace the sample web app and web API with your own web API.

• Visual Studio Code, or another code editor

• Node.js runtime

Step 1: Create a protected web API

Follow these steps to create your Node.js web API.

Step 1.1: Create the project

Use Express for Node.js to build a web API. To create a web API, do the following:

1. Create a new folder named TodoList.
2. Under the TodoList folder, create a file named index.js.
3. In a command shell, run npm init -y. This command creates a default package.json file for your Node.js project.
4. In the command shell, run npm install express. This command installs the Express framework.

Step 1.2: Install dependencies

Add the authentication library to your web API project. The authentication library parses the HTTP authentication header, validates the token, and extracts claims. For more information, review the documentation for the library.

To add the authentication library, install the packages by running the following command:

npm install passport
npm install passport-azure-ad
npm install morgan

The morgan package is an HTTP request logger middleware for Node.js.

Step 1.3: Write the web API server code

In the index.js file, add the following code:

const express = require('express');
const morgan = require('morgan');
const passport = require('passport');
const config = require('./config.json');
const todolist = require('./todolist');
const cors = require('cors');

//<ms_docref_import_azuread_lib>
const BearerStrategy = require('passport-azure-ad').BearerStrategy;
//</ms_docref_import_azuread_lib>

global.global_todos = [];

//<ms_docref_azureadb2c_options>
const options = {
    identityMetadata: `https://${config.credentials.tenantName}.b2clogin.com/${config.credentials.tenantName}.onmicrosoft.com/${config.policies.policyName}/${config.metadata.version}/${config.metadata.discovery}`,
    clientID: config.credentials.clientID,
    audience: config.credentials.clientID,
    policyName: config.policies.policyName,
    isB2C: config.settings.isB2C,
    validateIssuer: config.settings.validateIssuer,
    loggingLevel: config.settings.loggingLevel,
    passReqToCallback: config.settings.passReqToCallback
}

//</ms_docref_azureadb2c_options>

//<ms_docref_init_azuread_lib>
const bearerStrategy = new BearerStrategy(options, (token, done) => {
        // Send user info using the second argument
        done(null, { }, token);
    }
);
//</ms_docref_init_azuread_lib>
const app = express();

app.use(express.json()); 

//enable CORS (for testing only -remove in production/deployment)
app.use((req, res, next) => {
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Headers', 'Authorization, Origin, X-Requested-With, Content-Type, Accept');
    next();
});

app.use(morgan('dev'));

app.use(passport.initialize());

passport.use(bearerStrategy);

// To do list endpoints
app.use('/api/todolist', todolist);

//<ms_docref_protected_api_endpoint>
// API endpoint, one must present a bearer accessToken to access this endpoint
app.get('/hello',
    passport.authenticate('oauth-bearer', {session: false}),
    (req, res) => {
        console.log('Validated claims: ', req.authInfo);
    
          
        // Service relies on the name claim.  
        res.status(200).json({'name': req.authInfo['name']});
    }
);
//</ms_docref_protected_api_endpoint>

//<ms_docref_anonymous_api_endpoint>
// API anonymous endpoint, returns a date to the caller.
app.get('/public', (req, res) => res.send( {'date': new Date() } ));
//</ms_docref_anonymous_api_endpoint>

const port = process.env.PORT || 5000;

app.listen(port, () => {
    console.log('Listening on port ' + port);
});

Take note of the following code snippets in the index.jsfile:

• Imports the passport Microsoft Entra library

  const BearerStrategy = require('passport-azure-ad').BearerStrategy;
  

• Sets the Azure AD B2C options

  const options = {
      identityMetadata: `https://${config.credentials.tenantName}.b2clogin.com/${config.credentials.tenantName}.onmicrosoft.com/${config.policies.policyName}/${config.metadata.version}/${config.metadata.discovery}`,
      clientID: config.credentials.clientID,
      audience: config.credentials.clientID,
      policyName: config.policies.policyName,
      isB2C: config.settings.isB2C,
      validateIssuer: config.settings.validateIssuer,
      loggingLevel: config.settings.loggingLevel,
      passReqToCallback: config.settings.passReqToCallback
  }
  

• Instantiate the passport Microsoft Entra library with the Azure AD B2C options

  const bearerStrategy = new BearerStrategy(options, (token, done) => {
          // Send user info using the second argument
          done(null, { }, token);
      }
  );
  

• The protected API endpoint. It serves requests that include a valid Azure AD B2C-issued access token. This endpoint returns the value of the name claim within the access token.

  // API endpoint, one must present a bearer accessToken to access this endpoint
  app.get('/hello',
      passport.authenticate('oauth-bearer', {session: false}),
      (req, res) => {
          console.log('Validated claims: ', req.authInfo);
      
            
          // Service relies on the name claim.  
          res.status(200).json({'name': req.authInfo['name']});
      }
  );
  

• The anonymous API endpoint. The web app can call it without presenting an access token. Use it to debug your web API with anonymous calls.

  // API anonymous endpoint, returns a date to the caller.
  app.get('/public', (req, res) => res.send( {'date': new Date() } ));
  

Step 1.4: Configure the web API

Add configurations to a configuration file. The file contains information about your Azure AD B2C identity provider. The web API app uses this information to validate the access token that the web app passes as a bearer token.

1. Under the project root folder, create a config.json file, and then add to it the following JSON object:

   {
       "credentials": {
           "tenantName": "fabrikamb2c",
           "clientID": "93733604-cc77-4a3c-a604-87084dd55348"
       },
       "policies": {
           "policyName": "B2C_1_susi"
       },
       "resource": {
           "scope": ["tasks.read"]
       },
       "metadata": {
           "authority": "login.microsoftonline.com",
           "discovery": ".well-known/openid-configuration",
           "version": "v2.0"
       },
       "settings": {
           "isB2C": true,
           "validateIssuer": true,
           "passReqToCallback": false,
           "loggingLevel": "info"
       }
   }
   

2. In the config.json file, update the following properties:

Section	Key	Value
credentials	tenantName	The first part of your Azure AD B2C tenant name (for example, fabrikamb2c).
credentials	clientID	The web API application ID. To learn how to get your web API application registration ID, see Prerequisites.
policies	policyName	The user flows, or custom policy. To learn how to get your user flow or policy, see Prerequisites.
resource	scope	The scopes of your web API application registration such as [tasks.read]. To learn how to get your web API scope, see Prerequisites.

Step 2: Create the web Node web application

Follow these steps to create the Node web app. This web app authenticates a user to acquire an access token that is used to call the Node web API you created in step 1:

Step 2.1: Create the node project

Create a folder to hold your node application, such as call-protected-api.

1. In your terminal, change directory into your node app folder, such as cd call-protected-api, and run npm init -y. This command creates a default package.json file for your Node.js project.

2. In your terminal, run npm install express. This command installs the Express framework.

3. Create more folders and files to achieve the following project structure:

   call-protected-api/
   ├── index.js
   └── package.json
   └── .env
   └── views/
       └── layouts/
           └── main.hbs
       └── signin.hbs
       └── api.hbs
   

   The views folder contains handlebars files for the web app's UI.

Step 2.2: Install the dependencies

In your terminal, install the dotenv, express-handlebars, express-session, and @azure/msal-node packages by running the following commands:

npm install dotenv
npm install express-handlebars
npm install express
npm install axios
npm install express-session
npm install @azure/msal-node

Step 2.3: Build web app UI components

1. In the main.hbs file, add the following code:

   <!DOCTYPE html>
   <html lang="en">
     <head>
       <meta charset="UTF-8">
       <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
       <title>Azure AD B2C | Enable authenticate on web API using MSAL for B2C</title>
   
       <!-- adding Bootstrap 4 for UI components  -->
       <!-- CSS only -->
       <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
       <link rel="SHORTCUT ICON" href="https://c.s-microsoft.com/favicon.ico?v2" type="image/x-icon">
     </head>
     <body>
       <nav class="navbar navbar-expand-lg navbar-dark bg-primary">
         <a class="navbar-brand" href="/">Microsoft Identity Platform</a>
           {{#if showSignInButton}}
               <div class="ml-auto">
                   <a type="button" id="SignIn" class="btn btn-success" href="/signin" aria-haspopup="true" aria-expanded="false">
                       Sign in to call PROTECTED API
                   </a>
                   <a type="button" id="SignIn" class="btn btn-warning" href="/api" aria-haspopup="true" aria-expanded="false">
                       Or call the ANONYMOUS API 
                    </a>
               </div>
           {{else}}
                   <p class="navbar-brand d-flex ms-auto">Hi {{givenName}}</p>
                   <a class="navbar-brand d-flex ms-auto" href="/signout">Sign out</a>
           {{/if}}
       </nav>
       <br>
       <h5 class="card-header text-center">MSAL Node Confidential Client application with Auth Code Flow</h5>
       <br>
       <div class="row" style="margin:auto" >
         {{{body}}}
       </div>
       <br>
       <br>
     </body>
   </html>
   

   The main.hbs file is in the layout folder and it should contain any HTML code that is required throughout your application. It implements UI built with the Bootstrap 5 CSS Framework. Any UI that changes from page to page, such as signin.hbs, is placed in the placeholder shown as {{{body}}}.

2. In the signin.hbs file, add the following code:

   <div class="col-md-3" style="margin:auto">
     <div class="card text-center">
       <div class="card-body">
         {{#if showSignInButton}}
   
         {{else}}
              <h5 class="card-title">You have signed in</h5>
             <a type="button" id="Call-api" class="btn btn-success" href="/api" aria-haspopup="true" aria-expanded="false">
                 Call the PROTECTED API
             </a>
         {{/if}}
       </div>
       </div>
     </div>
   </div>
   

3. In the api.hbs file, add the following code:

   <div class="col-md-3" style="margin:auto">
     <div class="card text-center bg-{{bg_color}}">
       <div class="card-body">
   
             <h5 class="card-title">{{data}}</h5>
   
       </div>
     </div>
   </div>
   

   This page displays the response from the API. The bg-{{bg_color}} class attribute in Bootstrap's card enables the UI to display a different background color for the different API endpoints.

Step 2.4: Complete web application server code

1. In the .env file, add the following code, which includes server http port, app registration details, and sign in and sign up user flow/policy details:

   SERVER_PORT=3000
   #web apps client ID
   APP_CLIENT_ID=<You app client ID here>
   #session secret
   SESSION_SECRET=sessionSecretHere
   #web app client secret
   APP_CLIENT_SECRET=<Your app client secret here>
   #tenant name
   TENANT_NAME=<your-tenant-name>
   #B2C sign up and sign in user flow/policy name and authority
   SIGN_UP_SIGN_IN_POLICY_AUTHORITY=https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<sign-in-sign-up-user-flow-name>
   AUTHORITY_DOMAIN=https://<your-tenant-name>.b2clogin.com
   #client redorect url
   APP_REDIRECT_URI=http://localhost:3000/redirect
   LOGOUT_ENDPOINT=https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<sign-in-sign-up-user-flow-name>/oauth2/v2.0/logout?post_logout_redirect_uri=http://localhost:3000
   

   Modify the values in the .env files as explained in Configure the sample web app

2. In your index.js file, add the following code:

   /*
    * Copyright (c) Microsoft Corporation. All rights reserved.
    * Licensed under the MIT License.
    */
   require('dotenv').config();
   const express = require('express');
   const session = require('express-session');
   const {engine}  = require('express-handlebars');
   const msal = require('@azure/msal-node');
   //Use axios to make http calls 
   const axios = require('axios');
   
   //<ms_docref_configure_msal>
   /**
    * Confidential Client Application Configuration
    */
    const confidentialClientConfig = {
       auth: {
           clientId: process.env.APP_CLIENT_ID, 
           authority: process.env.SIGN_UP_SIGN_IN_POLICY_AUTHORITY, 
           clientSecret: process.env.APP_CLIENT_SECRET,
           knownAuthorities: [process.env.AUTHORITY_DOMAIN], //This must be an array
           redirectUri: process.env.APP_REDIRECT_URI,
           validateAuthority: false
       },
       system: {
           loggerOptions: {
               loggerCallback(loglevel, message, containsPii) {
                   console.log(message);
               },
               piiLoggingEnabled: false,
               logLevel: msal.LogLevel.Verbose,
           }
       }
   };
   
   // Initialize MSAL Node
   const confidentialClientApplication = new msal.ConfidentialClientApplication(confidentialClientConfig);
   //</ms_docref_configure_msal>
   // Current web API coordinates were pre-registered in a B2C tenant.
   
   //<ms_docref_api_config>
   const apiConfig = {
       webApiScopes: [`https://${process.env.TENANT_NAME}.onmicrosoft.com/tasks-api/tasks.read`],
       anonymousUri: 'http://localhost:5000/public',
       protectedUri: 'http://localhost:5000/hello'
   };
   //</ms_docref_api_config>
   
   /**
    * The MSAL.js library allows you to pass your custom state as state parameter in the Request object
    * By default, MSAL.js passes a randomly generated unique state parameter value in the authentication requests.
    * The state parameter can also be used to encode information of the app's state before redirect. 
    * You can pass the user's state in the app, such as the page or view they were on, as input to this parameter.
    * For more information, visit: https://docs.microsoft.com/azure/active-directory/develop/msal-js-pass-custom-state-authentication-request
    */
   const APP_STATES = {
       LOGIN: 'login',
       CALL_API:'call_api'   
   }
   
   
   /** 
    * Request Configuration
    * We manipulate these two request objects below 
    * to acquire a token with the appropriate claims.
    */
    const authCodeRequest = {
       redirectUri: confidentialClientConfig.auth.redirectUri,
   };
   
   const tokenRequest = {
       redirectUri: confidentialClientConfig.auth.redirectUri,
   };
   
   
   /**
    * Using express-session middleware. Be sure to familiarize yourself with available options
    * and set them as desired. Visit: https://www.npmjs.com/package/express-session
    */
    const sessionConfig = {
       secret: process.env.SESSION_SECRET,
       resave: false,
       saveUninitialized: false,
       cookie: {
           secure: false, // set this to true on production
       }
   }
   //Create an express instance
   const app = express();
   
   //Set handlebars as your view engine
   app.engine('.hbs', engine({extname: '.hbs'}));
   app.set('view engine', '.hbs');
   app.set("views", "./views");
   
   app.use(session(sessionConfig));
   
   /**
    * This method is used to generate an auth code request
    * @param {string} authority: the authority to request the auth code from 
    * @param {array} scopes: scopes to request the auth code for 
    * @param {string} state: state of the application, tag a request
    * @param {Object} res: express middleware response object
    */
   
    const getAuthCode = (authority, scopes, state, res) => {
       // prepare the request
       console.log("Fetching Authorization code")
       authCodeRequest.authority = authority;
       authCodeRequest.scopes = scopes;
       authCodeRequest.state = state;
   
       //Each time you fetch Authorization code, update the authority in the tokenRequest configuration
       tokenRequest.authority = authority;
   
       // request an authorization code to exchange for a token
       return confidentialClientApplication.getAuthCodeUrl(authCodeRequest)
           .then((response) => {
               console.log("\nAuthCodeURL: \n" + response);
               //redirect to the auth code URL/send code to 
               res.redirect(response);
           })
           .catch((error) => {
               res.status(500).send(error);
           });
   }
   
   app.get('/', (req, res) => {
       res.render('signin', { showSignInButton: true });
   });
   
   
   
   app.get('/signin',(req, res)=>{ 
           //Initiate a Auth Code Flow >> for sign in
           //Pass the api scopes as well so that you received both the IdToken and accessToken
           getAuthCode(process.env.SIGN_UP_SIGN_IN_POLICY_AUTHORITY,apiConfig.webApiScopes, APP_STATES.LOGIN, res);
   });
   
   
   app.get('/redirect',(req, res)=>{    
       
       if (req.query.state === APP_STATES.LOGIN) {
           // prepare the request for calling the web API
           tokenRequest.authority = process.env.SIGN_UP_SIGN_IN_POLICY_AUTHORITY;
           tokenRequest.scopes = apiConfig.webApiScopes;
           tokenRequest.code = req.query.code;
           confidentialClientApplication.acquireTokenByCode(tokenRequest)
           .then((response) => {
               req.session.accessToken = response.accessToken;
               req.session.givenName = response.idTokenClaims.given_name;
               console.log('\nAccessToken:' + req.session.accessToken);
               res.render('signin', {showSignInButton: false, givenName: response.idTokenClaims.given_name});
           }).catch((error) => {
               console.log(error);
               res.status(500).send(error);
           });
       }else{
           res.status(500).send('We do not recognize this response!');
       }
   });
   
   //<ms_docref_api_express_route>
   app.get('/api', async (req, res) => {
       if(!req.session.accessToken){
           //User is not logged in and so they can only call the anonymous API
           try {
               const response = await axios.get(apiConfig.anonymousUri);
               console.log('API response' + response.data); 
               res.render('api',{data: JSON.stringify(response.data), showSignInButton: true, bg_color:'warning'});
           } catch (error) {
               console.error(error);
               res.status(500).send(error);
           }         
       }else{
           //Users have the accessToken because they signed in and the accessToken is still in the session
           console.log('\nAccessToken:' + req.session.accessToken);
           let accessToken = req.session.accessToken;
           const options = {
               headers: {
                   //accessToken used as bearer token to call a protected API
                   Authorization: `Bearer ${accessToken}`
               }
           };
   
           try {
               const response = await axios.get(apiConfig.protectedUri, options);
               console.log('API response' + response.data); 
               res.render('api',{data: JSON.stringify(response.data), showSignInButton: false, bg_color:'success', givenName: req.session.givenName});
           } catch (error) {
               console.error(error);
               res.status(500).send(error);
           }
       }     
   });
   
   //</ms_docref_api_express_route>
   
   /**
    * Sign out end point
   */
   app.get('/signout',async (req, res)=>{    
       logoutUri = process.env.LOGOUT_ENDPOINT;
       req.session.destroy(() => {
           res.redirect(logoutUri);
       });
   });
   app.listen(process.env.SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port !` + process.env.SERVER_PORT));
   

   The code in the index.js file consists of global variables and express routes.

   Global variables:

   • confidentialClientConfig: The MSAL configuration object, which is used to create the confidential client application object.

     /**
      * Confidential Client Application Configuration
      */
      const confidentialClientConfig = {
         auth: {
             clientId: process.env.APP_CLIENT_ID, 
             authority: process.env.SIGN_UP_SIGN_IN_POLICY_AUTHORITY, 
             clientSecret: process.env.APP_CLIENT_SECRET,
             knownAuthorities: [process.env.AUTHORITY_DOMAIN], //This must be an array
             redirectUri: process.env.APP_REDIRECT_URI,
             validateAuthority: false
         },
         system: {
             loggerOptions: {
                 loggerCallback(loglevel, message, containsPii) {
                     console.log(message);
                 },
                 piiLoggingEnabled: false,
                 logLevel: msal.LogLevel.Verbose,
             }
         }
     };
     
     // Initialize MSAL Node
     const confidentialClientApplication = new msal.ConfidentialClientApplication(confidentialClientConfig);
     

   • apiConfig: Contains webApiScopes property (it's value must be an array), which is the scopes configured in the web API, and granted to the web app. It also has URIs to the web API to be called, that is anonymousUri and protectedUri.

     const apiConfig = {
         webApiScopes: [`https://${process.env.TENANT_NAME}.onmicrosoft.com/tasks-api/tasks.read`],
         anonymousUri: 'http://localhost:5000/public',
         protectedUri: 'http://localhost:5000/hello'
     };
     

   • APP_STATES: A value included in the request that's also returned in the token response. Used to differentiate between responses received from Azure AD B2C.

   • authCodeRequest: The configuration object used to retrieve authorization code.

   • tokenRequest: The configuration object used to acquire a token by authorization code.

   • sessionConfig: The configuration object for express session.

   • getAuthCode: A method that creates the URL of the authorization request, letting the user input credentials and consent to the application. It uses the getAuthCodeUrl method, which is defined in the ConfidentialClientApplication class.

   Express routes:

   • /:
     • It's the entry to the web app, and renders the signin page.
   • /signin:
     • Signs in the user.
     • Calls getAuthCode() method and passes the authority for Sign in and sign up user flow/policy, APP_STATES.LOGIN, and apiConfig.webApiScopes to it.
     • It causes the end user to be challenged to enter their logins, or if the user doesn't have an account, they can sign up.
     • The final response resulting from this endpoint includes an authorization code from B2C posted back to the /redirect endpoint.
   • /redirect:
     • It's the endpoint set as Redirect URI for the web app in Azure portal.
     • It uses the state query parameter in Azure AD B2C's response, to differentiate between requests that are made from the web app.
     • If the app state is APP_STATES.LOGIN, the authorization code acquired is used to retrieve a token using the acquireTokenByCode() method. When requesting for a token using acquireTokenByCode method, you use the same scopes used while acquiring the authorization code. The acquired token includes an accessToken, idToken, and idTokenClaims. After you acquire the accessToken, you put it in a session for later use in to call the web API.
   • /api:
     • Calls the web API.
     • If the accessToken isn't in the session, call the anonymous API endpoint (http://localhost:5000/public), otherwise, call the protected API endpoint (http://localhost:5000/hello).
   • /signout:
     • Signs out the user.
     • clears the web app session is and makes an http call to the Azure AD B2C logout endpoint.

Step 3: Run the web app and API

Follow the steps in Run the web app and API to test your web app and web API.

Next steps

• Secure an Azure API Management API with Azure AD B2C