Skip to content

README.md

Latest commit

 

History

History
320 lines (228 loc) · 23 KB

README.md

File metadata and controls

320 lines (228 loc) · 23 KB

Node.js & Express web app using Security Groups to implement Role-Based Access Control

  1. Overview
  2. Scenario
  3. Contents
  4. Prerequisites
  5. Setup
  6. Registration
  7. Running the sample
  8. Explore the sample
  9. About the code
  10. More information
  11. Community Help and Support
  12. Contributing

Overview

This sample demonstrates a Node.js & Express web app featuring a todo list and secured with the Microsoft Authentication Library for Node.js (MSAL Node). The app implements Role-based Access Control (RBAC) by using Azure AD Security Groups. In the sample, users in TaskUser role can perform CRUD operations on their todolist, while users in TaskAdmin role can see all other users' tasks.

Access control in Azure AD can be done with App Roles as well, as we covered in the previous tutorial. Security Groups and App Roles in Azure AD are by no means mutually exclusive - they can be used in tandem to provide even finer grained access control.

ℹ️ Check out the recorded session on this topic: An introduction to Microsoft Graph for developers

Scenario

  1. The client application uses MSAL Node (via msal-express-wrapper) to sign-in a user and obtain an ID Token from Azure AD.
  2. The ID Token contains the groups claim that is used to control access to protected routes.

Overview

Contents

File/folder Description
AppCreationScripts/ Contains Powershell scripts to automate app registration.
ReadmeFiles/ Contains illustrations and screenshots.
App/appSettings.json Authentication parameters and settings.
App/data/cache.json Stores MSAL Node token cache data.
App/data/db.json Stores todo list data.
App/app.js Application entry point.

Prerequisites

  • Node.js must be installed to run this sample.
  • Visual Studio Code is recommended for running and editing this sample.
  • VS Code Azure Tools extension is recommended for interacting with Azure through VS Code Interface.
  • A modern web browser. This sample uses ES6 conventions and will not run on Internet Explorer.
  • An Azure AD tenant. For more information, see: How to get an Azure AD tenant
  • A user account in your Azure AD tenant. This sample will not work with a personal Microsoft account. If you're signed in to the Azure portal with a personal Microsoft account and have not created a user account in your directory before, you will need to create one before proceeding.

Setup

Step 1: Clone or download this repository

From your shell or command line:

    git clone https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial.git

or download and extract the repository .zip file.

⚠️ To avoid path length limitations on Windows, we recommend cloning into a directory near the root of your drive.

Step 2: Install project dependencies

    cd 4-AccessControl/2-security-groups/App
    npm install

Registration

There is one project in this sample. To register it, you can:

  • follow the steps below for manually register your apps
  • or use PowerShell scripts that:
    • automatically creates the Azure AD applications and related objects (passwords, permissions, dependencies) for you.
    • modify the projects' configuration files.
Expand this section if you want to use this automation:

⚠️ If you have never used Azure AD Powershell before, we recommend you go through the App Creation Scripts once to ensure that your environment is prepared correctly for this step.

  1. On Windows, run PowerShell as Administrator and navigate to the root of the cloned directory

  2. If you have never used Azure AD Powershell before, we recommend you go through the App Creation Scripts once to ensure that your environment is prepared correctly for this step.

  3. In PowerShell run:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

  4. Run the script to create your Azure AD application and configure the code of the sample application accordingly.

  5. In PowerShell run:

    cd .\AppCreationScripts\
.\Configure.ps1

    Other ways of running the scripts are described in App Creation Scripts The scripts also provide a guide to automated application registration, configuration and removal which can help in your CI/CD scenarios.

Choose the Azure AD tenant where you want to create your applications

  1. Sign in to the Azure portal.
  2. If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory to change your portal session to the desired Azure AD tenant.

Register the client app (msal-node-webapp)

  1. Navigate to the Azure portal and select the Azure AD service.
  2. Select the App Registrations blade on the left, then select New registration.
  3. In the Register an application page that appears, enter your application's registration information:
    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example msal-node-webapp.
    • Under Supported account types, select Accounts in this organizational directory only.
    • In the Redirect URI (optional) section, select Web in the combo-box and enter the following redirect URI: http://localhost:4000/redirect.
  4. Select Register to create the application.
  5. In the app's registration screen, find and note the Application (client) ID. You use this value in your app's configuration file(s) later in your code.
  6. Select Save to save your changes.
  7. In the app's registration screen, select the Certificates & secrets blade in the left to open the page where you can generate secrets and upload certificates.
  8. In the Client secrets section, select New client secret:
    • Type a key description (for instance app secret),
    • Select one of the available key durations (6 months, 12 months or Custom) as per your security posture.
    • The generated key value will be displayed when you select the Add button. Copy and save the generated value for use in later steps.
    • You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade.
  9. In the app's registration screen, select the API permissions blade in the left to open the page where we add access to the APIs that your application needs.
    • Select the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected.
    • In the Commonly used Microsoft APIs section, select Microsoft Graph
    • In the Delegated permissions section, select the User.Read, GroupMember.Read.All in the list. Use the search box if necessary.
    • Select the Add permissions button at the bottom.
    • Finally, grant admin consent for these scopes (required to handle the overage scenario)

Configure the client app (msal-node-webapp) to use your app registration

Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

  1. Open the App\appSettings.js file.
  2. Find the key clientId and replace the existing value with the application ID (clientId) of msal-node-webapp app copied from the Azure portal.
  3. Find the key tenantId and replace the existing value with your Azure AD tenant ID.
  4. Find the key clientSecret and replace the existing value with the key you saved during the creation of msal-node-webapp copied from the Azure portal.
  5. Find the key redirect and replace the existing value with the redirect URI for msal-node-webapp. (by default http://localhost:4000/redirect).

Create Security Groups

  1. Navigate to the Azure portal and select the Azure AD service.
  2. Select Groups blade on the left.
  3. In the Groups blade, select New Group.
    • For Group Type, select Security
    • For Group Name, enter GroupAdmin
    • For Group Description, enter Admin Security Group
    • Add Group Owners and Group Members as you see fit.
    • Select Create.
  4. In the Groups blade, select New Group.
    • For Group Type, select Security
    • For Group Name, enter GroupMember
    • For Group Description, enter User Security Group
    • Add Group Owners and Group Members as you see fit.
    • Select Create.

For more information, visit: Create a basic group and add members using Azure AD

Configure Security Groups

You have two different options available to you on how you can further configure your application to receive the groups claim.

  1. Receive all the groups that the signed-in user is assigned to in an Azure AD tenant, included nested groups.
  2. Receive the groups claim values from a filtered set of groups that your application is programmed to work with (Not available in the Azure AD Free edition).

To get the on-premise group's samAccountName or On Premises Group Security Identifier instead of Group ID, please refer to the document Configure group claims for applications with Azure Active Directory.

Configure your application to receive all the groups the signed-in user is assigned to, including nested groups

  1. In the app's registration screen, select the Token Configuration blade in the left to open the page where you can configure the claims provided tokens issued to your application.
  2. Select the Add groups claim button on top to open the Edit Groups Claim screen.
  3. Select Security groups or the All groups (includes distribution lists but not groups assigned to the application) option. Choosing both negates the effect of Security Groups option.
  4. Under the ID section, select Group ID. This will result in Azure AD sending the object id of the groups the user is assigned to in the groups claim of the ID Token that your app receives after signing-in a user.

Configure your application to receive the groups claim values from a filtered set of groups a user may be assigned to

Prerequisites, benefits and limitations of using this option
  1. This option is useful when your application is interested in a selected set of groups that a signing-in user may be assigned to and not every security group this user is assigned to in the tenant. This option also saves your application from running into the overage issue.
  2. This feature is not available in the Azure AD Free edition.
  3. Nested group assignments are not available when this option is utilized.
Steps to enable this option in your app
  1. In the app's registration screen, select the Token Configuration blade in the left to open the page where you can configure the claims provided tokens issued to your application.
  2. Select the Add groups claim button on top to open the Edit Groups Claim screen.
  3. Select Groups assigned to the application.
    1. Choosing additional options like Security Groups or All groups (includes distribution lists but not groups assigned to the application) will negate the benefits your app derives from choosing to use this option.
  4. Under the ID section, select Group ID. This will result in Azure AD sending the object id of the groups the user is assigned to in the groups claim of the ID Token that your app receives after signing-in a user.
  5. If you are exposing a Web API using the Expose an API option, then you can also choose the Group ID option under the Access section. This will result in Azure AD sending the Object ID of the groups the user is assigned to in the groups claim of the Access Token issued to the client applications of your API.
  6. In the app's registration screen, select on the Overview blade in the left to open the Application overview screen. Select the hyperlink with the name of your application in Managed application in local directory (note this field title can be truncated for instance Managed application in ...). When you select this link you will navigate to the Enterprise Application Overview page associated with the service principal for your application in the tenant where you created it. You can navigate back to the app registration page by using the back button of your browser.
  7. Select the Users and groups blade in the left to open the page where you can assign users and groups to your application.
    1. Select the Add user button on the top row.
    2. Select User and Groups from the resultant screen.
    3. Choose the groups that you want to assign to this application.
    4. Click Select in the bottom to finish selecting the groups.
    5. Select Assign to finish the group assignment process.
    6. Your application will now receive these selected groups in the groups claim when a user signing in to your app is a member of one or more these assigned groups.
  8. Select the Properties blade in the left to open the page that lists the basic properties of your application.Set the User assignment required? flag to Yes.

💡 Important security tip

When you set User assignment required? to Yes, Azure AD will check that only users assigned to your application in the Users and groups blade are able to sign-in to your app. You can assign users directly or by assigning security groups they belong to.

Running the sample

    cd 4-AccessControl/1-security-groups/App
    npm start

Explore the sample

  1. Open your browser and navigate to http://localhost:4000.
  2. Sign-in using the button on top-right.
  3. Click on the TodoList button to access your (the signed-in user's) todo list.
  4. If the signed-in user has the right privileges (i.e. in the right "role"), click on the Dashboard button to access every users' todo list.
  5. If the signed-in user does not have the right privileges, clicking on the Dashboard will give an error.

ℹ️ Did the sample not work for you as expected? Then please reach out to us using the GitHub Issues page.

We'd love your feedback!

Were we successful in addressing your learning objective? Consider taking a moment to share your experience with us.

About the code

Implementing role-based access control

In appSettings.js, we create an access matrix that defines the required roles and allowed HTTP methods for each route that we like to grant role-based access:

{    
    "accessMatrix": {
        "todolist": {
            "methods": ["GET", "POST", "DELETE"],
            "groups": ["219823", "21222"]
        },
        "dashboard": {
            "methods": ["GET"],
            "groups": ["219823"]
        }
    }
}

Then, in router.js, we create an instance of the AuthProvider class with the appSettings.json passed in constructor. The authProvider object exposes the middleware we can use to protect our app routes:



Under the hood, msal-express-wrapper hasAccess middleware checks the signed-in user's ID token's roles claim to determine whether she has access to this route given the access matrix provided in appSettings.json:




The Groups Overage Claim


To ensure that the token size doesn’t exceed HTTP header size limits, the Microsoft Identity Platform limits the number of object Ids that it includes in the groups claim.


If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens, 6 for single-page applications), then the Microsoft identity platform does not emit the group IDs in the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the MS Graph API to retrieve the user’s group membership.




We strongly advise you use the group filtering feature (if possible) to avoid running into group overages.




Create the Overage Scenario for testing


    

  1. You can use the BulkCreateGroups.ps1 provided in the App Creation Scripts folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. Remember to change the user's objectId provided in the BulkCreateGroups.ps1 script.
    2. 



When attending to overage scenarios, which requires a call to Microsoft Graph to read the signed-in user's group memberships, your app will need to have the User.Read and GroupMember.Read.All for the getMemberGroups function to execute successfully.




⚠️ For the overage scenario, make sure you have granted Admin Consent for the MS Graph API's GroupMember.Read.All scope (see the App Registration steps above).




More information


Configure your application:



Learn more about the Microsoft identity platform:



For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.


Community Help and Support


Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [azure-active-directory nodejs ms-identity adal msal].


If you find a bug in the sample, raise the issue on GitHub Issues.


To provide feedback on or suggest features for Azure Active Directory, visit User Voice page.


Contributing


If you'd like to contribute to this sample, see CONTRIBUTING.MD.


This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.