passport-entra 0.0.1

package/dist/passport-entra.d.ts

@@ -0,0 +1,39 @@
+import { Strategy } from 'passport';
+import { createRemoteJWKSet } from 'jose';
+import type { Request } from 'express';
+export interface OauthBearerOptions {
+    audience?: string | string[];
+    clientID: string;
+    clockSkew?: string | number;
+    identityMetadata: string;
+    issuer: string | string[];
+    scope?: string[];
+}
+type VerifyCallback = (token: object, done: AuthenticateCallback) => void;
+export type AuthenticateCallback = (err: unknown, user?: Express.User | false | null, info?: object, status?: number | number[]) => void;
+/**
+ * Bearerstrategy for password.js, used with Microsoft Entra as identity provider
+ */
+export default class BearerStrategy extends Strategy {
+    /** aud claim check  */
+    audience: string[];
+    /** clientID to check */
+    clientID: string;
+    /** clockSkew allowed when checking nbf and exp */
+    clockSkew: string | number;
+    /** well known oid-configuration endpoint */
+    identityMetadata: string;
+    /** iss claim check */
+    issuer: string | string[];
+    /** strategy name */
+    name: string;
+    /** scp claim check */
+    scope: string[];
+    /** call this function to get the user belonging to the token */
+    verifyFn: VerifyCallback;
+    /** cached JWK set from well known oid-configuration endpoint */
+    jwks: ReturnType<typeof createRemoteJWKSet> | undefined;
+    constructor(options: OauthBearerOptions, verifyFn: VerifyCallback);
+    authenticate(req: Request): Promise<void>;
+}
+export {};

package/dist/passport-entra.js

@@ -0,0 +1,82 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const passport_1 = require("passport");
+const jose_1 = require("jose");
+/**
+ * Bearerstrategy for password.js, used with Microsoft Entra as identity provider
+ */
+class BearerStrategy extends passport_1.Strategy {
+    constructor(options, verifyFn) {
+        var _a, _b, _c;
+        super();
+        /** strategy name */
+        this.name = 'oauth-bearer';
+        this.verifyFn = verifyFn;
+        let audience = (_a = options.audience) !== null && _a !== void 0 ? _a : options.clientID;
+        if (typeof audience === 'string') {
+            audience = [audience, `spn:${audience}`];
+        }
+        this.audience = audience;
+        this.clientID = options.clientID;
+        this.clockSkew = (_b = options.clockSkew) !== null && _b !== void 0 ? _b : 300;
+        this.identityMetadata = options.identityMetadata;
+        this.issuer = options.issuer;
+        this.scope = (_c = options.scope) !== null && _c !== void 0 ? _c : [];
+    }
+    authenticate(req) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            try {
+                if (!this.jwks) {
+                    const res = yield fetch(this.identityMetadata);
+                    if (!res.ok) {
+                        throw new Error(`Error ${String(res.status)} when querying identity metadata`);
+                    }
+                    // eslint-disable-next-line @typescript-eslint/naming-convention
+                    const { jwks_uri } = yield res.json();
+                    this.jwks = (0, jose_1.createRemoteJWKSet)(new URL(jwks_uri));
+                }
+                const header = req.get('authorization');
+                const headerParts = header === null || header === void 0 ? void 0 : header.split(' ');
+                const jwt = (headerParts === null || headerParts === void 0 ? void 0 : headerParts.length) === 2 && headerParts[0].toLowerCase() === 'bearer' && headerParts[1];
+                if (!jwt) {
+                    throw new Error('Unable to extract Bearer token from Authorization header');
+                }
+                const { payload } = yield (0, jose_1.jwtVerify)(jwt, this.jwks, {
+                    audience: this.audience, // aud
+                    clockTolerance: this.clockSkew, // exp, nbf
+                    issuer: this.issuer, // iss
+                });
+                // console.log(JSON.stringify(payload, null, 2));
+                const scp = String((_a = payload.scp) !== null && _a !== void 0 ? _a : ''); // scp
+                if (this.scope.length > 0
+                    && !this.scope.some((scope) => scp.includes(scope))) {
+                    throw new Error('Scope does not match scp claim');
+                }
+                this.verifyFn(payload, (err, user, info) => {
+                    if (err) {
+                        throw err;
+                    }
+                    if (!user) {
+                        throw new Error('No user found');
+                    }
+                    this.success(user, info);
+                });
+            }
+            catch (error) {
+                const message = JSON.stringify(error);
+                this.fail(message);
+            }
+        });
+    }
+}
+exports.default = BearerStrategy;

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "passport-entra",
+  "version": "0.0.1",
+  "description": "Microft Entra authentication strategy for passport",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "Jan Bakker",
+  "license": "ISC",
+  "dependencies": {
+    "jose": "^6.0.11",
+    "passport": "^0.7.0",
+    "typescript": "^5.8.3"
+  },
+  "devDependencies": {
+    "@types/passport": "^1.0.17"
+  }
+}

package/passport-entra.ts

@@ -0,0 +1,117 @@
+import { Strategy } from 'passport';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+
+import type { Request } from 'express';
+
+export interface OauthBearerOptions {
+  audience?: string | string[];
+  clientID: string;
+  clockSkew?: string | number;
+  identityMetadata: string;
+  issuer: string | string[];
+  scope?: string[];
+}
+
+type VerifyCallback = (token: object, done: AuthenticateCallback) => void;
+
+export type AuthenticateCallback = (
+  err: unknown,
+  user?: Express.User | false | null,
+  info?: object,
+  status?: number | number[]
+) => void;
+
+/**
+ * Bearerstrategy for password.js, used with Microsoft Entra as identity provider
+ */
+export default class BearerStrategy extends Strategy {
+  /** aud claim check  */
+  audience;
+
+  /** clientID to check */
+  clientID;
+
+  /** clockSkew allowed when checking nbf and exp */
+  clockSkew;
+
+  /** well known oid-configuration endpoint */
+  identityMetadata: string;
+
+  /** iss claim check */
+  issuer;
+
+  /** strategy name */
+  name = 'oauth-bearer';
+
+  /** scp claim check */
+  scope;
+
+  /** call this function to get the user belonging to the token */
+  verifyFn;
+
+  /** cached JWK set from well known oid-configuration endpoint */
+  jwks: ReturnType<typeof createRemoteJWKSet> | undefined;
+
+  constructor(options: OauthBearerOptions, verifyFn: VerifyCallback) {
+    super();
+
+    this.verifyFn = verifyFn;
+
+    let audience = options.audience ?? options.clientID;
+    if (typeof audience === 'string') {
+      audience = [audience, `spn:${audience}`];
+    }
+    this.audience = audience;
+
+    this.clientID = options.clientID;
+    this.clockSkew = options.clockSkew ?? 300;
+    this.identityMetadata = options.identityMetadata;
+    this.issuer = options.issuer;
+    this.scope = options.scope ?? [];
+  }
+
+  async authenticate(req: Request) {
+    try {
+      if (!this.jwks) {
+        const res = await fetch(this.identityMetadata);
+        if (!res.ok) {
+          throw new Error(`Error ${String(res.status)} when querying identity metadata`);
+        }
+        // eslint-disable-next-line @typescript-eslint/naming-convention
+        const { jwks_uri } = await res.json() as { jwks_uri: string };
+        this.jwks = createRemoteJWKSet(new URL(jwks_uri));
+      }
+      const header = req.get('authorization');
+      const headerParts = header?.split(' ');
+      const jwt = headerParts?.length === 2 && headerParts[0].toLowerCase() === 'bearer' && headerParts[1];
+      if (!jwt) {
+        throw new Error('Unable to extract Bearer token from Authorization header');
+      }
+      const { payload } = await jwtVerify(jwt, this.jwks, {
+        audience: this.audience, // aud
+        clockTolerance: this.clockSkew, // exp, nbf
+        issuer: this.issuer, // iss
+      });
+      // console.log(JSON.stringify(payload, null, 2));
+
+      const scp = String(payload.scp ?? ''); // scp
+      if (this.scope.length > 0
+        && !this.scope.some((scope) => scp.includes(scope))) {
+        throw new Error('Scope does not match scp claim');
+      }
+
+      this.verifyFn(payload, (err: unknown, user: unknown, info?: object) => {
+        if (err) {
+          throw err as Error;
+        }
+        if (!user) {
+          throw new Error('No user found');
+        }
+        this.success(user, info);
+      });
+    } catch (error) {
+      const message = JSON.stringify(error);
+      this.fail(message);
+    }
+  }
+}

package/tsconfig.json

@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "declaration": true,
+    "outDir": "dist",
+
+    "target": "es2016",
+    "module": "commonjs",
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+
+    "strict": true,
+    "skipLibCheck": true
+  },
+  "exclude": [
+    "node_modules",
+    "dist"
+  ]
+}