passport-azure-ad 始终重定向到 failureRedirect 但未显示错误（nodejs）

Question

按照本教程，我构建了我的 azure 广告登录以使用图形 api https://docs.microsoft.com/en-us/graph/tutorials/node?tutorial-step=3

来自 azure 的响应看起来对我来说，我找不到任何错误消息，但它总是触发失败重定向，因此它不会继续使用 signInComplete 函数。

我无法弄清楚出了什么问题。有什么提示至少可以让我知道是什么触发了 failureRedirect？

// Callback function called once the sign-in is complete
// and an access token has been obtained
async function signInComplete(iss, sub, profile, accessToken, refreshToken, params, done) {
    logger.debug("signInComplete function called")
    if (!profile.oid) {
        logger.error("No OID found in user profile.")
        return done(new Error("No OID found in user profile."));
    }

    return done(null);
}
// Configure OIDC strategy
passport.use(new OIDCStrategy(
    {
        identityMetadata: `${config.OAUTH_AUTHORITY}${config.OAUTH_ID_METADATA}`,
        clientID: config.OAUTH_APP_ID,
        responseType: 'code id_token',
        responseMode: 'form_post',
        redirectUrl: config.OAUTH_REDIRECT_URI,
        allowHttpForRedirectUrl: true,
        clientSecret: config.OAUTH_APP_PASSWORD,
        validateIssuer: false,
        passReqToCallback: false,
        scope: config.OAUTH_SCOPES.split(' '),
        loggingLevel: 'warn'
    },
    signInComplete
));

office365Signin:  function (req, res, next) {
    passport.authenticate('azuread-openidconnect',
        {
            response: res,
            prompt: 'login',
            failureRedirect: '/',
            failureFlash: true,
            successRedirect: '/'
        }
    )(req,res,next);        
},
office365SigninCallback: function(req, res, next) {
    passport.authenticate('azuread-openidconnect',
      {
        response: res,
        failureRedirect: process.env.FRONTEND_URL+'fail',
        failureFlash: true,
        successRedirect: process.env.FRONTEND_URL
      }
    )(req,res, next);
    //failureRedirect gets always trigger even if the req.body looks correct and no error message is send
    //Therefore we just check the body and trigger next if the body looks correct
    var util = require('util');
    logger.debug("office365SigninCallback res: "+util.inspect(res.req.body));
    if (res.req.body.code && res.req.body.id_token) {
        logger.debug("req.body seems correct there");
    }
},

Logger office365SigninCallback res.req.body 输出：

office365SigninCallback res: { code:   'OAQABAAIAAAAm-06blBE1TpVMil8KPQ41qTM1deUhK_bLgEaGpsiIg5_3sa0ZNEBusd3m4rpBCrXflEsSvEtyjWWzqDhQ_9MybvYdqiR5B2FB59Msd7g8uL5YFcAExrGDqLzYo8xVIaZexHej_K3gDdJFfXbZZsiL6umdepdEXa1pyPIv4S8xVRHPcTyoB80RxpPp97uBCZagR7WstIF0QkfauUxklwlmOygAWjFvIMTuSijkkVZZ-04MbSX6wT3vBwJmQ2-kj6x_W_9fdCbYtdavgR6ZlYKtdiAxVm-3qULweEfvFo8RVC5xV2wdaPKqqYh41lcAq_1NHCiTdUcmmxbk8177WGzabDbH-rM-jRzORamSbLg_0vF48KWqu9zSgiCTX4RW556akFo6pcSkpriJWZH1aVl1cSMTWM64zb9tRM08O7hJ9YyFGTM-n6RpIiA3h9-Xh1E_TEZ8sG0noVId3yN8-gJXZ-pEB7Bur8s5C3DFOOlPgqgdEDj16tM8Wg0RinaL8P1BJ18k_Y_pr-huHMzhKaVCLYCX1Urq8fDomv0UAVchDQNIjdQ5PfiiYIT-0GYYzR5BB_5wGKJgwZypae89RRXpNJw-XOY5dv10jsUk3jEHRXW5xle2HtpM5DgCs6VbuxwVuaJfrRhfNdy7WkoOT3caV-4qTYfpfqwKvX_YtdD15RMpg-BVZQyI8b12meomlHdRi2aiqwqpTfJas0mrE7jHeScQErWx0qWAhvnZS8JJbauJGbXvjCbl2Tcoh19ngaggAA',
  id_token:
   'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkN0VHVoTUptRDVNN0RMZHpEMnYyeDNRS1NSWSJ9.eyJhdWQiOiI1YTYxYTMwZC00MTAyLTQwMGUtYTVmNS05NDJlYzAxNDE3ODciLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZTFkMDE4YTktOWRlZC00Yjg4LTllYTItNDJkYTAwY2Q1ZjVhL3YyLjAiLCJpYrRVl4UHJjRk9aVk5tX1N6UHNyX0ZrIiwib2lkIjoiZXQiOjE1ODk4ODA3MTIsIm5iZiI6MTU4OTg4MDcxMiwiZXhwIjoxNTg5ODg0NjEyLCJhaW8iOiJBVFFBeS84UEFBQUEzb0dsSkdWK1dYYlE0elZJNHZic2ZnejZvUWZqYy9XUkNtS1QrYlRORHVjM2dYdll4L3F4OTdEMm5VeTRUUUxNIiwiY19oYXNoIjoiU1k4alM1ZjlxMkg4TU9oSmVIcjNhQSIsIm5hbWUiOiJUaW0gU3RlaW4iLCJub25jZSI6IkZfWjctTmpGSU5jgyYWRkNGMtOGM2MS00YjYxLWJmYWItZmQzNmE2YzY0MjY5IiwicHJlZmVycmVkX3VzZXJuYW1lIjoidHN0ZWluQFZBTlRBLklPIiwic3ViIjoiZ3Q3RExJZ1Y0MEJDZlRxRXhhSlM5Z09qcjhlRWU3TFF0cTJLQk9yNThmbyIsInRpZCI6ImUxZDAxOGE5LTlkZWQtNGI4OC05ZWEyLTQyZGEwMGNkNWY1YSIsInV0aSI6IjlyRHBOM0hBLTAtU3Y2T25XWmpVQUEiLCJ2ZXIiOiIyLjAifQ.uCG5x4cesT2925Kr_lXloYWxgIsPfsRX2FKd4t8ASDeQXg9PdvjTsTvnzzBqFDtW77obSX7bO75a-0XjA9TIh4-kMTgJWm8PlnHCWaHRQgfNlTmjp99oUf0msZx6OhyZ0-xFMMe6DTShFfBhHjF2ds17zw-oynv6PaygSox4s94qvL2e8ULi2wfpm4AYQwxXeUQba9dhoQu8AsCozY-6NyWIGc2alzg7TK5qBpuY16BScGsUkmChGFZ9lF9vD-uM8x0JYg0G6Uvc_aDNIWnt9B7VRH-U9sIFXtL9doaJXvRl2aPQnj6x0rtfgfJ4zonrJZQEn7e8y7XPIcnU0gMO9g',
  state: 'GNy7cIjlBvfga4FhQiapnWnDAn8itXtk',
  session_state: 'c88bace3-4039-9922-6f06-dcd6ba1a62ac' }

根据文档，我的回复看起来是正确的： https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Answer 1

我直接从我的一个生产项目中获取此代码。我之前也遇到过类似的问题，但是当我们出于某种原因调整 done 回调时，它会自行解决。

也许这可以作为一个例子。

Passport.js

'use strict';
//Dependencies
const passport = require('passport');
const OIDCStrategy = require('passport-azure-ad').OIDCStrategy;

//Custom Modules
const msService = require('./msService');
const DB_Connection = require('../dbConnection');


//DB Setting
require('../models/MS_User');
const User_DB = DB_Connection.model('user');

//Winston Logger
const logger = require('../log');
const passLog = logger.get('passportLog');

//Azure AD Creds
const loginCredentials = require('../creds/oicdCreds');

// Session
//Take in outlook id => keep the session data small
passport.serializeUser((outlookid, done) => {
    done(null, outlookid);
});
//Deserialize when needed by querying the DB for full user details
passport.deserializeUser((outlookid, done) => {
    User_DB.findOne({ outlookId: outlookid })
        .then(user => {
            done(null, user);
        })
        .catch(err => passLog.error(`Error Deserializing User: ${outlookid}:` + ' ' + err));
});

//Export the passport module
module.exports = (passport) => {
    //OpenIdConnect
    passport.use(new OIDCStrategy(loginCredentials,
        //Verify callback for passReqToCallback: false
        (iss, sub, profile, access_token, refresh_token, params, done) => {
            //Get Calendar ID
            msService.getCalId(access_token, calId => {
                //Create or update the user
                User_DB.findOneAndUpdate({ outlookId: profile.oid }, {
                    name: profile.displayName,
                    outlookId: profile.oid,
                    email: profile._json.email,
                    lastLogin: profile._json.ipaddr,
                    accessToken: access_token,
                    calId: calId

                }, { upsert: true, returnNewDocument: false })
                    .catch(err => passLog.error(`Error Adding / Rnewing User: ${profile.oid}:` + ' ' + err));
                //Return Profile ID for Serialization
                done(null, profile.oid);
            });
        }));
};

路线

//AD OpenIdConenct
//Login
router.get('/auth/outlook/login',
    //Using MS Azure OpenId Connect strategy (passport)
    passport.authenticate('azuread-openidconnect')
);

//Callback Handling
//Using MS Azure OpenId Connect strategy (passport)
router.post('/auth/outlook/callback', passport.authenticate('azuread-openidconnect', { failureRedirect: '/auth/outlook/login' }), (req, res) => {
    //Redis
    client.keys('*', (err, keys) => {
        sessionLog.info(`Login Active Session: ${keys.length}`);
    });
    res.redirect('/profile_info');
}

);

Answer 2

如果你在 google 中遇到这个问题，我遇到了同样的错误，结果证明我使用的是 Azure Secret ID，而不是 Secret Value

将loggingNoPII: false 添加到您的 OIDC 策略中，这将打印出任何错误。