  • Copy azure-config.example and rename the file to azure-config.js.

```javascript
// azure-config.js: options for the passport Azure AD (OIDC) strategy; each key is described below.
const config = {
    path: '/login',
    clientID: '87f210d2-d3af-43dd-ba98-07adaff3e791',
    tenant: '24981a26-eb7a-4f13-95d4-66827d36dec8',
    authorityUrl: '',
    resource: '00000002-0000-0000-c000-000000000000',
    // Only needed when responseType is not 'id_token'; keep the real value out of source control.
    clientSecret: 'xxxxxxxxxxxxxx3rZp6?=a72FNp_CgOqOS?EQphp_e0[=5',
    identityMetadata: '',
    responseType: 'code',
    responseMode: 'form_post',
    redirectUrl: '',
    allowHttpForRedirectUrl: false,
    validateIssuer: false,
    issuer: null,
    passReqToCallback: false,
    useCookieInsteadOfSession: false,
    cookieEncryptionKeys: [],      // only used when useCookieInsteadOfSession is true
    loggingLevel: 'warn',          // 'info', 'warn' or 'error'
    loggingNoPII: true,
    nonceLifetime: null,
    nonceMaxAmount: 5,
    clockSkew: null
};

module.exports = config;           // so the application can require('./azure-config')
```

Options for the Active Directory configuration file

  • path : path for login authentication. '/login' will set up a new HTTP route at 'auth/azure/login' for authentication.
  • clientID : the client ID required for the login. This is automatically placed in the login request as a form parameter.
  • tenant : the tenant ID required for the login. This is automatically placed in the login request as a form parameter.
  • authorityUrl : the authority URL, usually is
  • resource : your app ID URI
  • clientSecret : When responseType is not id_token, the client credential must be provided to redeem the authorization code.
  • identityMetadata : The metadata endpoint provided by the Microsoft Identity Portal that provides the keys and other important information at runtime.
  • responseType : Must be 'code', 'code id_token', 'id_token code' or 'id_token'. For login only flows you can use 'id_token'; if you want access_token, use 'code', 'code id_token' or 'id_token code'.
  • responseMode : Must be 'query' or 'form_post'. This is how you get code or id_token back. 'form_post' is recommended for all scenarios.
  • redirectUrl : Must be a https url string, unless you set allowHttpForRedirectUrl to true. This is the reply URL registered in AAD for your app. Production environment should always use https for redirectUrl.
  • allowHttpForRedirectUrl : Must be set to true if you want to use an http URL for redirectUrl, such as http://localhost:3000.
  • validateIssuer : Set to false if you don't want to validate the issuer; the default value is true. The iss claim in the id_token is validated against the user-provided issuer values and the issuer value obtained from the tenant-specific endpoint. If you use the common endpoint for identityMetadata and you want to validate the issuer, then you have to either provide issuer, or provide the tenant for each login request using the tenantIdOrName option in passport.authenticate.
  • issuer : This can be a string or an array of strings. See validateIssuer for the situation that requires issuer.
  • passReqToCallback : Must be set to true if using req as the first parameter in the verify function; the default value is false. See section for more details.
  • loggingLevel : Logging level. 'info', 'warn' or 'error'.
  • nonceLifetime : The lifetime of nonce in session in seconds. The default value is 3600 seconds.
  • nonceMaxAmount : The max amount of nonce you want to keep in session or cookies. The default number is 10.
  • clockSkew : This value is the clock skew (in seconds) allowed in token validation. It must be a positive integer. The default value is 300 seconds.
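As an added example (not code from this page or from the passport Azure AD strategy), a pre-flight check that applies the constraints listed above to an azure-config.js object before it is handed to the strategy; the function name, the placeholder IDs and the detection of the common endpoint by the '/common/' path segment are assumptions:

```javascript
const RESPONSE_TYPES = ['code', 'code id_token', 'id_token code', 'id_token'];
const RESPONSE_MODES = ['query', 'form_post'];
const LOG_LEVELS = ['info', 'warn', 'error'];

// Returns { errors, warnings } for an azure-config.js object (hypothetical helper).
function validateAzureConfig(cfg) {
  const errors = [];
  const warnings = [];
  // clientID and tenant are sent as form parameters on every login request.
  for (const key of ['clientID', 'tenant', 'identityMetadata', 'redirectUrl']) {
    if (!cfg[key]) errors.push(`${key} is required`);
  }
  if (!RESPONSE_TYPES.includes(cfg.responseType)) errors.push('responseType must be one of: ' + RESPONSE_TYPES.join(', '));
  if (!RESPONSE_MODES.includes(cfg.responseMode)) errors.push('responseMode must be query or form_post');
  // Redeeming an authorization code needs the client secret; id_token-only login does not.
  if (cfg.responseType !== 'id_token' && !cfg.clientSecret) errors.push('clientSecret is required when responseType is not id_token');
  // The reply URL must be https unless http was explicitly allowed (local development only).
  if (cfg.redirectUrl && !/^https:\/\//i.test(cfg.redirectUrl) && !cfg.allowHttpForRedirectUrl) {
    errors.push('redirectUrl must use https unless allowHttpForRedirectUrl is true');
  }
  // With the common endpoint there is no tenant-specific issuer to compare against,
  // so the iss claim can only be validated against an explicitly configured issuer.
  const usesCommonEndpoint = /\/common\//i.test(cfg.identityMetadata || '');
  if (cfg.validateIssuer === false) {
    warnings.push('validateIssuer is false: the iss claim of the id_token is not checked');
  } else if (usesCommonEndpoint && !cfg.issuer) {
    errors.push('issuer is required when validateIssuer is on and identityMetadata is the common endpoint');
  }
  // Cookie mode keeps state client-side and therefore needs encryption keys.
  if (cfg.useCookieInsteadOfSession && !(Array.isArray(cfg.cookieEncryptionKeys) && cfg.cookieEncryptionKeys.length)) {
    errors.push('cookieEncryptionKeys must be a non-empty array when useCookieInsteadOfSession is true');
  }
  if (cfg.clockSkew != null && !(Number.isInteger(cfg.clockSkew) && cfg.clockSkew > 0)) errors.push('clockSkew must be a positive integer (seconds)');
  if (cfg.loggingLevel != null && !LOG_LEVELS.includes(cfg.loggingLevel)) errors.push("loggingLevel must be 'info', 'warn' or 'error'");
  return { errors, warnings };
}

// Constructed sample: a local-development config that still points at the common endpoint.
const sampleConfig = {
  clientID: '00000000-0000-0000-0000-000000000000', tenant: '00000000-0000-0000-0000-000000000000', // placeholders
  identityMetadata: 'https://login.microsoftonline.com/common/.well-known/openid-configuration',
  responseType: 'code', responseMode: 'form_post', clientSecret: 'placeholder-secret',
  redirectUrl: 'http://localhost:3000/auth/azure/callback', allowHttpForRedirectUrl: false,
  validateIssuer: true, issuer: null, clockSkew: 300, loggingLevel: 'warnerror',
};
const sampleResult = validateAzureConfig(sampleConfig); // three errors (redirectUrl, issuer, loggingLevel), no warnings
```

Run the check once at startup and refuse to register the strategy while `errors` is non-empty; log `warnings` so a disabled issuer check is visible in the deployment record.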


In the PASOE config file, the configuration required for setting up the generic login screen and Azure authentication
