Source from repo

Azure Prepare

Prepare Azure environments for new workloads—subscriptions, networking, identity, and landing zones

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

165

Skill

n/a

Size

547.0 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/services/app-service/templates/recipes/auth/source/nodejs.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown91 linesFree

references/services/app-service/templates/recipes/auth/source/nodejs.md

1# Auth Recipe — Node.js (Express) — REFERENCE ONLY
2 
3## JWT Validation with jsonwebtoken + jwks-rsa
4 
5### npm Packages
6 
7```bash
8npm install jsonwebtoken jwks-rsa
9```
10 
11### Auth Middleware
12 
13Add `middleware/auth.js`:
14 
15```javascript
16const jwt = require("jsonwebtoken");
17const jwksClient = require("jwks-rsa");
18 
19const client = jwksClient({
20  jwksUri: `https://login.microsoftonline.com/${process.env.AZURE_TENANT_ID}/discovery/v2.0/keys`,
21  cache: true,
22  rateLimit: true,
23});
24 
25// Use APP_ID_URI if set (e.g., "api://<client-id>"); fall back to CLIENT_ID
26const AUDIENCE = process.env.AZURE_APP_ID_URI || process.env.AZURE_CLIENT_ID;
27 
28function authMiddleware(req, res, next) {
29  const token = req.headers.authorization?.split(" ")[1];
30  if (!token) return res.status(401).json({ error: "No token" });
31 
32  const decoded = jwt.decode(token, { complete: true });
33  if (!decoded || !decoded.header || !decoded.header.kid) {
34    return res.status(401).json({ error: "Invalid token" });
35  }
36 
37  client.getSigningKey(decoded.header.kid, (err, key) => {
38    if (err || !key) {
39      return res.status(401).json({ error: "Invalid token" });
40    }
41 
42    jwt.verify(
43      token,
44      key.getPublicKey(),
45      {
46        algorithms: ["RS256"],
47        audience: AUDIENCE,
48        issuer: `https://login.microsoftonline.com/${process.env.AZURE_TENANT_ID}/v2.0`,
49      },
50      (err, payload) => {
51        if (err) return res.status(401).json({ error: "Invalid token" });
52        req.user = payload;
53        next();
54      }
55    );
56  });
57}
58 
59module.exports = { authMiddleware };
60```
61 
62> ⚠️ The `aud` claim in Entra ID tokens is often the Application ID URI (`api://<client-id>`), not the raw client ID. Set `AZURE_APP_ID_URI` in app settings to match your app registration's exposed API URI.
63 
64### Protected Endpoint
65 
66Add to `src/index.js`:
67 
68```javascript
69const { authMiddleware } = require("./middleware/auth");
70 
71app.get("/api/me", authMiddleware, (req, res) => {
72  res.json({ name: req.user?.name, oid: req.user?.oid });
73});
74```
75 
76## App Settings Required
77 
78| Setting | Value |
79|---------|-------|
80| `AZURE_TENANT_ID` | Entra tenant ID |
81| `AZURE_CLIENT_ID` | App registration client ID |
82| `AZURE_APP_ID_URI` | Application ID URI (e.g., `api://<client-id>`) — optional, defaults to CLIENT_ID |
83 
84## Files to Modify
85 
86| File | Action |
87|------|--------|
88| `middleware/auth.js` | Create — JWT validation middleware |
89| `src/index.js` | Modify — add protected routes |
90| `package.json` | Modify — add jsonwebtoken, jwks-rsa |
91

Preparing the source view

Azure Prepare

references/services/app-service/templates/recipes/auth/source/nodejs.md