9

I would like to authenticate a Windows user in a NodeJS app. Is there any add-on for this yet? There is node-krb5 but it doesn't support Windows yet.

3 Answers

6

If you host on IIS with iisnode, https://github.com/auth0/passport-windowsauth works nicely! passport-windowsauth comes with an AD integration, but if you only want the username in order to implement your own authorization logic, you can do it like this:

web.config:

<system.webServer>
    <iisnode promoteServerVars="LOGON_USER" />
</system.webServer>

server.js:

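// Express app that the passport middleware below is attached to
var express = require('express');
var app = express();

var passport = require('passport');
var WindowsStrategy = require('passport-windowsauth');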

app.use(passport.initialize());
app.use(passport.session());

passport.serializeUser(function(user, done) {
    done(null, user);
});

passport.deserializeUser(function(user, done) {
    done(null, user);
});

passport.use(new WindowsStrategy({
    integrated: true 
}, function(profile,done) {
    var user = {
        id: profile.id,
    };
    done(null, user);
}));

app.all("*", passport.authenticate("WindowsAuthentication"), function (request,response,next){
    next();
});

Then you can access the user id on the request object in your other routes:

app.get("/api/testAuthentication", function(request, response){
    console.log(request.user.id + " is authenticated");
});

If you want to implement your own authorization logic using the user id, you can define a middleware function like this:

app.get("/api/testAuthorization", hasRole("a role"), function(request, response, next){
    console.log(request.user.id + " is authenticated and authorized");
});

where hasRole looks like this:

function hasRole(role) {
    return function(request,response,next){
        // your own authorization logic

        if(role == "a role")
            next();
        else
            response.status(403).send();
    }
}

4 Comments

But when we put node behind IIS, we lose lots of Node benefits!
I am able to get the response (request.user.id) from the URL in the browser, but when I am trying to access the same URL, I am getting an Unauthorized error. I know this post is old, but if possible, can you share any example where you have used this kind of thing?
Can I use passport-windowsauth without IISNode?
I don't understand what passport windows-auth is adding here: already iisnode has promoteServerVars and that's enough to run node under IIS and to get the logon user when the windows auth is negotiated.
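
An added example, not part of the answer above and not code from passport-windowsauth or iisnode: one way to fill in the answer's "your own authorization logic" so that the decision depends on request.user.id and denies by default. It assumes request.user.id holds the logon name in DOMAIN\user form; ROLE_MEMBERS, normalizeAccount, isInRole, requireRole and the CORP accounts are hypothetical names and constructed sample data.

```javascript
// Constructed sample data: role name -> Windows accounts allowed in it.
const ROLE_MEMBERS = {
    admin: ['CORP\\alice'],
    reader: ['CORP\\alice', 'CORP\\bob'],
};

// Windows account names are case-insensitive, so compare a normalized form.
// Returns null for anything that is not exactly DOMAIN\user.
function normalizeAccount(id) {
    if (typeof id !== 'string') return null;
    const match = /^([^\\\/@\s]+)\\([^\\\/@\s]+)$/.exec(id.trim());
    return match ? (match[1] + '\\' + match[2]).toLowerCase() : null;
}

function isInRole(id, role) {
    const account = normalizeAccount(id);
    // Own-property check so a role name like "constructor" never matches
    // something inherited from Object.prototype.
    if (!account || !Object.prototype.hasOwnProperty.call(ROLE_MEMBERS, role)) {
        return false;
    }
    return ROLE_MEMBERS[role].some(function (member) {
        return member.toLowerCase() === account;
    });
}

// Express-style middleware factory with the same shape as hasRole(role).
function requireRole(role) {
    return function (request, response, next) {
        if (!request.user) {
            return response.status(401).send(); // not authenticated
        }
        if (!isInRole(request.user.id, role)) {
            return response.status(403).send(); // authenticated, not authorized
        }
        next();
    };
}
```

It is used like the answer's middleware, for example app.get("/api/testAuthorization", requireRole("admin"), handler).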
1

node-sspi: found it easy and efficient to use.

https://www.npmjs.com/package/node-sspi

1

Disclaimer: I am the author of node-expose-sspi.

https://github.com/jlguenego/node-expose-sspi

is dedicated to doing SSO on Windows using Kerberos or NTLM. It uses Negotiate and SPNEGO token.

5 Comments

Tried it out but it is working only from a localhost url, not from a real domain intranet... In the latter case the browser (chrome, edge) keeps asking user/password without a successful connection. Tested on the trivial localhost it does work, but how is that useful?
in NTLM yes, but if you use a domain and Kerberos then no popup will appear.
Is it something easily doable only at application level in node.js (how?) or what else does it imply? If you prefer, we can follow up on github. Thank you anyway for your reply!
With Kerberos, your windows account must run on a MS Windows domain server. And the navigator must trust the website url. This is only doable for an intranet application. node-expose-sspi is designed only for this situation. For internet connection authentication, you should use for instance OAuth2.
Yes, I'm on an intranet connection authentication, with domain servers etc. I don't understand why the authentication is not passed... (btw, if you have time, do you prefer to discuss here or on the github?). Just to say, iisnode is working
