I am building a nodejs server and I decided to perform authentication via Active Directory.
So my first question: is it possible with nodejs? If so, could someone please direct me towards a relevant article/documentation/plugin?
My second question is about the authentication itself. My server is RESTful, so I basically have to give some form of identification every time I request something from the server.
I thought about the following flow:
At the login page in the client, I send the username and password to the server.
At the server, I authenticate with Active Directory using the credentials that the client has sent.
Once I receive a response from Active Directory, I check if it is a valid response and if the login was successful; I also check if the user has the proper permissions in Active Directory to use my services.
Once all that is validated, I create a token for the user. Every request from the client would have to contain a valid token.
This seems like the most standard way to approach this problem; it is much simpler and more secure than sending the username/password with each request and authenticating with Active Directory every time.
However, some things bother me.
For example: what if the system administrator decides to remove a user from Active Directory or remove his permissions to use my services? That user still has a token that allows him to access my services.
I could set an expiry on the token, but unless that expiry is one second, the server won't really be in sync with Active Directory.
Do you think that tokens are the way to go with this problem? Or should I just do it by sending the username and password with each request?
Another way is to give a token to the client but, on the server, associate that token with the Active Directory username and password. On every request, the server would authenticate with Active Directory. Is this a good way to go?
Thanks, Arik