Merge pull request AzureADQuickStarts#41 from AzureADQuickStarts/derisen

patch sample

Author: derisen

README.md

@@ -1,16 +1,17 @@
 ---
 page_type: sample
 languages:
-  - nodejs 
+  - javascript 
 products:
-  - azure
+  - nodejs
+  - passport-azure-ad
   - azure-active-directory    
 description: "This sample demonstrates how to set up OpenId Connect authentication in a web application built using Node.js with Express."
 ---
 
-# Azure Active Directory OIDC Node.js Web Sample
+# Azure Active Directory OIDC Node.js web app sample
 
-| [Library](https://github.com/AzureAD/passport-azure-ad) | [Docs](https://aka.ms/aadv2) | [Support](README.md#community-help-and-support) | [Protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc)
+| [Library](https://github.com/AzureAD/passport-azure-ad) | [Docs](https://aka.ms/aadv2) | [Support](README.md#community-help-and-support) | [Protocol](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oidc)
 | --- | --- | --- | --- |
 
 This sample demonstrates how to set up OpenId Connect authentication in a web application built using Node.js with Express. The sample is designed to run on any platform.
@@ -21,7 +22,7 @@ To run this sample you will need the following:
 
 * Install Node.js from http://nodejs.org/
 
-* Either a [Microsoft account](https://www.outlook.com) or [Office 365 for business account](https://msdn.microsoft.com/en-us/office/office365/howto/setup-development-environment#bk_Office365Account)
+* Either a [Microsoft account](https://www.outlook.com) or [Office 365 for business account](https://msdn.microsoft.com/office/office365/howto/setup-development-environment#bk_Office365Account)
 
 ## Register the sample
 
@@ -47,9 +48,14 @@ To run this sample you will need the following:
 
 1. In the list of pages for the app, select **Authentication**.
     - In the **Redirect URIs** section, select **Web** in the combo-box and enter the following redirect URI:
-    `http://localhost:3000/auth/openid/return`
-    - In the **Advanced settings** section, set **Logout URL** to `http://localhost:3000`.
-    - In the **Advanced settings > Implicit grant** section, check **ID tokens** as this sample requires the [Implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to sign-in the user.
+    `http://localhost:3000/auth/openid/return` (:warning:)
+    - In the **Advanced settings > Implicit grant and hybrid flows** section, check **ID tokens** as this sample requires the [hybrid flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to sign-in the user.
+    - Select **Save**.
+1. In the list of pages for the app, select **Manifest**.
+    - Find the key `logoutUrl` and replace its value with `http://localhost:3000/logout` (:warning:)
+    - Select **Save**
+
+> :warning: Except on localhost, HTTP schemes are considered insecure and should not be used. In production, you should use HTTPS instead. See for more: [Microsoft identity platform best practices and recommendations](https://docs.microsoft.com/azure/active-directory/develop/identity-platform-integration-checklist#security)
 
 1. Select **Save**.
 
@@ -60,7 +66,6 @@ To run this sample you will need the following:
 
     You'll need this key later to configure the application. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
 
-
 ## Download the sample application and modules
 
 Next, clone the sample repo and install the NPM modules.
@@ -73,10 +78,9 @@ or
 
 * `$ git clone https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-nodejs.git`
 
-
 From the project root directory, run the command:
 
-* `$ npm install`   
+* `$ npm install`
 
 
 ## Configure the application
@@ -105,16 +109,15 @@ The default session store in this sample is `express-session`. Note that the def
 
 * Run the app using the following command from your command line.
 
-```
-$ node app.js
+```console
+  node app.js
 ```
 
 **Is the server output hard to understand?:** We use `bunyan` for logging in this sample. The console won't make much sense to you unless you also install bunyan and run the server like above but pipe it through the bunyan binary:
 
-```
-$ npm install -g bunyan
-
-$ node app.js | bunyan
+```console
+  npm install -g bunyan
+  node app.js | bunyan
 ```
 
 ### You're done!
@@ -133,15 +136,15 @@ For issues with the passport-azure-ad library, please raise the issue on the lib
 
 If you'd like to contribute to this sample, please follow the [GitHub Fork and Pull request model](https://help.github.com/articles/fork-a-repo/).
 
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.   
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
 
 ## Security Library
 
 This library controls how users sign-in and access services. We recommend you always take the latest version of our library in your app when possible.
 
 ## Security Reporting
 
-If you find a security issue with our libraries or services please report it to [[email protected]](mailto:[email protected]) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/en-us/security/dd252948) and subscribing to Security Advisory Alerts.
+If you find a security issue with our libraries or services please report it to [[email protected]](mailto:[email protected]) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/security/dd252948) and subscribing to Security Advisory Alerts.
 
 Copyright (c) Microsoft Corporation.  All rights reserved. Licensed under the MIT License (the "License");
 

app.js

@@ -30,11 +30,11 @@
 var express = require('express');
 var cookieParser = require('cookie-parser');
 var expressSession = require('express-session');
-var bodyParser = require('body-parser');
 var methodOverride = require('method-override');
 var passport = require('passport');
-var util = require('util');
 var bunyan = require('bunyan');
+var morgan = require('morgan');
+
 var config = require('./config');
 
 // set up database for express session
@@ -149,7 +149,7 @@ var app = express();
 
 app.set('views', __dirname + '/views');
 app.set('view engine', 'ejs');
-app.use(express.logger());
+app.use(morgan('dev'));
 app.use(methodOverride());
 app.use(cookieParser());
 
@@ -168,13 +168,12 @@ if (config.useMongoDBSessionStore) {
   app.use(expressSession({ secret: 'keyboard cat', resave: true, saveUninitialized: false }));
 }
 
-app.use(bodyParser.urlencoded({ extended : true }));
+app.use(express.urlencoded({ extended : true }));
 
 // Initialize Passport!  Also use passport.session() middleware, to support
 // persistent login sessions (recommended).
 app.use(passport.initialize());
 app.use(passport.session());
-app.use(app.router);
 app.use(express.static(__dirname + '/../../public'));
 
 //-----------------------------------------------------------------------------
@@ -199,6 +198,7 @@ app.get('/', function(req, res) {
 
 // '/account' is only available to logged in user
 app.get('/account', ensureAuthenticated, function(req, res) {
+  console.log(req.user);
   res.render('account', { user: req.user });
 });
 
@@ -226,7 +226,7 @@ app.get('/auth/openid/return',
   function(req, res, next) {
     passport.authenticate('azuread-openidconnect', 
       { 
-        response: res,                      // required
+        response: res,    // required
         failureRedirect: '/'  
       }
     )(req, res, next);
@@ -244,7 +244,7 @@ app.post('/auth/openid/return',
   function(req, res, next) {
     passport.authenticate('azuread-openidconnect', 
       { 
-        response: res,                      // required
+        response: res,    // required
         failureRedirect: '/'  
       }
     )(req, res, next);

config.js

@@ -10,6 +10,10 @@ exports.creds = {
   // Required, the client ID of your app in AAD  
   clientID: '<your_client_id>',
 
+  // Required if `responseType` is 'code', 'id_token code' or 'code id_token'. 
+  // If app key contains '\', replace it with '\\'.
+  clientSecret: '<your_client_secret>', 
+
   // Required, must be 'code', 'code id_token', 'id_token code' or 'id_token'
   // If you want to get access_token, you must use 'code', 'code id_token' or 'id_token code' 
   responseType: 'code id_token', 
@@ -23,10 +27,6 @@ exports.creds = {
   // Required if we use http for redirectUrl
   allowHttpForRedirectUrl: true,
 
-  // Required if `responseType` is 'code', 'id_token code' or 'code id_token'. 
-  // If app key contains '\', replace it with '\\'.
-  clientSecret: '<your_client_secret>', 
-
   // Required to set to false if you don't want to validate issuer
   validateIssuer: false,