
I am working on an application where the front end is VueJS and the backend is NodeJS and ExpressJS.

The NodeJS/ExpressJS backend will be hosting REST APIs and I want to secure them using Azure AD. I want to use the Auth Code flow.

My question is: I have put my thoughts in the diagram, is this the right approach?



This approach looks good to me. I am thinking of it as an advanced version of something like JWT (https://jwt.io/) based authentication. Please see the steps below for JWT:

  1. The client requests authentication by providing credentials.
  2. The server provides the client with the token that is encrypted using the private key present in the server.
  3. The JWT is stored in the client's session and is sent to the server anytime the client requests something from it requiring authentication.
  4. The server then decrypts the token using the public/private key and sends the response back to the client.
  5. A session is validated at this point.

With the architecture you have described above, it does the exact same thing except the means to encrypt (generate) and decrypt (verify) the token exists with Azure AD. Below are the steps for achieving authentication based on your architecture:

  1. The client requests authentication by providing credentials.
  2. The Azure AD server does a 2FA kind of thing but in the end provides the token (equivalent to JWT in the previous approach).
  3. The token is stored in the client's session and is sent to the application backend server anytime the client requests something from it requiring authentication.
  4. The backend server uses Azure AD for verifying the token (similar to the decryption/verification step of JWT) and sends the response back to the client.
  5. A session is validated at this point.

I would suggest a small change to this though. If you look at step 4 above, the application server will keep hitting Azure AD every time it needs to authenticate the session. If you could add an actual JWT for this phase, it may help in avoiding these redundant calls to Azure.

So the steps described above for JWT may be added after the 4th step for Azure AD described above, i.e. create a JWT and store it in the client's session once everything is verified from Azure, and then keep using JWT-based authentication in the future for the current session.

If required, the JWT can be stored in the browser cookies and calls to Azure AD can totally be avoided for a specific period. However, our objective here is not to decrease load on the Azure AD server but just to suggest a way of using JWT in this specific situation.

I hope it helps.
