From 2681817dbe052e9740fecd7ec5b47951bcc283d3 Mon Sep 17 00:00:00 2001 From: Brandon Werner Date: Wed, 25 May 2016 14:23:22 -0700 Subject: [PATCH 1/3] Update README.md with security header --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 29b017f..64ed97d 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,10 @@ We leverage [Stack Overflow](http://stackoverflow.com/) to work with the communi We recommend you use the "adal" tag so we can see it! Here is the latest Q&A on Stack Overflow for ADAL: [http://stackoverflow.com/questions/tagged/adal](http://stackoverflow.com/questions/tagged/adal) +## Security Reporting + +If you find a security issue with our libraries or services please report it to [secure@microsoft.com](mailto:secure@microsoft.com) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/en-us/security/dd252948) and subscribing to Security Advisory Alerts. + ## Contributing All code is licensed under the Apache 2.0 license and we triage actively on GitHub. We enthusiastically welcome contributions and feedback. You can clone the repo and start contributing now. From 15da9cfd225fb63cfc7f65d14bd9780b14629498 Mon Sep 17 00:00:00 2001 From: Kanishk Panwar Date: Wed, 15 Jun 2016 16:54:51 -0700 Subject: [PATCH 2/3] add support for resource owner grant flow for ADFS --- lib/authority.js | 4 ++-- lib/token-request.js | 22 +++++++++++++++------- test/username-password.js | 25 ++++++++++++++++++++++--- 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/lib/authority.js b/lib/authority.js index d990cbf..3742f63 100644 --- a/lib/authority.js +++ b/lib/authority.js 
@@ -42,7 +42,6 @@ function Authority(authorityUrl, validateAuthority) { this._validateAuthorityUrl(); this._validated = !validateAuthority; - this._host = null; this._tenant = null; this._parseAuthority(); @@ -50,6 +49,7 @@ function Authority(authorityUrl, validateAuthority) { this._authorizationEndpoint = null; this._tokenEndpoint = null; this._deviceCodeEndpoint = null; + this._isAdfsAuthority = (this._tenant.toLowerCase() === "adfs"); } /** @@ -233,7 +233,7 @@ Authority.prototype._getOAuthEndpoints = function(tenantDiscoveryEndpoint, callb if (!this._deviceCodeEndpoint){ this._deviceCodeEndpoint = url.format(this._url) + AADConstants.DEVICE_ENDPOINT_PATH; } - + callback(); return; } diff --git a/lib/token-request.js b/lib/token-request.js index 9e01705..2f13924 100644 --- a/lib/token-request.js +++ b/lib/token-request.js @@ -164,8 +164,8 @@ TokenRequest.prototype._getTokenWithCacheWrapper = function(callback, getTokenFu }; /** - * Store token into cache. - * @param {object} tokenResponse Token response to be added into the cache. + * Store token into cache. + * @param {object} tokenResponse Token response to be added into the cache. */ TokenRequest.prototype._addTokenIntoCache = function(tokenResponse, callback) { this._cacheDriver = this._createCacheDriver(); @@ -275,7 +275,7 @@ TokenRequest.prototype._performWSTrustAssertionOAuthExchange = function(wstrustR /** * Exchange a username and password for a SAML token from an ADFS instance via WSTrust. * @param {string} wstrustEndpoint An url of an ADFS WSTrust endpoint. - * @param {string} wstrustEndpointVersion The version of the wstrust endpoint. + * @param {string} wstrustEndpointVersion The version of the wstrust endpoint. * @param {string} username username * @param {string} password password * @param {AcquireTokenCallback} callback callback 
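Review bot: `this._isAdfsAuthority = (this._tenant.toLowerCase() === "adfs");` throws a TypeError from the constructor whenever `_parseAuthority()` leaves `_tenant` at the `null` it is initialised to a few lines above (visible in the preceding hunk), and nothing in this hunk shows that parsing always yields a string; `this._isAdfsAuthority = (typeof this._tenant === "string" && this._tenant.toLowerCase() === "adfs");` keeps the constructor total. The flag also deserves a comment, because the token-request.js half of this patch uses it to bypass user-realm discovery and send the password grant straight to this authority's token endpoint, and the classification rests on nothing more than the tenant path segment of the caller-supplied URL: `// True when the tenant path segment is "adfs"; token-request.js uses this to skip user realm discovery, so the authority URL alone decides where the password grant goes.` Authority's constructor begins before the hunk.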
@@ -379,19 +379,19 @@ TokenRequest.prototype._getTokenUsernamePasswordFederated = function(username, p * Gets wstrust endpoint version from the federation active auth url. * @private * @param {string} federationActiveAuthUrl federationActiveAuthUrl - * @return {object} The wstrust endpoint version. + * @return {object} The wstrust endpoint version. */ TokenRequest.prototype._parseWStrustVersionFromFederationActiveAuthUrl = function(federationActiveAuthUrl) { var wstrust2005Regex = /[/trust]?[2005][/usernamemixed]?/; var wstrust13Regex = /[/trust]?[13][/usernamemixed]?/; - + if (wstrust2005Regex.exec(federationActiveAuthUrl)) { return WSTrustVersion.WSTRUST2005; } else if (wstrust13Regex.exec(federationActiveAuthUrl)) { return WSTrustVersion.WSTRUST13; } - + return WSTrustVersion.UNDEFINED; }; @@ -405,10 +405,18 @@ TokenRequest.prototype._parseWStrustVersionFromFederationActiveAuthUrl = functio */ TokenRequest.prototype.getTokenWithUsernamePassword = function(username, password, callback) { this._log.info('Acquiring token with username password'); - this._userId = username; + this._getTokenWithCacheWrapper(callback, function(getTokenCompleteCallback) { var self = this; + + if(this._authenticationContext._authority._isAdfsAuthority) { + this._log.info('Skipping user realm discovery for ADFS authority'); + + self._getTokenUsernamePasswordManaged(username, password, getTokenCompleteCallback); + return; + } + this._userRealm = this._createUserRealmRequest(username); this._userRealm.discover(function(err) { if (err) { diff --git a/test/username-password.js b/test/username-password.js index 55972a2..d897123 100644 --- a/test/username-password.js +++ b/test/username-password.js 
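Review bot: The `@@ -405` hunk drops `this._userId = username;` before the cache wrapper runs and nothing in the hunk re-establishes `_userId`; if `_getTokenWithCacheWrapper` or the cache driver keys lookups on it (both outside the hunk), every username/password acquisition — not only the ADFS path — now runs with it unset, so either restore `this._userId = username;` or state in the commit why it is no longer needed. Inside the callback the new branch reads `this._authenticationContext` and `this._log` but calls `self._getTokenUsernamePasswordManaged`, one line after `var self = this;`; the existing lines around it use `this`, so `this._getTokenUsernamePasswordManaged(username, password, getTokenCompleteCallback);` is the smaller change. The branch is also the point where the user's password is presumably sent directly to the authority's token endpoint without the realm-discovery step, which deserves a why-comment: `// ADFS authorities (tenant segment "adfs", see Authority) have no user-realm endpoint; go straight to the password grant against the ADFS token endpoint.` getTokenWithUsernamePassword's body continues past the end of the hunk.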
@@ -79,9 +79,8 @@ suite('username-password', function() { return util.setupExpectedOAuthResponse(queryParameters, cp.tokenUrlPath, 200, response.wireResponse, cp.authority); } - function setupExpectedUserNamePasswordRequestResponse(httpCode, returnDoc, authorityEndpoint) { + function setupExpectedUserNamePasswordRequestResponse(httpCode, returnDoc, authorityEndpoint, isAdfs) { var authEndpoint = util.getNockAuthorityHost(authorityEndpoint); - var queryParameters = {}; queryParameters['grant_type'] = 'password'; queryParameters['client_id'] = cp.clientId; @@ -91,12 +90,16 @@ suite('username-password', function() { queryParameters['scope'] = 'openid'; var query = querystring.stringify(queryParameters); + var tokenUrl = cp.tokenUrlPath; + if(isAdfs) { + tokenUrl = '/adfs' + cp.tokenPath + cp.extraQP; + } var tokenRequest = nock(authEndpoint) .filteringRequestBody(function(body) { return util.filterQueryString(query, body); }) - .post(cp.tokenUrlPath, query) + .post(tokenUrl, query) .reply(httpCode, returnDoc); util.matchStandardRequestHeaders(tokenRequest); 
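Review bot: In the `@@ -91` hunk, `if(isAdfs) { tokenUrl = '/adfs' + cp.tokenPath + cp.extraQP; }` hard-codes the ADFS token path rather than deriving it from the `authorityEndpoint` the helper already receives, so the expectation is a second copy of the library's path logic instead of a check on it; it also omits the space before the parenthesis that the surrounding suite uses (`if (err)`, `if (!err)`). A single declaration reads cleaner: `var tokenUrl = isAdfs ? '/adfs' + cp.tokenPath + cp.extraQP : cp.tokenUrlPath;`. The new `isAdfs` parameter added in the `@@ -79` hunk is undocumented and arrives as `undefined` for the existing callers, which is fine but worth a one-line comment on the helper: `// isAdfs: when truthy, expect the password grant at the ADFS token path instead of cp.tokenUrlPath.` setupExpectedUserNamePasswordRequestResponse continues past the hunk.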
@@ -104,6 +107,22 @@ suite('username-password', function() { return tokenRequest; } + test('happy-path-adfs-authority', function(done) { + var adfsAuthority = "https://contoso.com/adfs"; + var responseOptions = { authority : adfsAuthority, mrrt : true }; + var response = util.createResponse(responseOptions); + var upRequest = setupExpectedUserNamePasswordRequestResponse(200, response.wireResponse, adfsAuthority, true); + + var context = new AuthenticationContext(adfsAuthority, false); + context.acquireTokenWithUsernamePassword(response.resource, cp.username, cp.password, cp.clientId, function(err, tokenResponse) { + if (!err) { + upRequest.done(); + assert(util.isMatchTokenResponse(response.cachedResponse, tokenResponse), 'Response did not match expected: ' + JSON.stringify(tokenResponse)); + } + done(err); + }); + }); + test('managed-happy-path', function(done) { var preRequests = util.setupExpectedUserRealmResponseCommon(false); var response = util.createResponse(); From 25b1ba82a85b81541ed7fdb30aa5927b6ec46a88 Mon Sep 17 00:00:00 2001 From: weijjia Date: Fri, 17 Jun 2016 18:52:56 -0700 Subject: [PATCH 3/3] version update for 0.1.20 release --- changelog.txt | 5 +++++ package.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/changelog.txt b/changelog.txt index 538a8a8..7ecdbaf 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,8 @@ +Version 0.1.20 +-------------- +Release Date: 17 Jun 2016 + * Add support for resource owner grant flow for ADFS + Version 0.1.19 -------------- Release Date: 26 Apr 2016 diff --git a/package.json b/package.json index 8f72b72..17757be 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "type": "git", "url": "https://github.com/AzureAD/azure-activedirectory-library-for-nodejs.git" }, - "version": "0.1.19", + "version": "0.1.20", "description": "Windows Azure Active Directory Client Library for node", "keywords": [ "node", "azure", "AAD", "adal", "adfs", "oauth" ], "main": "./lib/adal.js",
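Review bot: The new `happy-path-adfs-authority` test only pins the outcome with authority validation off (`new AuthenticationContext(adfsAuthority, false)`) and sets no expectation that the user-realm endpoint is left alone, so a regression that still performed realm discovery before the password grant would pass unless the suite disables network access globally, which is not visible here. Registering the realm scope the way `managed-happy-path` does (`util.setupExpectedUserRealmResponseCommon(false)`) and asserting it is never hit, or calling `nock.disableNetConnect()` for this test, would make the "skip realm discovery" behaviour observable. A second case constructed with `validateAuthority` set to `true` would also document whether an ADFS authority is accepted by validation or is expected to require opting out. The suite continues past the hunk.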