# Usage of Passport strategies in Nest.js


jovial quarry
#

Hi, I have a question on how to correctly work with authorization in Nest.js.

I want to sign in using MSAL (Microsoft Authentication Library) in my SPA (Next.js, React or React Native).

This way I retrieve access token issued from Microsoft, and then I'm sending this access token to my Nest.js backend, where I call Microsoft Graph API to retrieve basic information about the user.

If the request is OK, it means the access token is validated and has not been tampered with. Then, I return my own JWT issued by my Nest.js backend.

Is this approach correct? If so, what are the use cases of passport-azure-ad or passport-microsoft?

Thank you
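The exchange described in the post, as an added example that is not code from the thread or from any Nest.js project: the Microsoft token is presented to Graph's `/me` endpoint, and only if Graph accepts it does the backend mint its own short-lived HS256 JWT. It assumes a fetch-like function is injected so the Graph call can be stubbed offline, and signs with Node's `crypto` instead of a JWT library; the Nest decorators, guard and module wiring are left out.

```typescript
// Added example, not from the thread. Assumed: fetchFn is injected (stubbed in tests),
// and the backend JWT is HS256 signed with node:crypto rather than a JWT library.
import { createHmac, timingSafeEqual } from "node:crypto";

type FetchLike = (
  url: string,
  init: { headers: Record<string, string> },
) => Promise<{ status: number; json(): Promise<any> }>;

const GRAPH_ME = "https://graph.microsoft.com/v1.0/me"; // real Graph endpoint from the post's flow

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Mint the backend's own JWT once Graph has accepted the Microsoft access token.
export function signBackendJwt(claims: Record<string, unknown>, secret: string, ttlSec = 900): string {
  const now = Math.floor(Date.now() / 1000);
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSec }));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Verify the backend JWT on later requests: constant-time signature check, then expiry.
export function verifyBackendJwt(token: string, secret: string, nowSec = Math.floor(Date.now() / 1000)): any {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest("base64url");
  if (expected.length !== s.length || !timingSafeEqual(Buffer.from(expected), Buffer.from(s))) return null;
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  return typeof claims.exp === "number" && claims.exp > nowSec ? claims : null;
}

// The exchange itself: Graph rejecting the token (non-200) means no backend JWT is issued.
export async function exchangeMsToken(msToken: string, secret: string, fetchFn: FetchLike): Promise<string | null> {
  const res = await fetchFn(GRAPH_ME, { headers: { Authorization: `Bearer ${msToken}` } });
  if (res.status !== 200) return null; // expired, revoked or wrong-audience token
  const me = await res.json();
  if (typeof me.id !== "string") return null; // defensive: Graph answered but without an identity
  return signBackendJwt({ sub: me.id, name: me.displayName }, secret);
}
```

A Passport strategy such as passport-azure-ad instead validates the Microsoft token locally against the tenant's published signing keys, so no Graph round-trip is needed on each sign-in.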

civic belfry
worn escarp
#

On the question of whether your plan with the JWT is a good one:

I'd suggest either using sessions (easier) or if you want JWTs, to use both an access and refresh token (harder) in the Nest backend.

And, no matter if sessions or refresh tokens, you need to call the MS endpoint in tandem, to refresh that token too (or log the user out, if the MS access and/or refresh token is no longer valid). In other words, your Nest backend needs to be the middleware for the MS session.

Does that make sense?

acoustic fiber
#

Hello there! I'm using JWT actually. I don't know if that's possible. I want to create IAM for all users created, I don't want to give the user the username and password. I only want to give them an access token. How can I generate this access token for the new user created? Thanks

jovial quarry
#

I have so many problems with Microsoft alone, as it generates a valid JWT for my work account, but fails to generate a valid JWT for my personal account. Whether I will then use JWT or session for my own API is then a simple decision (even though I still incline to JWT due to React Native).

#

What @civic belfry sent is a good read though, I will take it as an inspiration.

worn escarp
#

@jovial quarry - So, there is no mechanism to "lock" out or "log out" the user from Microsoft's system?