Azure-Samples/active-directory-javascript-nodejs-webapi-v2

cannot get AAD Federation metadata from endpoint you specified

DarkLite1 opened this issue · 13 comments

I'm having a similar issue to this one. Upon app start all is fine and no error is displayed:

{"name":"AzureAD: Bearer Strategy","hostname":"BELSGFRANIT04","pid":1900,"level":40,"msg":"Production environments should always validate the issuer.","time":"2020-07-06T07:27:08.881Z","v":0}
{"name":"AzureAD: Bearer Strategy","hostname":"BELSGFRANIT04","pid":1900,"level":30,"msg":"In BearerStrategy constructor: strategy created","time":"2020-07-06T07:27:08.883Z","v":0}
Listening on port 5000

Then when visiting the protected route http://localhost:5000/hello with the browser (unauthorized) we get this:

{"name":"AzureAD: Metadata Parser","hostname":"BELSGFRANIT04","pid":1900,"level":50,"msg":"cannot get AAD Federation metadata from endpoint you specified","time":"2020-07-06T07:29:08.102Z","v":0}
{"name":"AzureAD: Metadata Parser","hostname":"BELSGFRANIT04","pid":1900,"level":50,"msg":"cannot get AAD Federation metadata from endpoint you specified","time":"2020-07-06T07:29:08.102Z","v":0}
{"name":"AzureAD: Bearer Strategy","hostname":"BELSGFRANIT04","pid":1900,"level":30,"msg":"authentication failed due to: Error: Cannot get AAD Federation metadata","time":"2020-07-06T07:29:08.104Z","v":0}
GET /hello 401 163.631 ms - -

This happens with the latest sample.

config.js

const config = {
    identityMetadata: "https://login.microsoftonline.com/xxx-xxx-xxx-xxx-xxx",
    clientID: "xxx-xxx-xxx-xxx-xxx",
    validateIssuer: false,
    loggingLevel: 'info',
    passReqToCallback: false
};

module.exports = config

@DarkLite1 seems like the readme is misleading, apologies for the confusion. The identityMetadata should also include the .../v2.0/.well-known/openid-configuration. So to clarify,

  1. On Azure Portal, go to your App Registration, and click on the Endpoints link in the Overview tab. There, check the string for OpenID Connect Metadata document. This is your identityMetadata.

  2. Still on Azure Portal>App Registration, check the Manifest tab. Make sure your accessTokenAcceptedVersion property in app manifest is set to 2.

You should then be able to call your api without issues. Again, apologies for the mistake; I'll update the readme (but feel free to suggest a PR if you like).
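A preflight check for the two settings named above, added here as an example (it is not code from the sample repository): it verifies that identityMetadata is the v2.0 OpenID Connect metadata document and that the manifest's accessTokenAcceptedVersion is 2, and it also flags validateIssuer: false, which the startup log warns about. The tenant ID, the sample config objects and the helper names are constructed for illustration.

```javascript
// Added example, not code from the sample repo: offline preflight check for the
// two settings this thread identified behind "cannot get AAD Federation metadata".

const METADATA_SUFFIX = '/v2.0/.well-known/openid-configuration';

// Hypothetical helper: build the v2.0 OpenID Connect metadata URL for a tenant,
// i.e. the "OpenID Connect metadata document" string under Endpoints in the portal.
function buildIdentityMetadata(tenant) {
  return `https://login.microsoftonline.com/${tenant}${METADATA_SUFFIX}`;
}

// Check a BearerStrategy config together with the app registration manifest.
// Returns a list of problems; an empty list means the thread's two fixes are in place.
function checkConfig(config, manifest) {
  const problems = [];
  let url;
  try {
    url = new URL(String(config.identityMetadata));
  } catch (e) {
    return [`identityMetadata is not a URL: ${config.identityMetadata}`];
  }
  if (url.protocol !== 'https:') {
    problems.push('identityMetadata must use https');
  }
  if (!url.pathname.endsWith('/.well-known/openid-configuration')) {
    // The original report: tenant ID only, no metadata document path.
    problems.push('identityMetadata must end with /.well-known/openid-configuration');
  } else if (!url.pathname.includes('/v2.0/')) {
    // The second config in the thread: right document name, but the v1.0 path.
    problems.push('identityMetadata points at the v1.0 document; use the /v2.0/ path');
  }
  if (manifest.accessTokenAcceptedVersion !== 2) {
    problems.push(`accessTokenAcceptedVersion is ${manifest.accessTokenAcceptedVersion}; set it to 2`);
  }
  if (config.validateIssuer !== true) {
    // Mirrors the level-40 startup warning: production should validate the issuer.
    problems.push('validateIssuer is not enabled; enable it outside local development');
  }
  return problems;
}

// Constructed inputs shaped like the config in the original report and the fixed one.
const TENANT = '00000000-0000-0000-0000-000000000000'; // placeholder tenant ID
const reportedConfig = { identityMetadata: `https://login.microsoftonline.com/${TENANT}`, validateIssuer: false };
const fixedConfig = { identityMetadata: buildIdentityMetadata(TENANT), validateIssuer: true };

console.log(checkConfig(reportedConfig, { accessTokenAcceptedVersion: null })); // three problems
console.log(checkConfig(fixedConfig, { accessTokenAcceptedVersion: 2 }));       // []
```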

Thank you, this helped me out.

In my app accessTokenAcceptedVersion is set to null, so it defaults to 1 I guess.
Now I tried using the configs below.

const { BearerStrategy } = require('passport-azure-ad');

const bearerStrategy = new BearerStrategy({
    identityMetadata: "https://login.microsoftonline.com/XXXXX/.well-known/openid-configuration",
    clientID: "XXXXX",
    validateIssuer: false,
    loggingLevel: 'info',
    passReqToCallback: false
}, (token, done) => {
    // Send user info using the second argument
    done(null, {}, token);
});

But I am receiving the same error.

Same problem here. @derisen, I cannot find the Endpoints link in my Overview tab.

@thelements please set the accessTokenAcceptedVersion to 2 in the Portal>Manifest. You should be good to go after.

@sinkaz take a look at the screenshot below:

(screenshot: Ek Açıklama 2020-07-13 091833)

@derisen Your comment on July 6, 2020 helped me out greatly. My problem was a typo in the tenant name in the config file, but it manifested itself with the error that @DarkLite1 reported. This put me on the right path.

SOLUTION (React and Node.js, B2C): I was still not able to fetch API results because in the documentation for the API config.json file it is written as below:
credentials -> tenantName: The first part of your Azure AD B2C tenant name. FOR EXAMPLE CONTOSO. This is wrong;
PLEASE ADD the full domain contoso.onmicrosoft.com :)

tiki

@Jamal8548 can you share here which document you're looking at?

Thanks, I'll make sure to get that fixed.

@derisen I have one short question. The solution I was looking for (I also sent you the link) is for React.js and Node.js (Express.js), but what if we don't use Express.js in Node and instead of Express I am using Apollo Server (GraphQL)? There is no documentation on this specific topic. Do you have any idea how I can apply this in Apollo Server (GraphQL)? I am not using Express (REST API). I would appreciate it if you would suggest me something.

@Jamal8548 Unfortunately we don't have any examples using Apollo Server at the moment, but we can consider adding this to the backlog.

@derisen would you please give me your valuable feedback in this regard? I am a student.

USE CASE: My project is based on React (front end) and Node.js (API). I want authentication and authorization (both) in my project. Currently I tried it with Azure AD B2C, but how can I get authorization in it? I mean some users are admin users and only they have access to some endpoints. I researched it and found that it may be possible to get users from Azure AD (Graph API) before generating a token or something like that, so please recommend the best solution for the above use case. I want the best solution which is less in cost and effective. As I read, with Azure AD B2C the first 50,000 users/month are free, and I could not find how many users are free with Azure AD. In the end, please recommend whether I should go with only Azure AD (it's expensive) or with Azure AD B2C (50,000 users per month free, less cost), but one drawback is that authorization is not a feature of Azure AD B2C, so should I go with the above recommended solution, to get users from Azure AD for authorization and use Azure AD B2C? Your valuable feedback would be highly appreciated for the above chaos.