Moved azure and graph modules to a standalone package.

.gitignore

@@ -1,6 +1,7 @@
 # Ignore node modules and config files
 node_modules
 *config.js
+*config.json
 .env
 
 # MacOS system files

README.md

@@ -0,0 +1,20 @@
+# Azure Node Playground
+ 
+ This repository contains sample code for authenticating and interacting with Azure services using Node.js. It demonstrates how to use the Microsoft Authentication Library (MSAL) to acquire tokens and access various Azure resources.
+ 
+## How to impersonate Azure CLI
+
+Azure CLI is a well-known public application that can be used to authenticate and access Azure resources. To impersonate Azure CLI in your Node.js application, you can use the following configuration:
+
+Use interactive login or device code flow to authenticate as Azure CLI. Use the following configuration parameters:
+
+- **Application (client) ID**: `04b07795-8ddb-461a-bbee-02f9e1bf7b46`
+- **Tenant ID**: your tenant ID
+
+You can verify the application ID of Azure CLI by running the following command in your terminal:
+
+```bash
+az account get-access-token --scope "https://management.azure.com/.default" --debug
+```
+
+and then look for the `client_id` field in the debug output. Unfortunately, you can't use `az ad app show` to get details about this public application.

bin/auth-test.mjs

@@ -1,34 +0,0 @@
-#!/usr/bin/env node
-
-import { ClientSecretCredential } from "@azure/identity";
-import { config } from "../config.js";
-import { createHash } from "crypto";
-
-// We need to wrap the async code in an IIFE
-// Check, authentication using @azure/identity requires a client secret.
-if (config.clientSecret) {
-  console.log("Client secret is set.");
-  // Create the client
-  const credential = new ClientSecretCredential(
-    config.tenantId,
-    config.clientId,
-    config.clientSecret,
-  );
-
-  const token = await credential.getToken(
-    "https://management.azure.com/.default",
-  );
-  if (token) {
-    console.log("Authentication with client secret successful.");
-    const hash = createHash("sha256").update(token.token).digest("hex");
-    console.log("SHA-256 hash of access token:", hash);
-    console.log("Token expires on:", new Date(token.expiresOnTimestamp).toISOString());
-  } else {
-    console.error("Authentication with client secret failed.");
-    process.exit(1);
-  }
-} else {
-  console.warn(
-    "Warning: No client secret generated. Authentication may fail if the application requires a client secret.",
-  );
-}

bin/create-app-and-sp.mjs

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+
+import { config } from "../public-config.js";
+import {
+  createApp,
+  createSp,
+  getApp,
+  getGraphClient,
+  getServicePrincipal,
+} from "../src/graph.js";
+import { parseArgs } from "node:util";
+
+async function usage() {
+  console.log("Usage: create-app-and-sp.mjs --app-name <name>");
+}
+
+async function main() {
+  const { client } = await getGraphClient({
+    tenantId: config.tenantId,
+    clientId: config.clientId,
+  });
+
+  const args = parseArgs({
+    options: {
+      "app-name": {
+        type: "string",
+        short: "n",
+      },
+    },
+  });
+
+  if (!args.values["app-name"]) {
+    await usage();
+    return;
+  }
+
+  console.log("Will create app with name:", args.values["app-name"]);
+
+  let app = await getApp(client, args.values["app-name"]);
+  if (!app) {
+    app = await createApp(client, args.values["app-name"]);
+    console.log("Created app:", app.appId);
+  }
+
+  let sp = await getServicePrincipal(client, app.appId);
+  if (!sp) {
+    sp = await createSp(client, app.appId);
+    console.log("Created service principal:", sp.id);
+  }
+
+  console.log(`The application and associated service principal are ready.
+App ID: ${app.appId}
+Service Principal ID: ${sp.id}`);
+}
+
+await main().catch((e) => {
+  console.error("Error in main:", e);
+  console.error(e.stack);
+  process.exit(1);
+});

bin/delete-app-and-sp.mjs

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+
+import { config } from "../public-config.js";
+import {
+  deleteApp,
+  deleteSp,
+  getApp,
+  getGraphClient,
+  getServicePrincipal,
+} from "../src/graph.js";
+import { parseArgs } from "node:util";
+
+async function usage() {
+  console.log("Usage: delete-app-and-sp.mjs --app-name <name>");
+}
+
+async function main() {
+  const { client } = await getGraphClient({
+    tenantId: config.tenantId,
+    clientId: config.clientId,
+  });
+
+  const args = parseArgs({
+    options: {
+      "app-name": {
+        type: "string",
+        short: "n",
+      },
+    },
+  });
+
+  if (!args.values["app-name"]) {
+    await usage();
+    return;
+  }
+
+  console.log("Will delete app with name:", args.values["app-name"]);
+
+  const app = await getApp(client, args.values["app-name"]);
+  if (!app) {
+    console.log("No app found with name:", args.values["app-name"]);
+    return;
+  }
+
+  const sp = await getServicePrincipal(client, app.appId);
+  if (sp && sp.id) {
+    await deleteSp(client, sp.id);
+    console.log("Deleted service principal:", sp.id);
+  } else {
+    console.log("No service principal found for appId:", app.appId);
+  }
+
+  if (app && app.id) {
+    await deleteApp(client, app.id);
+    console.log("Deleted app:", app.appId);
+  } else {
+    console.log("App object id missing; cannot delete application");
+  }
+}
+
+await main().catch((e) => {
+  console.error("Error in main:", e);
+  console.error(e.stack);
+  process.exit(1);
+});

bin/interactive-login.mjs

@@ -3,8 +3,10 @@
 import { loginInteractive } from "../src/azure.js";
 import { config } from "../public-config.js";
 import { createHash } from "crypto";
+import { Client } from "@microsoft/microsoft-graph-client";
 
-const scopes = ["https://management.azure.com/.default"];
+// const scopes = ["https://management.azure.com/.default"];
+const scopes = ["https://graph.microsoft.com/.default"];
 
 let token;
 
@@ -15,9 +17,9 @@ try {
     scopes,
   });
 } catch (e) {
-    console.error("Login failed:", e);
-    console.error(e.stack);
-    process.exit(1);
+  console.error("Login failed:", e);
+  console.error(e.stack);
+  process.exit(1);
 }
 
 console.log("Access token acquired.");
@@ -26,3 +28,30 @@ console.log("Access token acquired.");
 const hash = createHash("sha256").update(token.accessToken).digest("hex");
 console.log("SHA-256 hash of access token:", hash);
 console.log("Token expires on:", token.expiresOn);
+
+const client = Client.init({
+  authProvider: (done) => {
+    done(null, token.accessToken);
+  },
+});
+
+let result;
+
+result = await client
+  .api("/applications")
+  .filter("displayName eq 'Azure Node Playground Public'")
+  .get();
+
+const apps = result.value ?? [];
+console.log(
+  `Registered applications with the name 'Azure Node Playground' (${apps.length}):`,
+);
+
+if (apps.length !== 1) {
+  console.error(
+    "Expected exactly one application with the name 'Azure Node Playground'. Please ensure it is registered in your Azure AD tenant.",
+  );
+  process.exit(1);
+}
+
+console.log("Application details:", apps[0]);

bin/login.mjs

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+
+import { readFileSync } from "fs";
+import { parseArgs } from "util";
+import { getCredential } from "../src/azure.js";
+
+let config = {};
+
+async function main() {
+  // Parse command line arguments to determine which credential type to use
+  const args = parseArgs({
+    options: {
+      help: { type: "boolean", short: "h" },
+      "credential-type": { type: "string", short: "t", default: "default" },
+      "config": { type: "string", short: "c", default: "app-config.json" },
+      "tenant-id": { type: "string", default: process.env.AZURE_TENANT_ID || "" },
+      "client-id": { type: "string", default: process.env.AZURE_CLIENT_ID || "" },
+      "client-secret": { type: "string", default: process.env.AZURE_CLIENT_SECRET || "" },
+      "client-secret-file": { type: "string", default: process.env.AZURE_CLIENT_SECRET_FILE || "" },
+    },
+  });
+
+  if (args.values.help) {
+    console.log("Usage: login.mjs [options]");
+    console.log("Options:");
+    console.log("  -h, --help                Show this help message");
+    console.log("  -c, --config              Path to the configuration file (default: config.js)");
+    console.log("  --tenant-id               Azure Tenant ID");
+    console.log("  --client-id               Azure Client ID");
+    console.log("  --client-secret           Azure Client Secret");
+    console.log("  --client-secret-file      Path to file containing Azure Client Secret");
+    console.log("  -t, --credential-type     Specify the credential type to use (default: default)");
+    process.exit(0);
+  }
+
+  // First, check if configuration file is spefiedd
+  const configPath = args.values.config;
+  if (configPath) {
+    // Load the JSON configuration file using readFileSync
+    const configFile = readFileSync(configPath, "utf-8");
+    config = JSON.parse(configFile);
+  }
+
+  // Process command line overrides
+  if (args.values["tenant-id"]) {
+    config.tenantId = args.values["tenant-id"];
+  }
+  if (args.values["client-id"]) {
+    config.clientId = args.values["client-id"];
+  }
+  if (args.values["client-secret"]) {
+    config.clientSecret = args.values["client-secret"];
+  } else if (args.values["client-secret-file"]) {
+    // Read client secret from file
+    config.clientSecret = readFileSync(args.values["client-secret-file"], "utf-8").trim();
+  }
+
+  // Create the appropriate credential based on the specified type
+  const credential = await getCredential(args.values["credential-type"], config);
+
+  console.log("Successfully obtained credential:", credential);
+}
+
+main().catch((error) => {
+  console.error("An error occurred:", error);
+  process.exit(1);
+});

bin/open-browser.mjs

@@ -1,8 +1,13 @@
-import open from "open";
+import open, { apps } from "open";
 
 async function openBrowser(url) {
   try {
-    await open(url);
+    await open(url, {
+      wait: false,
+      app: {
+        name: apps.edge
+      }
+    });
     console.log(`Browser opened to ${url}`);
   } catch (error) {
     console.error(`Failed to open browser: ${error}`);

src/azure.js

@@ -1,138 +0,0 @@
-// auth.js
-import http from "node:http";
-import { URL } from "node:url";
-import open from "open";
-import crypto from "node:crypto";
-import { PublicClientApplication } from "@azure/msal-node";
-import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
-
-function fileCachePlugin(cachePath) {
-  return {
-    beforeCacheAccess: async (ctx) => {
-      if (fs.existsSync(cachePath)) {
-        ctx.tokenCache.deserialize(
-          fs.readFileSync(cachePath, "utf8")
-        );
-      }
-    },
-    afterCacheAccess: async (ctx) => {
-      if (ctx.cacheHasChanged) {
-        fs.mkdirSync(path.dirname(cachePath), { recursive: true });
-        fs.writeFileSync(
-          cachePath,
-          ctx.tokenCache.serialize()
-        );
-      }
-    },
-  };
-}
-
-function generatePkce() {
-  const verifier = crypto.randomBytes(32).toString("base64url"); // 43 chars, valid
-  const challenge = crypto
-    .createHash("sha256")
-    .update(verifier)
-    .digest("base64url");
-
-  return { verifier, challenge, challengeMethod: "S256" };
-}
-
-export async function loginInteractive({ tenantId, clientId, scopes }) {
-  if (!tenantId) throw new Error("tenantId is required");
-  if (!clientId) throw new Error("clientId is required");
-  if (!Array.isArray(scopes) || scopes.length === 0)
-    throw new Error("scopes[] is required");
-
-  const cachePath = path.join(
-    os.homedir(),
-    ".config/azure-node-playground",
-    `${clientId}-token-cache.json`
-  );
-
-  const pca = new PublicClientApplication({
-    auth: {
-      clientId,
-      authority: `https://login.microsoftonline.com/${tenantId}`,
-    },
-    cache: {
-      cachePlugin: fileCachePlugin(cachePath),
-    },
-  });
-
-  const accounts = await pca.getTokenCache().getAllAccounts();
-
-  if (accounts.length > 0) {
-    try {
-      const silentResult = await pca.acquireTokenSilent({
-        account: accounts[0],
-        scopes,
-      });
-      return silentResult;
-    } catch (e) {
-      // proceed to interactive login
-    }
-  }
-
-  const pkce = generatePkce();
-
-  return new Promise((resolve, reject) => {
-    let redirectUri;
-
-    const server = http.createServer(async (req, res) => {
-      try {
-        const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
-
-        if (url.pathname !== "/callback") {
-          res.writeHead(404).end();
-          return;
-        }
-
-        const code = url.searchParams.get("code");
-        if (!code) {
-          res.writeHead(400).end("Missing authorization code");
-          server.close();
-          reject(new Error("Missing authorization code"));
-          return;
-        }
-
-        res.end("Authentication complete. You may close this tab.");
-        server.close();
-
-        const token = await pca.acquireTokenByCode({
-          code,
-          scopes,
-          redirectUri,
-          codeVerifier: pkce.verifier,
-        });
-
-        resolve(token);
-      } catch (e) {
-        try { server.close(); } catch {}
-        reject(e);
-      }
-    });
-
-    server.listen(0, "127.0.0.1", async () => {
-      try {
-        const { port } = server.address();
-        redirectUri = `http://localhost:${port}/callback`;
-        console.log("Using redirectUri:", redirectUri);
-
-        const authUrl = await pca.getAuthCodeUrl({
-          scopes,
-          redirectUri,
-          codeChallenge: pkce.challenge,
-          codeChallengeMethod: pkce.challengeMethod,
-        });
-
-        try { await open(authUrl, { wait: false }); } catch {}
-        console.log("If the browser didn't open, visit:\n" + authUrl);
-      } catch (e) {
-        try { server.close(); } catch {}
-        reject(e);
-      }
-    });
-  });
-}