如何使用passport-azure-ad实现身份验证码流

Question

我正在使用微软的passport-azure-ad模块进行开放式id连接。我想要的流是认证码流，我的azure广告被配置为认证码流。我的问题是：

1) passport-azure-ad是否会查看响应类型，比如它是" code "，那么它将进行第一个调用来获取代码，然后将代码交换为令牌。因为我在实现代码时不会进行两次调用，而是直接获取access_token

2)如何使用passport-azure-ad实现PKCE的授权码授权流程？

我的代码如下所示

config.creds.responseType = 'code';
config.creds.responseMode = 'form_post';
config.creds.validateIssuer = true,
config.creds.issuer = null,
config.creds.passReqToCallback = false,
config.creds.useCookieInsteadOfSession = true,
config.creds.scope = 'email profile api://<gateway-url>/.default',

passport.use(new OIDCStrategy({
    identityMetadata: config.creds.identityMetadata,
    clientID: config.creds.clientID,
    responseType: config.creds.responseType,
    responseMode: config.creds.responseMode,
    redirectUrl: config.creds.redirectUrl,
    allowHttpForRedirectUrl: config.creds.allowHttpForRedirectUrl,
    clientSecret: config.creds.clientSecret,
    validateIssuer: config.creds.validateIssuer,
    isB2C: config.creds.isB2C,
    issuer: config.creds.issuer,
    passReqToCallback: config.creds.passReqToCallback,
    scope: config.creds.scope,
    loggingLevel: config.creds.loggingLevel,
    nonceLifetime: config.creds.nonceLifetime,
    nonceMaxAmount: config.creds.nonceMaxAmount,
    useCookieInsteadOfSession: config.creds.useCookieInsteadOfSession,
    cookieEncryptionKeys: config.creds.cookieEncryptionKeys,
    clockSkew: config.creds.clockSkew,
  },
  function(iss, sub, profile, jwtClaims, accessToken, refreshToken, params, done) {
    if (!profile.oid) {
      return done(new Error("No oid found"), null);
    }
    profile.groups = jwtClaims.groups;
    profile.auth_tokens = params;
    console.log("**************Params received after login: ", params);
    //asynchronous verification, for effect...
    process.nextTick(function () {
      findByOid(profile.oid, function(err, user) {
        if (err) {
          return done(err);
        }
        if (!user) {
          // "Auto-registration"
          users.push(profile);
          return done(null, profile);
        }
        return done(null, user);
      });
    });
  }
));

Answer 1

我对上述问题1的回答是肯定的。我希望有更多的文档，但我发现这对passport-azure-ad代码非常有帮助。这是用oidcstragegy.js编写的

 /*****************************************************************************
       * Step 3. Handle the flows
       *----------------------------------------------------------------------------
       * (1) implicit flow (response_type = 'id_token')
       *     This case we get a 'id_token'
       * (2) hybrid flow (response_type = 'id_token code')
       *     This case we get both 'id_token' and 'code'
       * (3) authorization code flow (response_type = 'code')
       *     This case we get a 'code', we will use it to get 'access_token' and 'id_token'
       * (4) for any other request, we will ask for authorization and initialize
       *     the authorization process
       ****************************************************************************/