In this part we will execute the application and explore the impact of a few selected config parameters.
When using Github Codespaces we are running out applications in a virtual environment. To enable a workspace to receive traffic from the outside we use port forwarding. You can read more on Forwarding ports in your codespace. A few notes:
- Codespaces will usually forwards a port automatically when your application attaches to the port locally.
- You can configure Port Forwarding as part of the
/.devcontainer/devcontainer.json
- You can configure Port Forwarding using the github CLI (
gh
) - Ports have visibility "Private", "Private to Organization" and "Public". The two first ones expects an authenticated session with Github. The "Public" is public to the world - not authentication control is added by Codespaces.
- For our application using "Private" will work for all out-of-the-box exercises
Steps:
-
Run the application (from the terminal window where you defined the config variable)
npm start
-
Open the application using the Popup indicating that the app i running on port 3000 and offering a "Open in Browser" button. No need to make the port public
-
Open the browser and test the application
-
Stop the application
-
Observe that the "automatic port forwarding" is removing the forward for port 3000
-
Set the NODE_ENV to "development"
export NODE_ENV=development
-
Start the back-end (
npm start
) -
Observe that the "automatic port forwarding" is adding the forward for port 3000
-
Use the application again and observer the logging
-
Observe that the port forwarding is Private so it remembered your decision
- Do the steps above
- Follow the oauth dance by inspecting the log
- The Microsoft Entra ID Spec for the OAuth2 Auth Code Flow
- First leg: redirect to login.microsoftonline.com (the 302) with params and redirect_uri
- Second leg: receive code on redirect_uri endpoint, use code to request access token
- Extract the access token and inspect at jwt.ms
- Experiment with changing a few parameters of the authorization request (auth-utils.js)
- (npm will use the NODE_ENV to determine which dependencies to install)
- Using "dev" mode with auto restart on changes is nice when experimenting
npm run dev
- prompt
- scope
- Explore what consent you have given to apps on Microsoft Entra ID on myapps.microsoft.com
- Test revoking for your app (if available in the list, if not can you find how to add it to the list? :) )
- It is bad practice to extract information from tokens that are not intended for you
- Example: Extracting "given_name" at the client from the Access Token
- Port forwarding with "public" represents a security risk
URL parameters from 1st leg, "getting authorization code"