azuread / azure-activedirectory-library-for-nodejs Goto Github PK

Add .npmignore to ignore the test folder.
And alternative would be to do a files element in package.json but that has the potential to get overridden by .npmignore, so we will not do that. https://docs.npmjs.com/files/package.json#files

When calling authenticationContext.acquireToken(resource, userid, clientid, callback) with a token cache specified, if there's a cache miss (say the underlying cached data was deleted by the user), you get a "Error: cannot read property 'accessToken' of undefined" exception down in the bowels of adal.

In this case it should instead throw a specific well defined "No cached tokens found" error or something along those lines.

Looking at the code in cache-driver.js, starting at line 301:

  var now = new Date();

  if (isResourceSpecific && now.isAfter(expiryDate)) {

It's checking to see if the token is expired by comparing against the exact expiration date. This opens users up to a rare but impossible to debug race condition - if the token expires between the time this check passes and the time it actually goes out over the wire requests will fail with an expired token.

This should be checking with a slop factor - if it's within 10 minutes of expiration then refresh it, for example.

Please refer this issue filed in xplat cli repo: https://github.com/Azure/azure-xplat-cli/issues/1612

Fix the typo error:

TokenRequest.prototype.getTokenWithUsernamePassword = function(username, password, callback) {
  this._log.info('Acquiring token with username password');

  this._userId = username;
  this._getToken(callback, function(innerCallback) {
    var self = this;
    this._userRealm = this._createUserRealmRequest(username);
    this._userRealm.discover(function(err) {
      if (err) {
        innerCallback(err);
        return;
      }

      switch(self._userRealm.accountType) {
        case AccountType.Managed:
          self._getTokenUsernamePasswordManaged(username, password, innerCallback);
          return;
        case AccountType.Federated:
          self._getTokenUsernamePasswordFederated(username, password, innerCallback);
          return;
        default:
          innerCallback(self._log.createError('Server returned an unknown AccountType: ' + self._userRealm.AccountType));
      }
    });
  });

self._userRealm.AccountType should be self._userRealm.accountType

Hello,

I suppose it's on purpose you have not implemented the Resource Owner Password grant for Azure AD? In principle, it's almost there, you just would have to add a clientSecret to the TokenRequest, extend createOAuthParameters with CLIENT_SECRET and add an extra parameter clientSecret to the acquireTokenWithUsernamePassword method of AuthenticationContext (tried it, it works).

Before I would create a PR for that, I thought I'd ask whether it's actually desired or not.

Best regards,
Martin

I can't seem to locate API documentation for this library. Are there only samples?

The current implementation of server certificate base auth requires the developer to pass in the private key to a cert. This might not be possible in all cases. For instance, developers using key vault would not be able to do this. To support these scenarios we need to be able to pass in a function or functions that node adal can call when it needs to sign something. This would allow adal to be abstracted from the exact location of the cert.

sample/package.json declares a dependency on Express v2 but sample/website-sample.js initializes express by calling express() which is Express v3 syntax.

To reproduce the issue:

1. git clone <repo>
2. cd sample
3. npm install && node website-sample.js

Failing output:

.../sample/website-sample.js:32
var app = express();
          ^
TypeError: object is not a function
    at Object.<anonymous> (.../sample/website-sample.js:32:11)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Function.Module.runMain (module.js:501:10)
    at startup (node.js:129:16)
    at node.js:814:3

After enabling the log on adal.Logging at verbose level and making a token request with acquireTokenWithClientCredentials, the log output contains a clear text version of the password.

Look for the following in the logs:

{GUID} - WSTrustRequest: VERBOSE: Sending RST to [...]
<s:Envelope [...]>
  <wsse:Username>{UserName}</wsse:Username>
  <wsse:Password>{ClearTextPassword}</wsse:Password>

Call context.acquireTokenWithClientCredentials, passing null for the username (but passing a valid resource and password).

Expected to get the callback invoked with an error. Instead the callback is never invoked and the app just hangs.

From another email thread asking for feedback.

"The most actionable was that there was no clear error message when trying to authenticate using localhost over HTTP (http://localhost:3000) vs HTTPS; errors about invalid authorization grant, etc. It took a “I’m a big idiot” moment to flip on SSL and watch everything work."

Hello,

we are using browserify for this project and the target platform uses AMD as well, which leads to an unresolved dependency problem for uuid.v4 ()

It seems, that node-uuid has made a correction broofa/node-uuid@7cc55a5 for this issue, prefering exports over define

Do you think an update to at least 1.4.3 would be appropriate for you?

Run jshint to clean up all its related issues.

This is a question rather than an issue. I just want clarification on if this library can be used against an ADFS authority rather than an Azure AD authority.

Thanks

It would be helpful to be able to identify which apps have which version of ADAL so that we can identify apps that should be updated.

Do not implement this until we have agreement on the shape of the public API changes.

Currently for device profile flow, if user doesn't supply the correlation id, the correlation will be different for code request and token request. This increases difficulty for tracking down errors on server side.

Hi,

After user is authenticated (GET /authorize?...), can I use his JWT (id_token) to call the Graph API (https://graph.windows.net/contoso.onmicrosoft.com/users?api-version=1.0&...)?

I want to get full user profile (including user groups).

Currently, I'm getting the following error:

Response body

{
  "odata.error": {
    "code": "Authentication_MissingOrMalformed",
    "message": {
      "lang": "en",
      "value": "Access Token missing or malformed."
    },
    "values":null
  }
}

Response headers

'request-id': '48c2e927-a746-42b9-8c59-49219ca5da48',
'client-request-id': '323ff27a-e589-4cea-8060-5e5c6a419d2e',
'x-ms-dirapi-data-contract-version': '1.0',
'strict-transport-security': 'max-age=31536000; includeSubDomains',
'access-control-allow-origin': '*',
'www-authenticate': 'Bearer realm="XYZ.onmicrosoft.com", error="invalid_token", error_description="Access Token missing or malformed.", authorization_uri="https://login.windows.net/XYZ.onmicrosoft.com/oauth2/authorize", client_id="00000002-0000-0000-c000-000000000000"'

Thanks!

It turns out that the default configuration for ADFS doesn't support WS-Trust 1.3 which is the latest version. Instead, it supports an earlier draft version, WS-Trust 2005. We need to look for 1.3 and if it is not present in the MEX, look for WS-Trust 2005 and use that instead.

It looks like there is already support for the App Model v2.0 in the devConvergence branch. Is this available through npm? Or will it be released with the GA of v2.0?

We're building a feature where there's a secure credential store on the client, from which we get the user name and password to use in the acquireTokenWithClientCredentials call. If the user name and password are invalid, we need to revoke them from the store.

Currently, it's not too obvious from the error whether the credentials were bad (e.g. expired, with a typo, etc...) or whether there was an issue at the transport level (e.g. failure to connect to remote host, TLS handshake failed, etc...).

It would be helpful to get detailed feedback on this in the errors. E.g. "error.transportError = true;".

Sample cred errors:

1. Invalid username

Server returned an unknown AccountType: undefined

1. Bad credentials

WS-Trust RST request returned http error: 500 and server response: [...]
  <s:Fault>
    <s:Code>
      <s:Value>s:Sender</s:Value>
      <s:SubCode>
        <s:Value>a:FailedAuthentication</s:Value>
[...]
  <s:Reason>
    <s:Text>ID3242: The security token could not be authenticated or authorized.</s:Text>
[...]

Sample transport errors:

  <s:Subcode>
    <s:Value>a:ActionNotSupported</s:Value>
  </s:Subcode>
[...]
  <s:Reason>
    <s:Text xml:lang="en-US">The message with Action
'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'
cannot be processed at the receiver, due to a ContractFilter mismatch
at the EndpointDispatcher. This may be because of either a contract
mismatch (mismatched Actions between sender and receiver) or a
binding/security mismatch between the sender and the receiver.  Check
that sender and receiver have the same contract and the same binding
(including security requirements, e.g. Message, Transport, None).
    </s:Text>
  </s:Reason>

Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

I have written a mocha test with the current flow:

• use acquireTokenWithUsernamePassword with correct username and password
• use acquireTokenWithUsernamePassword with same username but wrong password

The first test passes successfully. For the second test, I am expecting to receive a 400 error response. However, it seems that the function is taking the cached token from the first (successful) authentication request, so I am received a 200 response, even though I am passing the wrong password deliberately.

I was wondering if this is the behavior by design? Otherwise, how can I use the library to authenticate users in a reliable way?

Hi, I used this sample of code for test purposes: I manage to authenticate an account and get back the accessToken, but at no time am I asked to grant a set of permissions, yet my application registered on AzureAd requires a bunch of them.

I even tried to add prompt=consent in the request URL, but then I get an "incorrect request" message...

What am I doing wrong?

Webpack seems to have a problem with the way adal uses underscore to create the exports.

So in adal.js, remove the following two lines:

var _ = require('underscore');
_.extend(exports, authParams);

And instead of the above two lines, explicitly export the required functions, like so

exports.createAuthenticationParametersFromUrl = authParams.createAuthenticationParametersFromUrl
exports.createAuthenticationParametersFromResponse = authParams.createAuthenticationParametersFromResponse
exports.createAuthenticationParametersFromHeader = authParams.createAuthenticationParametersFromHeader
exports.AuthenticationParameters = authParams.AuthenticationParameters

As far as I can tell this fixes at least one problem working with Webpack.

As it stands callers do not have a good way of programmatically reacting to ADAL errors. This would be remedied if the library returned error codes along with the display string.

We are using AuthenticationContext.acquireAccessToken with proper login hint. Still the auth UI page does not show username. Impact is that user needs to feed in email address again.

Repro steps:

1. Install Office
2. Enter [email protected] in HRD dialog

It shows up ledcor.com's auth UX, but isn't prepopulated with email address that was already entered in HRD dialog

When retrieving a userid from an idtoken, one of the fallbacks is the subject field of the idtoken. Per the spec, the field is sub. I also confirmed it against login.windows.net token endpoint.

http://openid.net/specs/openid-connect-core-1_0.html#IDToken

Hi,

I was wondering if you could help me with this socket hang up error I'm encountering. I encounter the same issue with other sample code of O365-Nodejs.

System: OS X Yosemite 10.10.5
Node version: tried with both v0.10.25 and v0.12.9

Steps:

1. create an empty directory & cd into it
2. npm init
3. npm install adal-node --save
4. touch index.js, populate with a simplified version of adal-node/sample/client-credentials-sample.js, as below

//INDEX.JS
'use strict';
var fs = require('fs'),
    adal = require('adal-node');
var AuthenticationContext = adal.AuthenticationContext;
function turnOnLogging() {...}

var params = {
    tenant: 'fiveblocksup.onmicrosoft.com',
    authorityHostUrl: 'https://login.windows.net', //'https://login.microsoftonline.com/common', //TRIED BOTH
    clientId: 'validClientId',
    clientSecret: 'validSecret='
};

var authorityUrl = params.authorityHostUrl + '/' + params.tenant;
var resource = '00000002-0000-0000-c000-000000000000'; //not sure what this is for
turnOnLogging();
var context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCredentials(resource, params.clientId, params.clientSecret, function (err, tokenResponse) {
    if(err){
        console.log('######### ERROR #############');
        console.log(err.stack);
        console.log('#########  END  #############');
    } else {
        console.log(tokenResponse);
    }
});

This is the error I get:

Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - Authority: VERBOSE: Performing instance discovery: https://login.windows.net/fiveblocksup.onmicrosoft.com
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - Authority: VERBOSE: Performing static instance discovery
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - Authority: VERBOSE: Authority validated via static instance discovery.
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - TokenRequest: INFO: Getting token with client credentials.
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - TokenRequest: VERBOSE: No userId passed for cache query.
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - CacheDriver: VERBOSE: finding with query:{"clientId":"validClientId"}
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - CacheDriver: VERBOSE: Looking for potential cache entries:
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - CacheDriver: VERBOSE: {"_clientId":"validClientId"}
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - CacheDriver: VERBOSE: Found 0 potential entries.
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - TokenRequest: VERBOSE: No appropriate cached token found.
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - OAuth2Client: ERROR: Get Token request failed with
Stack:
Error: socket hang up
    at createHangUpError (_http_client.js:215:15)
    at TLSSocket.socketOnEnd (_http_client.js:300:23)
    at TLSSocket.emit (events.js:129:20)
    at _stream_readable.js:908:16
    at process._tickCallback (node.js:355:11)
{ [Error: socket hang up] code: 'ECONNRESET' }
Tue, 08 Dec 2015 22:15:01 GMT:4d55c64f-c7da-416c-8e9e-1afa46f2ef45 - TokenRequest: VERBOSE: getTokenFunc returned with err
######### ERROR #############
Error: socket hang up
    at createHangUpError (_http_client.js:215:15)
    at TLSSocket.socketOnEnd (_http_client.js:300:23)
    at TLSSocket.emit (events.js:129:20)
    at _stream_readable.js:908:16
    at process._tickCallback (node.js:355:11)
#########  END  #############

The library has hardcoded api-version=1.0 (oauthclient.js lines 93 and 108). It will be great if we could change that value programmatically or directly remove that header.
For the last day I've been investigating why the token I got from nodejs didn't worked when accessing a resource and that was the issued. The C# library doesn't seem to append that parameter.

Package currently depends on [email protected]. There's been a security update on that package you should take.

While installing azure-cli package, it raises a visible warning saying

npm WARN deprecated [email protected]: Security update: Versions below 3.0.0 are deprecated.

https://github.com/Azure/azure-xplat-cli/issues/1691

Can you please fix this?

Basically you don’t specify “licenses” anymore but “license” with a string that corresponds to a supported thing: https://spdx.org/licenses/. https://docs.npmjs.com/files/package.json

The function acquireTokenWithRefreshToken does not work for confidential clients since it doesn't take a client secret. We need to add that method.

I will try to get to this in the next couple of weeks.

Currently the 'isMRRT value that is added by cache-driver.js does not have an underscore, which would normally indicate that it is a public value. It should have been private. We should be careful that any change to this is done in a backward compatible way.

Quote from the node security project:

node-uuid prior to 1.4.4 contained a bug that caused it to consistently fall back to using Math.random instead of a more cryptographically sound source of entropy, the native crypto module.

https://nodesecurity.io/advisories/93

108 passing (996ms)
1 failing

1. client-credential cert-bad-cert:

  AssertionError: Unexpected error messageerror:0906D06C:PEM routines:PEM_read_bio:no start line
  + expected - actual

  -false
  +true

  at test/client-credential.js:279:7
  at TokenRequest.getTokenWithCertificate (lib/token-request.js:507:5)
  at AuthenticationContext.<anonymous> (lib/authentication-context.js:359:18)
  at lib/authentication-context.js:201:19
  at Authority._getOAuthEndpoints (lib/authority.js:223:5)
  at lib/authority.js:251:14
  at Authority._validateViaInstanceDiscovery (lib/authority.js:195:5)
  at Authority.validate (lib/authority.js:245:10)
  at AuthenticationContext._acquireToken (lib/authentication-context.js:196:19)
  at AuthenticationContext.acquireTokenWithClientCertificate (lib/authentication-context.js:357:8)
  at Context.<anonymous> (test/client-credential.js:277:13)

This link is broken on the main README file:
We provide a full suite of sample applications and documentation on GitHub

Doesn't work now...since the V2 Graph API got released...When is this going to get updated to support V2 AAd?

The list of root certificate authorities that node trusts is hard coded. The list is in this file:

https://github.com/nodejs/node/blob/master/src/node_root_certs.h

There is already an issue filed against node complaining about the fact that the list is hardcoded.

nodejs/node#4175

There is some code in one of the ADAL samples in this repo that indicate how to handle a CA that is not in the hard coded list.

outlook-web-16:00.js - Uncaught Sys.ArgumentNullException: Sys.ArgumentNullException: Value cannot be null. Parameter name: conversationId

This is an error that I'm getting when I try to call any of the O365 APIs (outlook, sharepoint ..) inside of Outlook app. I've added some code to project created by andrewconnell in https://github.com/OfficeDev/TrainingContent - O3657/O3657-3 Building Office Apps for Outlo

My forked repository and changes https://github.com/matejv1/TrainingContent

• added AnalJS, homeController, getFiles method inside of customerServices.js

If I remove manual bootstrapping of AngularJS inside of Office.initialize function + add ng-app directive on a DOM element this issue disappears but then we don't have an access to Office.js API since it is not yet initialized, which is critical in case you want to show something that is current email related.

Hopefully this is the best place to discuss this issue. PS:I've deleted the app with ID pushed in commit that I did - so no worries. I think.

https://github.com/Azure/azure-xplat-cli/issues/2497
Above issue on xplat cli has more info.

PowerBI API (resource='https://analysis.windows.net/powerbi/api') needs user/password authentication incl. ClientSecret. acquireTokenWithUsernamePassword doesnt support this scenario.

Error message is: "AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'

I didn't run the file but I came across the tests for cache driver and on line 93 I noticed:

for (var i = 0; i < cacheEntries[i].length; i++) {
        if (cacheEntries[i].isMRRT) {
          assert(cacheEntries[i]['refreshToken'] === mrrtRefreshToken, 'One of the responses refresh token was not correctly updated: ' + i);
        }

my guess is cacheEntries[i] is doing something you don't want. The length I can go to is the i we are currently on? This is going to do an odd sort of search. you probably meant cacheEntries.length

Escape xml chars in password before creating a xml request at wstrust-request.js.

azure-activedirectory-library-for-nodejs specifies request module version >= 2.9.203. From the package.json dependencies: "request": ">= 2.9.203",

when used with azure-xplat-cli, it ends up using request module version 2.27.0. From the azure-xplat-cli package.json dependencies: "request": "2.27.0"

Proxy support in the request module was refactored in roughly around version 2.52.0 (in January of 2015). Updating azure-activedirectory-library-for-nodejs to rely on this version or later fixes the issue with ADAL and respecting proxies when used with azure-xplat-cli.

Specific proxy settings being used (on mac and linux) are:

export HTTPS_PROXY=http://localhost:8888
export HTTP_PROXY=http://localhost:8888

On a local machine when using the azure cli, and the above proxy settings w/ no changes to which version of the request module, a man in the middle proxy sees only the connection to https://manage.azure.com (to get subscription information), it does not see the request to https://login.windows.net.

Modifying adal-node to require request 2.52.0 or newer, the request to https://login.windows.net is visible in the MITM proxy.

Submitting a small pull request with the change.

This function is not very useful as it currently sets the two compared dates to the same object. My guess is after fixing this your validation might fail also. Included is what I am doing for the python tests

function isExpiresWithinTolerance(expiresOn, expired){
  if (!expiresOn) {
    console.log('no expires_on');
    return false;
  }

  // Add the expected expires_in latency.
  var expectedExpires = expired ? new Date() : Date.yesterday();
  expectedExpires = expiresOn.addSeconds(28800);
  return isDateWithinTolerance(expiresOn, expectedExpires);
}

This line is going to add to expiresOn and set expectedExpires to the same object:

expectedExpires = expiresOn.addSeconds(28800);

Python code for what we are doing instead:

def isExpiresWithinTolerance(expiresOn):
    # Add the expected expires_in latency.
    expectedExpires = datetime.now() + timedelta(0, 28800)
    return isDateWithinTolerance(expiresOn, expectedExpires);

I tried running a u/p test that failed. I realized that my ADFS server was unreachable. However, the error message produced by ADAL indicates that there is a problem with the version of WS-Trust detected at ADFS. Clearly that can't be right. We should fix this up so the actual error is clear.

Here are logs:

Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - Authority: VERBOSE: Performing instance discovery: https://login.windows.net/
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - Authority: VERBOSE: Performing static instance discovery
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - Authority: VERBOSE: Authority validated via static instance discovery.
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - TokenRequest: INFO: Acquiring token with username password
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - CacheDriver: VERBOSE: finding with query:{"clientId":"624ac9bd--b56a8991cfb3","userId":""}
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - CacheDriver: VERBOSE: Looking for potential cache entries:
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - CacheDriver: VERBOSE: {"_clientId":"624ac9bd--b56a8991cfb3","userId":""}
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - CacheDriver: VERBOSE: Found 0 potential entries.
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - TokenRequest: VERBOSE: No appropriate cached token found.
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE: Performing user realm discovery at: https://login.windows.net/common/UserRealm/?api-version=1.0
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: INFO: User Realm DiscoveryServer returned this correlationId: 4779a602-8964-4403-a092-1b771902eeaa
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE: Discovery response:
{"ver":"1.0","account_type":"Federated","domain_name":"naturalcauses.com","federation_protocol":"WSTrust","federation_metadata_url":"https://fs.naturalcauses.com/adfs/services/trust/mex","federation_active_auth_url":"https://fs.naturalcauses.com/adfs/services/trust/2005/usernamemixed"}
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE: UserRealm response:
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE:  AccountType:             federated
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE:  FederationProtocol:      wstrust
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE:  FederationMetatdataUrl:  https://fs.naturalcauses.com/adfs/services/trust/mex
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - UserRealm: VERBOSE:  FederationActiveAuthUrl: https://fs.naturalcauses.com/adfs/services/trust/2005/usernamemixed
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - TokenRequest: VERBOSE: Acquiring token with username password for federated user
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - TokenRequest: VERBOSE: Attempting mex at: https://fs.naturalcauses.com/adfs/services/trust/mex
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - MEX: VERBOSE: Mex created with url: https://fs.naturalcauses.com/adfs/services/trust/mex
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - MEX: VERBOSE: Retrieving mex at: https://fs.naturalcauses.com/adfs/services/trust/mex
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - MEX: ERROR: Mex Get request failed with
Stack:
Error: getaddrinfo ENOTFOUND
    at errnoException (dns.js:37:11)
    at Object.onanswer [as oncomplete] (dns.js:124:16)
{ [Error: getaddrinfo ENOTFOUND] code: 'ENOTFOUND', errno: 'ENOTFOUND', syscall: 'getaddrinfo' }
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - TokenRequest: WARNING: MEX exchange failed.  Attempting fallback to AAD supplied endpoint.
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - WSTrustRequest: ERROR: Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.
Stack:
Error: Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.
    at Logger.createError (D:\git\npm-test\node_modules\adal-node\lib\log.js:201:13)
    at WSTrustRequest.acquireToken (D:\git\npm-test\node_modules\adal-node\lib\wstrust-request.js:203:25)
    at TokenRequest._performWSTrustExchange (D:\git\npm-test\node_modules\adal-node\lib\token-request.js:274:11)
    at TokenRequest._performUsernamePasswordForAccessTokenExchange (D:\git\npm-test\node_modules\adal-node\lib\token-request.js:299:8)
    at D:\git\npm-test\node_modules\adal-node\lib\token-request.js:359:12
    at Request._callback (D:\git\npm-test\node_modules\adal-node\lib\util.js:119:7)
    at self.callback (D:\git\npm-test\node_modules\request\request.js:368:22)
    at Request.emit (events.js:95:17)
    at Request.onRequestError (D:\git\npm-test\node_modules\request\request.js:1025:8)
    at ClientRequest.emit (events.js:95:17)
[Error: Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.]
Fri, 11 Sep 2015 03:41:30 GMT:4779a602-8964-4403-a092-1b771902eeaa - TokenRequest: VERBOSE: getTokenFunc returned with err
well that didn't work: Error: Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.
    at Logger.createError (D:\git\npm-test\node_modules\adal-node\lib\log.js:201:13)
    at WSTrustRequest.acquireToken (D:\git\npm-test\node_modules\adal-node\lib\wstrust-request.js:203:25)
    at TokenRequest._performWSTrustExchange (D:\git\npm-test\node_modules\adal-node\lib\token-request.js:274:11)
    at TokenRequest._performUsernamePasswordForAccessTokenExchange (D:\git\npm-test\node_modules\adal-node\lib\token-request.js:299:8)
    at D:\git\npm-test\node_modules\adal-node\lib\token-request.js:359:12
    at Request._callback (D:\git\npm-test\node_modules\adal-node\lib\util.js:119:7)
    at self.callback (D:\git\npm-test\node_modules\request\request.js:368:22)
    at Request.emit (events.js:95:17)
    at Request.onRequestError (D:\git\npm-test\node_modules\request\request.js:1025:8)
    at ClientRequest.emit (events.js:95:17)

There is a block of parameters in the code, not the one in the comments, that does not include a clientSecret key. This can confuse developers looking at the sample. We need to add one. It should probably look something like:

clientId = 'YOUR CLIENT ID';

Current log entries do not contain a timestamp. The ADAL libraries are going to move to a standard log format:

timestamp:correlation-id - ClassOrComponent: description"

so the timestamp needs to be added in order to bring adal-node in to compliance.