Passport strategy for validating JWTs issued from Predix UAA instances.
This strategy validates a JWT passed as a bearer token in the Authorization header against a specified UAA instance and is targeted at protecting API endpoints served by Node.JS applications. There is currently one strategy completed, RemoteValidationStrategy, with a LocalValidationStrategy on the roadmap.
The RemoteValidationStrategy authenticates by checking the token against the app's cache or UAA's check_token
endpoint.
Remote validation adds additional requests against your auth server, but lets you validate opaque tokens and check if the token has been revoked.
For more information see the Predix UAA docs.
npm install git+https://github.com/tim-hutchinson/passport-predix-jwt.git
The strategy expects 1 of 2 options to be set:
uaaServiceName
- The name of the UAA service bound to your app in CloudFoundry. By using service discovery, you can easily change UAA instances without changing your application (recommended).issuer
- The IssuerId URI of your UAA service, as a string. Ex:https://46995891-525c-41a3-b46b-a31e93db2eeb.predix-uaa.run.asv-pr.ice.predix.io/oauth/token
var passport = require('passport');
var PredixLocalJWTStrategy = require('passport-predix-jwt').LocalValidationStrategy;
passport.use(new PredixLocalJWTStrategy({
uaaServiceName: 'uaa'
},
function (jwt_payload, done) {
// Get a user record and call it back
var user = Users.findByToken(jwt_payload);
done(null, user);
}
));
The strategy expects the following options to be set. uaaServiceName
or issuer
must be set.
uaaServiceName
- The name of the UAA service bound to your app in CloudFoundry. By using service discovery, you can easily change UAA instances without changing your application (recommended).issuer
- The IssuerId URI of your UAA service, as a string. Ex:https://46995891-525c-41a3-b46b-a31e93db2eeb.predix-uaa.run.asv-pr.ice.predix.io/oauth/token
clientId
- Required. Your Client ID with the UAA service. Needed to call/check_token
clientSecret
- Required. Your Client secret with the UAA service. Needed to call/check_token
opts
- Additional parameters for remote validation.ttl
- The maximum amount of time, in seconds, to cache a validated token in memory for. If 0, does not cache.Default: 0
useCache
- Whether or not to look in the cache for a previously validated token.Default: true
var passport = require('passport');
var PredixRemoteJWTStrategy = require('passport-predix-jwt').RemoteValidationStrategy;
passport.use(new PredixRemoteJWTStrategy({
uaaServiceName: 'uaa',
clientId: 'myClient',
clientSecret: 'mySecret',
opts: { ttl: 2*60*60,
useCache: true
}
},
function (jwt_payload, done) {
// Get a user record and call it back
var user = Users.findByToken(jwt_payload);
done(null, user);
}
));
Use passport.authenticate()
, specifying the predix-local-jwt
or predix-remote-jwt
strategy, to
authenticate requests.
For example, as route middleware in an Express application:
app.get('/auth/example', passport.authenticate('predix-remote-jwt'));