Skip to content

Passport strategy for validating JWTs issued from Predix UAA instances

Notifications You must be signed in to change notification settings

tim-hutchinson/passport-predix-jwt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

passport-predix-jwt

Passport strategy for validating JWTs issued from Predix UAA instances.

This strategy validates a JWT passed as a bearer token in the Authorization header against a specified UAA instance and is targeted at protecting API endpoints served by Node.JS applications. There is currently one strategy completed, RemoteValidationStrategy, with a LocalValidationStrategy on the roadmap.

The RemoteValidationStrategy authenticates by checking the token against the app's cache or UAA's check_token endpoint. Remote validation adds additional requests against your auth server, but lets you validate opaque tokens and check if the token has been revoked. For more information see the Predix UAA docs.

Installation

npm install git+https://github.com/tim-hutchinson/passport-predix-jwt.git

Usage

LocalValidationStrategy

Configure strategy

The strategy expects 1 of 2 options to be set:

  • uaaServiceName - The name of the UAA service bound to your app in CloudFoundry. By using service discovery, you can easily change UAA instances without changing your application (recommended).
  • issuer - The IssuerId URI of your UAA service, as a string. Ex: https://46995891-525c-41a3-b46b-a31e93db2eeb.predix-uaa.run.asv-pr.ice.predix.io/oauth/token
var passport = require('passport');
var PredixLocalJWTStrategy = require('passport-predix-jwt').LocalValidationStrategy;

passport.use(new PredixLocalJWTStrategy({
        uaaServiceName: 'uaa'
    }, 
    function (jwt_payload, done) {
        // Get a user record and call it back
        var user = Users.findByToken(jwt_payload);
        done(null, user);
    }
));

RemoteValidationStrategy

Configure strategy

The strategy expects the following options to be set. uaaServiceName or issuer must be set.

  • uaaServiceName - The name of the UAA service bound to your app in CloudFoundry. By using service discovery, you can easily change UAA instances without changing your application (recommended).
  • issuer - The IssuerId URI of your UAA service, as a string. Ex: https://46995891-525c-41a3-b46b-a31e93db2eeb.predix-uaa.run.asv-pr.ice.predix.io/oauth/token
  • clientId - Required. Your Client ID with the UAA service. Needed to call /check_token
  • clientSecret - Required. Your Client secret with the UAA service. Needed to call /check_token
  • opts - Additional parameters for remote validation.
    • ttl - The maximum amount of time, in seconds, to cache a validated token in memory for. If 0, does not cache. Default: 0
    • useCache - Whether or not to look in the cache for a previously validated token. Default: true
var passport = require('passport');
var PredixRemoteJWTStrategy = require('passport-predix-jwt').RemoteValidationStrategy;

passport.use(new PredixRemoteJWTStrategy({
        uaaServiceName: 'uaa',
        clientId: 'myClient',
        clientSecret: 'mySecret',
        opts: { ttl: 2*60*60, 
                useCache: true 
            }
    }, 
    function (jwt_payload, done) {
        // Get a user record and call it back
        var user = Users.findByToken(jwt_payload);
        done(null, user);
    }
));

Authenticating Users

Use passport.authenticate(), specifying the predix-local-jwt or predix-remote-jwt strategy, to authenticate requests.

For example, as route middleware in an Express application:

app.get('/auth/example', passport.authenticate('predix-remote-jwt'));

About

Passport strategy for validating JWTs issued from Predix UAA instances

Resources

Stars

Watchers

Forks

Packages

No packages published