JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 23
  • Score
    100M100P100Q69662F
  • License MIT

OpenID Connect Resource Server Authentication for Node.js

Package Exports

  • @solid/oidc-rs
  • @solid/oidc-rs/src/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@solid/oidc-rs) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

OpenID Connect Resource Server Authentication

OpenID Connect Resource Server Authentication for Node.js

Features

  • OAuth 2.0 Bearer Token Usage (RFC 6750)
  • JWT Access Token Validation (Specification pending)
  • Issuer discovery (OpenID Connect Discovery)
  • Dynamic key rotation (OpenID Connect Core)
  • Multiple issuer support
  • Scope validation
  • Allow and deny access by "iss", "aud", and "sub" claims

Usage

Install

$ npm install @solid/oidc-rs

Require

const ResourceServer = require('@solid/oidc-rs')

ResourceServer

ResourceServer maintains a cache of provider metadata and JSON Web Keys for verifying signatures. Provider discovery and acquisition of keys takes place when a JWT access token is decoded. The provider metadata and JWK Set are cached in memory. Therefore no configuration is required.

const rs = new ResourceServer()

The provider cache can be serialized and persisted, then restored like so:

const providers = require('./providers.json')
ResourceServer.from({providers}).then(rs => /* ... */)

Global server authentication

const app = express()
app.use(rs.authenticate(options))

Route specific configuration

app.get('/endpoint', rs.authenticate(options), (req, res, next) => {})

Middleware Options

No configuration is required in order to start using this middleware. All options are optional.

rs.authenticate({
  realm: 'user',
  scopes: ['foo', 'bar'],
  allow: {
    issuers: ['https://forge.anvil.io'],
    audience: ['clientid1', 'clientid2'],
    subjects: ['userid1', 'userid2', 'useridn']
  },
  deny: { // probably want to use either allow or deny, but not both
    issuers: ['https://forge.anvil.io'],
    audience: ['clientid1', 'clientid2'],
    subjects: ['userid1', 'userid2', 'useridn']
  },
  handleErrors: false, // defaults to true
  tokenProperty: 'token',
  claimsProperty: 'claims'
})
  • realm – Value of "realm" parameter to use in WWW-Authenticate challenge header.
  • scopes – Array of scope values required to access this resource.
  • allow – Object with arrays of allowed issuers, audience and subjects.
  • deny – Object with arrays of restricted issuers, audience and subjects.
  • handleErrors – When set to false, error conditions will result in a call to next(), passing control to the application's error handling.
  • tokenProperty – Name of property on req to assign decoded JWT object. The property will not be set unless defined.
  • claimsProperty – name of property on req to assign verified JWT claims. Defaults to "claims".

Running tests

Nodejs

$ npm test

MIT License

The MIT License

Copyright (c) 2016 Anvil Research, Inc. Copyright (c) 2017-2019 The Solid Project