npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@kth/kth-node-passport-oidc

v5.2.0

Published

OpenId Connect Express middleware, strategy and utils

Downloads

1,559

Readme

KTH Node Passport OpenID Connect

Simple and configurable package for OpenID Connect authentication. Based on node-openid-client and gives you Express middleware based on Passport.

Quick start

$ npm install @kth/kth-node-passport-oidc
const { OpenIDConnect, hasGroup } = require('@kth/kth-node-passport-oidc')

const oidc = new OpenIDConnect(server, passport, {
  ...config.oidc,
  appCallbackLoginUrl: _addProxy('/auth/login/callback'),
  appCallbackLogoutUrl: _addProxy('/auth/logout/callback'),
  appCallbackSilentLoginUrl: _addProxy('/auth/silent/callback'),
  defaultRedirect: _addProxy(''),
  extendUser: (user, claims) => {
    user.isAdmin = hasGroup(config.auth.adminGroup, user)
  },
  log,
})

// And use the middleware with your routes
appRoute.get('node.page', _addProxy('/silent'), oidc.silentLogin, Sample.getIndex)
appRoute.get('node.index', _addProxy('/'), oidc.login, Sample.getIndex)

The basics

There are three basic OIDC functions

login

A normal login. Use this middleware to force the user to login into the OpenID Connect server.

After a successful login a user object can be found in req.user.

If not, the user may not visit the route

silentLogin

A silent login. Basically the user is allowed to be anonymous.

Use this middleware to check if the user is logged into the OpenID Connect server.

If the user is logged in a user object can be found in req.user.

If not, the user is anonymous and the req.user will be undefined. The silent login will occur again after anonymousCookieMaxAge expires.

logout

Logs out the user from both the OpenID Connect server and this app.

Configuration

Configuration for each OIDC function comes in pairs. A pair consist of the same URL in two different formats.

One that is configured directly into the OpenID Connect client and the other is used to set up the URL in our app through a Express route.

These URLs are used by the OpenID Connect server to communicate with our app during authentication.

Note: Only the login configuration is required but you will most likely want at least also the logout

req.user

On a successful login passport will add a user object on the request object. By default this object will have the following properties:

| Property | Type | Example | Description | | ----------- | ------ | ------------------------------------- | ---------------------------------------------------------------------- | | username | string | johnd | KTH Username | | displayName | string | John Doe | Users full name | | email | string | | KTH email address. This requires higher security clearance | | memberOf | array | ['app.myApp.user', 'app.myApp.admin'] | Groups connected to this user. This requires higher security clearance |

If you would like to add properties to the user object you can do this by adding a function called extendUser when instantiating OpenIDConnect. The function can also be async.

The function makes changes directly to the user object and must have this signature:

;(user, claims) => {
  user.isAwesome = true
}

The claims argument is the full response from the OpenID Connect server

Parameters

| Param | Type | Description | | --------------------------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | expressApp | Object | The express app instance | | passport | Object | The passport instance | | config | Object | Configuration object | | config.configurationUrl | string | Url to OpenID Connect server Example: https://myOpenIDServer.com/adfs/.well-known/openid-configuration | | config.clientId | string | This apps clientID | | config.clientSecret | string | This apps client secret | | config.tokenSecret | string | This apps token secret, used for encrypting token for session storage | | config.callbackLoginUrl | string | This apps full URL to callback function for standard login. Example: http://localhost:3000/node/auth/login/callback | | config.callbackLoginRoute | string | The callback route used for setting up the express route. Same as config.callbackUrl without host. Example: /node/auth/login/callback | | [config.callbackSilentLoginUrl] | string | Optional This apps full URL to callback function for silent login. Example: http://localhost:3000/node/auth/silent/callback | | [config.callbackSilentLoginRoute] | string | Optional The silent callback route used for setting up the express route. Same as config.callbackUrl without host. Example: /node/auth/silent/callback | | [config.callbackLogoutUrl] | string | Optional This apps full URL to callback function for logout. Example: http://localhost:3000/node/auth/logout/callback | | [config.callbackLogoutRoute] | string | Optional The logout callback route used for setting up the express route. Same as config.callbackUrl without host. Example: /node/auth/logout/callback | | config.defaultRedirect | string | Fallback if no next url is supplied to login or on logout | | [config.extendUser] | function | Optional Function which gives you the possibility to add custom properties to the user object. The supplied function can be a async. Example: (user, claims) => { user.isAwesome = true } or async (user, claims) => { // do a api call } | | [config.log] | Object | Optional Logger object which should have logging functions. Used for logging in this module. Example: logger.error('Error message') | | [config.setIsOwner] | boolean | Optional flag with false as default. When used with requireRole, user object includes the property isOwner which is set to true only if req.parameter contains the same username as the logged in username. | | |

Properties on the created OIDC

login(req, res, next) ⇒ Promise.<Middleware>

Kind: global function
Summary: Check if the user it authenticated or else redirect to OpenID Connect server for authentication
Returns: Promise.<Middleware> - A promise which resolves to a middleware which ensures a logged in user

| Param | Type | Description | | ----- | --------------------- | -------------------------------- | | req | Object | Express request object | | res | Object | Express response object | | next | function | Express next middleware function |

Example

oidc.login

silentLogin(req, res, next) ⇒ Promise.<Middleware>

Kind: global function
Summary: Check if the user is anonymous or authenticated, known as a "silent login" for authentication
Returns: Promise.<Middleware> - A promise which resolves to a middleware which ensures a silent authenticated user

| Param | Type | Description | | ----- | --------------------- | -------------------------------- | | req | Object | Express request object | | res | Object | Express response object | | next | function | Express next middleware function |

Example

oidc.silentLogin

logout(req, res) ⇒ Promise.<Middleware>

Kind: global function
Summary: Express Middleware that logs out the user from both the OpenID Connect server and this app. Note: The user is redirected to the config.defaultRedirect after a successful logout.
Returns: Promise.<Middleware> - A promise which resolves to a middleware which logs out the current user

| Param | Type | Description | | ----- | ------------------- | ----------------------- | | req | Object | Express request object | | res | Object | Express response object |

Example

oidc.logout

requireRole(roles) ⇒ Middleware

Kind: global function
Summary: Express Middleware that checks if the req.user has this/these roles.
Returns: Middleware - A Express middleware

A role is a property found on the user object and has most likely been added through the optional extendUser function parameter. @see {config.extendUser}
Api: public

| Param | Type | Description | | ----- | --------------------------------- | ------------------------------------------------------------------ | | roles | Array.<string> | Array of roles to be compared with the ones on the req.user object |

Example

oidc.requireRole('isAdmin', 'isEditor')

Versions and Migrating

v4

Important: SilentLogin now uses the toolbar cookie KTH_SSO_START for deciding if the user should be silently logged in.

Basically: if the cookie exists we will try to silently login in the user.

This eliminates a strange behavior for our users. Most users considers the Social toolbar as the main place to log in into KTH. But if they used one app before they logged into the toolbar, a session was already created in that app which was anonymous.

By letting the app know, through the KTH_SSO_START cookie, that it should try again to log in the user, we get a better flow for the user.

v3

Changes how the data in the session is stored during login.

v2

Changes how the data in the session is stored during login. Also adds the possibility to configure a logger which can be used to debug.

v1

The original :-)

Troubleshooting

I get a 403 Unauthorized when trying to login

If you get this message after you logged into the ADFS server it might be that your applications local time differs from the one on the ADFS server.

After you logged in, the client (browser) is trying to call the callback-route in your application.

The reason for this is that the JWT information contains a timestamp. If the timestamp differs to much the JWT will be refused and you get a 403.

Check your time settings. Are you synching with a time server? Try to change this to ntp.kth.se

Handling multiple simultaneous requests

If your app gets multiple simultaneous requests it will break. This is mainly because our session store does not work well with multiple app instances. It can overwrite session data if requests reach the two app instances at the same time.

And since we store ongoing auth information in the session, it will break most of the time. The last request will most likely succeed.

One way to handle this is to ensure that a login has been made before all the requests are made.

Example

This solution is currently used in directory-web and files-web.

In Directory-web, the app that makes multiple calls for avatar images, use this middleware on its public routes. It bounces the incoming page requests, if needed, against files-web.

Note: Working locally, localhost:3000 and so on, can be problematic. The KTH_SSO_START cookie has a domain set which will not work with localhost. One way is to simply create a "fake cookie" with the same name.

const bounceOnFiles = (req, res, next) => {
  const cookies = Object.keys(req.cookies)
  const filesAuthHandling = `${cookies.includes('files-web.sid')}${cookies.includes('KTH_SSO_START')}`

  // By adding the existence of the two cookies above we create a state. The state
  // shows if a files-cookie exists and if a KTH_SSO_START cookie exists. If the
  // state changes during calls we bounce against files-web again to get a correct state

  if (req.session.filesAuthHandling === filesAuthHandling) {
    return next()
  }

  req.session.filesAuthHandling = filesAuthHandling
  const nextUrl = encodeURIComponent(req.protocol + '://' + req.get('host') + req.originalUrl)
  // config.files.url = https://www-r.referens.sys.kth.se/files
  return res.redirect(`${config.files.url}/auth/silent/bounce?nextUrl=${nextUrl}`)
}

serverSettings.js

files: {
  url: getEnv('FILES_URL', devDefaults('http://localhost:3003/files')),
}

In Files-web, the app that serves avatar images has this routes which handles the bounce request. As you may notice there is a simple whitelisting of the accepted urls to be redirected.

const urlWhitelist = ['localhost', '.kth.se']

server.get(_addProxy('/auth/silent/bounce'), oidc.silentLogin, async (req, res, next) => {
  const nextUrl = req.query.nextUrl

  if (!nextUrl) {
    return res.status(400).send('Missing nextUrl param')
  }

  if (!urlWhitelist.find(whitelisted => nextUrl.includes(whitelisted))) {
    return res.status(400).send('Not an accepted url')
  }

  return res.redirect(nextUrl)
})

Development

  1. Clone the repo
    $ npm clone [email protected]:KTH/kth-node-passport-oidc.git
  2. Install dependencies
    $ npm install

Generate API documentation

This project includes a simple generation of Markdown documentation from the JS-doc in our code.

To run this:

$ npm run buildApiDocs

Now you have a api.md file in the root of the project. Use this to update the main README.md