npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

bms-mca-token-validation-strategy

v2.0.11

Published

The bms-mca-token-validation-strategy module provides the passport strategy and verification method to validate the access token and id token issues by a Mobile Client Access service.

Downloads

14

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

appid.productionappid.productionrotembrrotembrbluemixmobileservicesbluemixmobileservices

Keywords

Readme

IBM Bluemix Mobile Services - Mobile Client Access Passport Strategies

Mobile Client Access service allows to protect your backend applications with a mobile enabled OAuth security.

The bms-mca-token-validation-strategy module provides the passport strategy and verification method to validate the access token and id token issues by a Mobile Client Access.

Strategies

MCABackendStrategy

passport.use(new MCABackendStrategy(options));

The options parameter is optional. If specified, it can contain:

  • cacheSize The cache size, the default value is 10000;

The MCABackendStrategy is used for a backend application that is deployed on IBM Bluemix. It will validate the authorization header from an incoming request against the MCA server url specified in the VCAP_SERVICES variable, where the service name starts with AppID, for the appId extracted from VCAP_APPLICATION.

MCAResourceStrategy

passport.use(new MCAResourceStrategy(options));

The options parameter is optional. If specified, it can contain:

  • appId Optional. Specifies the application id for which the authorization will be validated.
  • applicationIdProvider Optional. Specifies a mechanism to obtain the application id by calling the function applicationIdProvider(request). The MCAResourceStrategy will try to get the application id from the options appId first, then by calling the method applicationIdProvider; if neither of these options are specified, the application id will be obtained from the request url.
  • serverUrl Specifies the IBM MobileFirst server URL from which the public key will be retrieved to verify the authorization header.
  • cacheSize The cache size, the default value is 10000.

Instead of defining the above optional appId,applicationIdProvider or serverUrl in the options parameter of the MCAResourceStrategy constructor, you can also specify them in the options of the passport.authenticate() method. No matter where these three options are specified, the application id and serverUrl are mandatory, otherwise an error 400 will occur.

Sample

The following sample code shows how to use MCABackendStrategy in a Node.js application:

Start by making sure that you have installed all the required modules

$ npm install -save express
$ npm install -save passport
$ npm install -save bms-mca-token-validation-strategy

Add the below code to your Node.js application

var express = require('express');
var passport = require('passport');
var MCABackendStrategy = require('bms-mca-token-validation-strategy').MCABackendStrategy;

passport.use(new MCABackendStrategy());

var app = express();
app.use(passport.initialize());

app.get('/v1/apps/:appid/service', passport.authenticate('mca-backend-strategy', {session: false }),
	function(req, res){
		res.send(200, "Success!");
	}
);

app.listen(3000);

Authorization header

The authorization header in the request consist of three parts Bearer, Access Token and Id Token that are separated by a white space: Bearer <Access Token> <Id Token>

For bms-mca-token-validation-strategy, <Access Token> is mandatory and <Id Token> is optional. The validation works as follows:

  • It will verify the signature of the access token and id token, as well as their exp field.
  • It requires that aud be the same as the application id for which the authorization is validated.
  • It requires that the authorization header start with Bearer, otherwise a 400 error will be returned, with the response header WWW-Authenticate: Bearer realm="imfAuthentication".
  • If the access token or id token is invalid, for example, they have expired or cannot be decodes, validation will return a 401 error, with the response header WWW-Authenticate: Bearer realm="imfAuthentication", error="invalid_token".

Mobile Client Access security context

After the authorization validation has passed, a security context object is added in the current request object. You can get a reference to it by calling request.securityContenxt The security context contains the subject, user, device and the application information stored in the below fields:

  • imf.sub The subject of the id token or the unique id of the client if there is no id token.
  • imf.user The user identity extracted from the id token. If there is no id token, this field holds a blank object.
  • imf.device The device identity extracted from the id token. If there is no id token, this field holds a blank object.
  • imf.application The application identity extracted from the id token. If there is no id token, this field holds a blank object.

The imf.user field in the security context is extracted as the user object in passport framework. See sample below

app.get('/v1/apps/:appid/service', passport.authenticate('mca-backend-strategy', {session: false }),
	function(req, res){
		res.send(200, req.securityContext);
	}
);

The above code would return


{ 
	"imf.sub":"myclientid",
	"imf.user": {
		"id":"user-name",
		"authBy":"myrealm",
		"displayName":"display-name"
	},
	"imf.device": {
		"id":"device-id",
		"platform":"iOSnative",
		"model":"device-model",
		"osVersion":"device-os"
	},
	"imf.application": {
		"id":"ios.bundle.id",
		"version":"1.0"
	}
}

License

This package contains sample code provided in source code form. The samples are licensed under the under the Apache License, Version 2.0 (the "License"). You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 and may also view the license in the license.txt file within this package. Also see the notices.txt file within this package for additional notices.