oe-component-passport
v2.3.0
Published
oe-cloud module to initialize passport component supporting regular strategies and JWT as access token
Downloads
23
Readme
oe-component-passport
This project implements multiple authentication capability provided by passportjs.
Pre-requisites
- oe-cloud
- oe-logger
- loopback-component-passport
- Configure model-config.json of application with UserIdentity and UserCredential with proper datasource as per application's datasource configuration
Features
- Local and 3rd party authentication support (like Facebook, google oauth authentication)
- JWT authentication support
- JWT as access_token
- Configurable "Cookie" generation with users/login api (set ENABLE_COOKIE=true)
- Parameterized providers.json
Difference from previous version of oe-cloud
- All extented models - BaseUser, BaseRole, BaseUserRoleMapping etc has been removed.
- Depricated custom functions, like password compelxity, account lockout (as result of point 1)
- removal of custom cookies (default cookie of passportjs remains)
- Standardized with loopback authentication.
- Depricated use of custom headers for authentication (like x-jwt-assertion)
- Depricated trusted app - this feature can be used by creating service account user in normal User model and use this account for external app login
Usage and Example
Usage of this module needs an entry in package.json and also an entry to application's app-list.json
{
"path": "oe-component-passport",
"enabled": true
},
Inside your application, authentication can be done using "/User/login" or "/auth/local" which returns access_token as payload and in cookie if configured.
Configure model-config.json
Add UserIdentity and UserCredential models in your application's model-config.json (in your application's server directory) with correct dataSource name. Also set public true or false depending on your requirement to expose those as REST API or not.
"UserCredential": {
"dataSource": "db",
"public": false
},
"UserIdentity": {
"dataSource": "db",
"public": false
}
Parameterized providers.json
You can write providers json like this where you can parameterise a value like ${variable_name}
{
"local": {
"provider": "local",
"module": "passport-local",
"usernameField": "${userfieldname}",
"passwordField": "${PASSWORD_FIELD_NAME}",
"authPath": "/auth/local",
"successRedirect": "/explorer",
"failureRedirect": "/login",
"failureFlash": false,
"callbackHTTPMethod": "post",
"setAccessToken": true
}
}
In above example, usernameField value would be set to value of environment (or configuration) variable 'userfieldname' and passwordField value would be from environment (or configuration) variable 'PASSWORD_FIELD_NAME'. If those environmental variables are not set or not in configuration, '' (blank string) would be assigned.
Finacle SSO JWT
To use the application with finacle SSO JWT, check "/test" folder provider.js example for custom callback.
To make Finacle SSO JWT to work wihtout login in to your application (JWT generated from Finacle SSO in another app) you need to enable and set environment variables
Finacle SSO's JWT is expected to be directly passed in "Authorization" header or "authorization" signed cookie for any API call - only to those which comes under restApiRoot
path configured in config.js(or config.json or respective config file of each environment e.g. config.production.json).
Environment variables
SECRET_OR_KEY or PUBLIC_KEY should be fininfra's public key as base64 string (should be properly formated and the public key) ENABLE_FINACLE_SSO_JWT set to true
How to get public key
Get public key for jwt verify from cacerts and key.jks comes with fininfra (docker image)
keytool -importkeystore -srckeystore key.jks -destkeystore finaclesso.p12 -srcstoretype jks -deststoretype pkcs12
keytool -exportcert -alias finacle -keystore key.jks | openssl x509 -inform DER >cert.pem
Please note, all values (URLs) in providers.js(json) for fininfra entries are case sensitive and should be all small. Also, in provider.js(json) use same case which is used in Finacle SSO resource entry for Startup URL, Logout URL, client_id and client_secret.
JWT_FOR_ACCESS_TOKEN
To improve performance JWT can be used as access token. to enable that, set following environmental variable
SECRET_OR_KEY = 'secret'
JWT_FOR_ACCESS_TOKEN = true;
SECRET_OR_KEY could be any secret consisting alphanumeric value. If JWT_FOR_ACCESS_TOKEN is set true, and finacle sso also needs to be used, set finacle certificate to PUBLIC_KEY
Please note that this implementation of JWT just replaces generic access-token with JWT and saves checking user id from database for api every request that needs authentication (ACL).
To implement custom JWT payload to have user roles(to use in ACL varification) and other details; override User.login function along with User.prototype.createAccessToken and AccessToken.resolve
For any other login related customization, like password complexity, password history etc; please extend User model and add customized code in extended model (some example available in oe-demo-app)
The certificate format should be similar to this
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiUdFD5LPHdPKpSD+HpLzkfN6/
y0BDAbyo2srzBhQl81oqg+HPI/03jOsWs0cP0uS0eZOmrrlujLfbG+R3WKN5xPvB
brOBBA7N8axDRRZWoWkEX3KX2vaUfAxfQNp3tUhegliHtrLVPyutnowlY3f7/TzX
JbEND/PONc0VpaEf4wIDAQAB
-----END PUBLIC KEY-----