
Identity Server 4 for NodeJS API

I'm trying to figure out how to do the identity server 4 authentication below using NodeJS - way out of my comfort zone here.

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "<authority-url>";
        options.ApiName = "<api-url>";
    });

I'm missing something in the flow here, as the C# implementation isn't provided a secret or similar - so the token is probably verified via Identity Server? How would I verify the token using NodeJS if I don't have a 'secret' to verify it with?

I've stumbled on the introspection endpoint - am I heading in the right direction?

Kim Lindqvist asked Dec 26 '17 19:12



2 Answers

I was able to solve this using the JWKS endpoint and its public keys to verify tokens, and I also found a nice package that I used to prepare the middleware:

import jwt = require("express-jwt");
import jwksClient = require("jwks-rsa");
import ms = require("ms");

class AuthMiddleware {
    // IdentityServer4 authority URL, read from the environment
    private issuer: string = process.env.idsrv as string;

    auth = jwt({
        // no shared secret: the RS256 public keys are fetched from the JWKS endpoint
        secret: jwksClient.expressJwtSecret({
            cache: true,        // see https://github.com/auth0/node-jwks-rsa#caching
            cacheMaxAge: ms('24h'),
            rateLimit: true,    // see https://github.com/auth0/node-jwks-rsa#rate-limiting
            jwksRequestsPerMinute: 100,
            jwksUri: `${this.issuer}/.well-known/openid-configuration/jwks`
        }),

        // validate the audience & issuer of the received token
        audience: `${this.issuer}/resources`,
        issuer: this.issuer,
        algorithms: ["RS256"]
    });
}
Kim Lindqvist answered Nov 15 '22 11:11


The accepted answer is right, but I wanted to fix some of its trial errors. You can easily (it took me 4 days) add authentication to your Express API with IDS4. This is how it works:

Creating a middleware:

const jwt = require("express-jwt"),
  jwksClient = require("jwks-rsa");

// address of the identityserver4 authority (the same value as options.Authority in .NET)
const issuer = "<authority-url>";

const auth = jwt({
  // no shared secret: the signing public keys are fetched from the JWKS endpoint
  secret: jwksClient.expressJwtSecret({
    cache: true, // see https://github.com/auth0/node-jwks-rsa#caching
    rateLimit: true, // see https://github.com/auth0/node-jwks-rsa#rate-limiting
    jwksRequestsPerMinute: 2,
    jwksUri: `${issuer}/.well-known/openid-configuration/jwks`,
  }),

  audience: "api1.resource", // <---- your api resource name.
  issuer: issuer, // <----- address of identityserver4.
  algorithms: ["RS256"], // <----- the signature algorithm the fetched public key is verified with.
});

The auth middleware above corresponds to the following code in .NET:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "<authority-url>";
        options.ApiName = "<api-url>";
    });

To secure a Node.js route you can use the following example:

const express = require("express");
const debug = require("debug")("api");
const app = express();

// this is the route secured by identityserver4.
// the jwt module sets the ids4 auth result in the req.user object,
// so you can use it to access the logged-in user's claims and so on.
// for example, when testing with client credentials it returns some info about the jwt token sent to the /me endpoint.
app.get("/me", auth, (req, res) => {
  const user = req.user;
  debug("req.user: %O", user);

  return res.json(user);
});

// this is an unsecured route, so anyone can call it without any restrictions.
app.get("/", (req, res) => {
  return res.send("Hello");
});

app.listen(3000);

It took me so long to find out how to secure Node.js or Express with IdentityServer4, but it was as simple as it looks.

The code here is from the following IdentityServer4 community example, with a full IDS4 setup, Node API, JavaScript client and .NET console client: https://github.com/lyphtec/idsvr4-node-jwks

There is good documentation about this example in its own GitHub repository too.

You can download the Node API and run it with yarn start or npm run start.

I tested it with client credentials flow and it worked like a charm.

Wish all of you luck.

Nima Maskani answered Nov 15 '22 12:11