Securing Node JS API with JWT Token + Shibboleth SSO

My Question: How do I Secure my Node JS API with JWT Token having Shibboleth SSO as the Authentication mechanism?

[MY APPLICATION FLOW]

  • I have an AngularJS App and a Back-End Node JS App.
  • AngularJS App communicates with the Back-End App through API's exposed over HTTP.
  • Now the Authentication in AngularJS App is achieved using Shibboleth SSO which is working perfectly fine.
  • In Shibboleth SSO, the User is getting authenticated against an IDP and hence I don't have control over the Login mechanism. In other words, the IDP is out of my control.
  • Once authenticated, Shibboleth returns the required Data about the User to the AngularJS App.
  • And then the AngularJS App communicates with the Back-End App through API to fetch some Data.

[NORMAL JWT SCENARIO TO SECURE API]

  • The user attempts Login from Front-End App which will call a Login API at the Back-End by sending Username and Password.
  • At the Back-End, if the User exists, the Back-End generates a JWT Token and sends it back to the User.
  • The User will utilize that JWT Token to make further API calls. And the Back-End can verify the Token and respond appropriately.
  • Hence Securing the API and preventing unauthorized access.

[MY JWT SCENARIO AND PROBLEM]

  • When the User will arrive at Front-End AngularJS App, the User would have already been authenticated.
  • And now the AngularJS App will make some API calls to the Back-End for some data.
  • [Problem/Question]: How do I secure my Back-End API from Unauthorized Access?

[AN APPROACH WITH A FLAW]

  • [Approach]: I can create a Login API in my Node JS App which will accept the Username and Password that I have received from Shibboleth SSO and generate a JWT Token at the Back-End, and make the Back-End return that JWT Token as a Response, which can be further utilized by the User to make API calls.
  • [Flaw]: But the Problem with this Approach is: How do I authenticate the legitimacy of the Username and Password that I am receiving from the Front-End?

So again My Question is: How do I Secure my Node JS API with JWT Token having Shibboleth SSO as the Authentication mechanism?


I hope I have explained my scenario properly. Any help, guidance, or a right direction will be appreciated.

Thanks :)

Ankit Prajapati asked Jul 18 '18 21:07


1 Answer

The [NORMAL JWT SCENARIO TO SECURE API] strategy is explained in this article: https://medium.com/front-end-weekly/learn-using-jwt-with-passport-authentication-9761539c4314.

Assuming you use a library like Node Express to implement your API resource endpoints, you can make use of an application middleware like Passport that handles authentication and restricts access to resources only for clients in possession of a valid JWT token:

  • The NodeJS back-end app implements a local Passport strategy based on username and password, and the logic to generate and sign the JWT token.
  • The AngularJS app calls the /login endpoint on the back-end and is provided with a JWT token.
  • The AngularJS app includes the JWT token in any of the subsequent requests made towards the protected resource endpoints.

At this moment we introduce [MY JWT SCENARIO AND PROBLEM]: when the user reaches the AngularJS app, he is already authenticated by Shibboleth SSO. And you want to ensure that he cannot go out of the SSO context by allowing the AngularJS app to provide its own username / password to the NodeJS back-end.

That requires a trusted way to validate the SAML2 assertion provided to the AngularJS app by the IdP in the NodeJS back-end. Per the SAML description available at https://community.apigee.com/articles/33625/saml-20-vs-jwt-understanding-federated-identity-an.html, that requires trust to be established between the NodeJS back-end and the IDP such that the back-end can validate the SAML assertion provided by the AngularJS app.

For that I based my theoretical answer on this article: https://wiki.library.ucsf.edu/spaces/flyingpdf/pdfpageexport.action?pageId=361762610. It basically extends the JWT-token implementation already discussed above as follows:

  • Include a passport-saml strategy in order to communicate with Shibboleth SSO for SAML2 assertion validation and register the NodeJS back-end as an SP with the IdP (see the Provide SP metadata to IDP section in the above link).
  • Remove the original /login endpoint protected by the local strategy, as we do not wish to allow unverified username / password logins.
  • Create an /ssologin endpoint in the NodeJS back-end and protect access to the route with Passport authentication using the SAML strategy. The AngularJS app will call this endpoint and pass the SAML2 assertion as part of the attempt to access it.
  • Implement the action for the /ssologin route. This will only be called if the SAML2 assertion has been validated by the NodeJS app against the Shibboleth SSO (IdP). You can now use information from the SAML assertion to generate the JWT token in the back-end and return it to the AngularJS app.
  • All other resource endpoints remain protected with the JWT Passport strategy. The AngularJS app needs to send the JWT token every time it wants to access them.

Hope it helps in devising a definitive solution.

M. F. answered Oct 15 '22 12:10