
Working Sample

Open coreyperkins opened this issue 10 years ago • 24 comments

This is a question. Does anybody have a working sample of using this? I have an OpenID Connect auth server in place using another tech and I'd like to use this lib to connect to it from an outside Node.js app. A sample would be handy. Thanks!

coreyperkins avatar Feb 28 '15 06:02 coreyperkins

+1

gobengo avatar Mar 04 '15 16:03 gobengo

I got it to work after a few tweaks, what are you having an issue with specifically?

jasps avatar Mar 04 '15 16:03 jasps

The only issue is myself. :)

I haven't used passport much and I was hoping for a quick and dirty I could slap into place to give it a shot. I thought it might be something that could benefit others as well.

Thanks!

coreyperkins avatar Mar 04 '15 16:03 coreyperkins

Check out the examples for passport-local (https://github.com/jaredhanson/passport-local) and then it should just be a case of changing the options for your strategy. The thing I had an issue with was the call to `self._verify` in the `getOAuthAccessToken` function of the strategy. Make sure this is aligned with your `passport.use` callback in your app.

jasps avatar Mar 04 '15 16:03 jasps

Interesting, I will check them out. Much appreciated.

coreyperkins avatar Mar 04 '15 16:03 coreyperkins

I'm struggling with this quite a bit. I've nabbed the passport-local example and I've started going through it but there are some basics I don't understand.

```js
var OidcStrategy = require('passport-openidconnect').Strategy;
```

I've set up the strategy in passport by doing the following.

```js
passport.use(new OidcStrategy({
  authorizationURL: 'my-auth-endpoint',
  tokenURL: 'my-token-endpoint',
  userInfoURL: 'my-user-info-endpoint',
  clientID: 'my-client',
  clientSecret: 'my-client-secret',
  callbackURL: '/callback'
}, verify));
```

I think this chunk needs to be modified to go out to the openid connect server I am trying to use for auth.

```js
app.get('/login',
  passport.authenticate('local', { failureRedirect: '/login', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  });
```

At this point, I am not quite sure how to modify this to properly interact with passport-openidconnect. I am getting confused at the point of calling the authenticate middleware.

I thought maybe I could simply call authenticate and it would attempt to hit my auth endpoint. Perhaps like this.

```js
app.get('/login', passport.authenticate());
```

This is resulting in a 401 without even trying to go out to the auth endpoint I specified.

Any advice?

coreyperkins avatar Mar 04 '15 20:03 coreyperkins

In this snippet of code:

```js
app.get('/login',
  passport.authenticate('local', { failureRedirect: '/login', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  });
```

`passport.authenticate('local'`... should be `passport.authenticate('passport-openidconnect'`...

jasps avatar Mar 05 '15 09:03 jasps

I think I'm still missing something fundamental. Here's my script.

```js
var OidcStrategy = require('passport-openidconnect').Strategy;

passport.use(new OidcStrategy({
  authorizationURL: baseAuthUrl + '/id/conn/auth',   // baseAuthUrl: the provider's base URL
  tokenURL: baseAuthUrl + '/id/conn/token',
  userInfoURL: baseAuthUrl + '/id/conn/userinfo',
  clientID: 'fakeClient',
  clientSecret: 'fakeSecret',
  callbackURL: '/authorize'
}, verify)); // verify: the (iss, sub, profile, done) callback, as in the earlier snippet

app.get('/login',
  passport.authenticate('passport-openidconnect', { failureRedirect: '/login', failureFlash: true }),
  function(req, res) {
    console.log('verify hit');
    res.redirect('/');
  });
```

When I hit /login it will tell me this:

```
Error: Unknown authentication strategy "passport-openidconnect"
    at attempt (C:\nodeoidc\node_modules\passport\lib\middleware\authenticate.js:166:37)
    at authenticate (C:\nodeoidc\node_modules\passport\lib\middleware\authenticate.js:342:7)
    at Layer.handle as handle_request
    at next (C:\nodeoidc\node_modules\express\lib\router\route.js:110:13)
    at Route.dispatch (C:\nodeoidc\node_modules\express\lib\router\route.js:91:3)
    at Layer.handle as handle_request
    at C:\nodeoidc\node_modules\express\lib\router\index.js:267:22
    at Function.proto.process_params (C:\nodeoidc\node_modules\express\lib\router\index.js:321:12)
    at next (C:\nodeoidc\node_modules\express\lib\router\index.js:261:10)
    at SendStream.error (C:\nodeoidc\node_modules\express\node_modules\serve-static\index.js:107:7)
```

coreyperkins avatar Mar 05 '15 16:03 coreyperkins

Corey,

Try this (changing `passport-openidconnect` to `openidconnect`):

```js
app.get('/login',
  passport.authenticate('openidconnect', { failureRedirect: '/login', failureFlash: true }),
  function(req, res) {
    console.log('verify hit');
    res.redirect('/');
  });
```

jasps avatar Mar 05 '15 17:03 jasps

That did it! I was redirected to my auth server which reported an invalid response because I don't yet have "code" allowed as a response type.

It looks like "code" is hard-coded into the source, know if there are any plans to support other response types?

coreyperkins avatar Mar 05 '15 18:03 coreyperkins

Good news. Just create your own local module and base it on passport-openidconnect, then you can change it to whatever you like. Check the OpenID Connect specs for the different flows.

jasps avatar Mar 05 '15 18:03 jasps

@coreyperkins @jasps When you write:

passport.use(new OidcStrategy({
    authorizationURL: 'my-auth-endpoint',
    tokenURL: 'my-token-endpoint',
    userInfoURL: 'my-user-info-endpoint',
    clientID: 'my-client',
    clientSecret: 'my-client-secret',
    callbackURL: '/callback'
}, verify));

What exactly is that function `verify`? If I don't pass it as a parameter then I get an error.

juanifioren avatar Apr 22 '15 15:04 juanifioren

This is the function that will capture your profile, claims etc. You need it. In this function, you will usually pull the relevant user from a database and return that user or a sub-set of user attributes, which is what I do. This is what passport will serialize in the session.

jasps avatar Apr 22 '15 16:04 jasps

Thanks @jasps for that fast reply. I understand now. Do you have a working example of this function?

juanifioren avatar Apr 22 '15 16:04 juanifioren

Not that would help you I'm afraid. Check the samples. There is one that pulls a user from MongoDB.

jasps avatar Apr 22 '15 16:04 jasps

Thanks anyways man! @jasps I ended up with this function, it works.

```js
// Verify callback in the (iss, sub, profile, done) form; User is a Mongoose model.
function (iss, sub, profile, done) {
  User.find({ email: profile._json.email }, function (err, docs) {
    if (err) { return done(err); }
    if (docs.length === 0) {
      // First login: create the user and hand it to passport once it is saved.
      var user = new User({ email: profile._json.email });
      user.save(function (saveErr) {
        return done(saveErr, user);
      });
    } else {
      return done(null, docs[0]);
    }
  });
}
```

Tested against django-oidc-provider.

juanifioren avatar Apr 22 '15 18:04 juanifioren
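An added example of a verify callback in the same `(iss, sub, profile, done)` form, written for this page and not taken from the thread or from passport-openidconnect itself. It keys the account on the `(iss, sub)` pair, which OpenID Connect defines as the stable subject identifier, rather than on an email claim, which a provider may leave unverified or reassign; it returns only a small attribute subset, since whatever `done` receives is what passport serialises into the session. The in-memory store stands in for the MongoDB model in the thread, and the claim names read from `profile._json` (`email`, `email_verified`, `name`) are assumptions about the provider's userinfo response.

```javascript
// In-memory stand-in for a database table of linked OIDC identities,
// constructed for this example. Key: iss + '|' + sub -> user record.
function createUserStore() {
  const users = new Map();
  let nextId = 1;
  return {
    findByIssuerSubject(iss, sub) {
      return users.get(iss + '|' + sub) || null;
    },
    create(iss, sub, attrs) {
      const user = { id: nextId++, iss, sub, ...attrs };
      users.set(iss + '|' + sub, user);
      return user;
    },
    size() { return users.size; },
  };
}

// Build the verify function passport calls after the token exchange.
// `sub` is only unique within the issuer `iss`, so the pair is the stable
// principal identifier; email is an attribute, not a key.
function createVerify(store) {
  return function verify(iss, sub, profile, done) {
    if (typeof iss !== 'string' || !iss || typeof sub !== 'string' || !sub) {
      return done(new Error('ID token is missing iss or sub'));
    }
    const claims = (profile && profile._json) || {};
    // Keep a small, session-safe subset; never return raw tokens from here.
    const attrs = {
      email: typeof claims.email === 'string' ? claims.email : null,
      emailVerified: claims.email_verified === true,
      name: typeof claims.name === 'string' ? claims.name : null,
    };
    try {
      const existing = store.findByIssuerSubject(iss, sub);
      if (existing) {
        // Known identity: refresh mutable attributes, keep the same account.
        Object.assign(existing, attrs);
        return done(null, existing);
      }
      // First login from this issuer/subject: provision the account.
      return done(null, store.create(iss, sub, attrs));
    } catch (err) {
      return done(err);
    }
  };
}

// Wiring, as used in the thread:
//   passport.use(new OidcStrategy(options, createVerify(createUserStore())));
```

Because the store here is synchronous, `done` fires synchronously; with a real database the same code shape works with the callback firing later.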

@jasps What did you do to fix the verify callback?

The thing I had an issue with was the call to self._verify in the getOAuthAccessToken function of the strategy. Make sure this aligned with your passport.use callback in your app.

My verify callback is not getting called either.

mithun-daa avatar Dec 24 '15 16:12 mithun-daa

Is there any update or workaround for the response_type? It is still hard coded to "code" and it would be nice to have "id_token token". Please let us know of any alternate solutions.

whindes avatar Mar 09 '17 22:03 whindes

@whindes I used https://github.com/panva/node-openid-client for that and it works great.

mithun-daa avatar Mar 10 '17 00:03 mithun-daa

Got a code snippet for using the token/implicit flow?

barnaby33 avatar Apr 05 '17 17:04 barnaby33

I am trying to integrate this with my sample Node.js project... but I am not able to understand how to invoke this... since I am getting the below error when I call this:

```
TypeError: Parameter "url" must be a string, not undefined
```

(at the below line in the strategy.js of this lib)

```js
this._key = options.sessionKey || (this.name + ':' + url.parse(options.authorizationURL).hostname);
```

I am passing all these parameters:

```js
authorizationURL: 'my-auth-endpoint',
tokenURL: 'my-token-endpoint',
userInfoURL: 'my-user-info-endpoint',
clientID: 'my-client',
clientSecret: 'my-client-secret',
callbackURL: '/callback'
```

Can someone let me know... what I am doing wrong? Any help appreciated... Thanks!

Harshil1989 avatar Apr 11 '17 09:04 Harshil1989

First guess is that the values you are passing are 'my-auth-endpoint' instead of the URL to your OAuth/OpenID server.

barnaby33 avatar Apr 11 '17 17:04 barnaby33
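An added option check, written for this page rather than taken from passport-openidconnect: it catches the two configuration mistakes discussed above (an endpoint option that is missing, and one that is a placeholder such as 'my-auth-endpoint' rather than an absolute URL) before the strategy reaches the `url.parse(options.authorizationURL).hostname` line quoted in the error. Option names are the ones used in this thread. The TLS requirement and the loopback exception are this example's own policy, added because the endpoints carry the client secret and tokens; a relative `callbackURL` such as '/callback' is accepted because that is how it is used earlier in the thread.

```javascript
const REQUIRED = ['authorizationURL', 'tokenURL', 'clientID', 'clientSecret', 'callbackURL'];
// Endpoints that must be absolute URLs. callbackURL is handled separately
// because a path such as '/callback' is resolved against the request.
const ENDPOINTS = ['authorizationURL', 'tokenURL', 'userInfoURL'];

function isLoopback(hostname) {
  return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '[::1]';
}

// Returns a list of problems; an empty list means the options look usable.
// allowHttpLoopback: tolerate plain http only for a local development provider.
function validateStrategyOptions(options, { allowHttpLoopback = true } = {}) {
  if (!options || typeof options !== 'object') return ['options must be an object'];
  const errors = [];
  for (const key of REQUIRED) {
    if (typeof options[key] !== 'string' || options[key].length === 0) {
      errors.push(key + ' is missing or not a string');
    }
  }
  for (const key of ENDPOINTS) {
    const value = options[key];
    if (typeof value !== 'string' || value.length === 0) continue; // already reported if required
    let parsed;
    try {
      parsed = new URL(value); // throws on 'my-auth-endpoint' (no scheme, no host)
    } catch (e) {
      errors.push(key + ' is not an absolute URL: "' + value + '"');
      continue;
    }
    // The strategy derives its session key from the hostname of authorizationURL,
    // and these endpoints carry the client secret and tokens, so require TLS.
    const httpOk = allowHttpLoopback && parsed.protocol === 'http:' && isLoopback(parsed.hostname);
    if (parsed.protocol !== 'https:' && !httpOk) {
      errors.push(key + ' must use https (got ' + parsed.protocol + ')');
    }
  }
  const cb = options.callbackURL;
  if (typeof cb === 'string' && cb.length > 0 && !cb.startsWith('/')) {
    try {
      const parsed = new URL(cb);
      if (parsed.protocol !== 'https:' && !(allowHttpLoopback && isLoopback(parsed.hostname))) {
        errors.push('callbackURL must be https or a path starting with "/"');
      }
    } catch (e) {
      errors.push('callbackURL must be an absolute URL or a path starting with "/"');
    }
  }
  return errors;
}
```

Call it on the options object immediately before `new OidcStrategy(options, verify)` and refuse to start the app if the list is non-empty; that turns the stack trace above into a readable configuration error.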

@barnaby33 : did you find a code snippet for using the token/implicit flow?

fdescamps avatar Jan 02 '18 11:01 fdescamps

Actually I don't remember. This was almost a year ago for me. I believe I did or rather pieced one together, but don't have a link.

Josh


barnaby33 avatar Jan 02 '18 16:01 barnaby33