Comments (14)
Hello all,
I have the same questions as @robtweed, I'm starting with OIDC and I'm a bit lost after the "grant" step.
I have my issuer, my client and a tokenSet thanks to client.grant.
I have a ReactJS app which receives the access token from my server and sends it back with each request.
Now I'm not sure about the steps to follow on the server when I receive the access token from my React app. I need a way to verify the token and get the user info from it. I have a hard time understanding the difference between using `client.introspect(token)` from this library and using `jwt.verify(token)` from auth0's library.
Ideally I would like to verify the token without having to call my issuer (Keycloak) on each request (or is it a normal workflow to call it on each request?), in a stateless way (no session, just from the token itself + the secret encryption key).
I'm also not sure about how to obtain my secret encryption key from my issuer.
Sorry for activating this issue again, but it was pretty close to my current situation. 😄
from node-openid-client.
Hey @robtweed, I'm not sure I follow your question. The issuer's JWKS are loaded on demand when they're needed.
You might use the `keystore()` method (it returns a Promise) on an issuer to load them and resolve yourself an instance of node-jose `JWK.KeyStore` that way. Note that this method is marked as private and is therefore neither documented nor part of the public API that follows semver.
Thanks - to be honest I suspect I'm making life more difficult for myself than necessary. What I'm basically struggling with is a couple of things:
So my client has successfully authenticated and received the access and id tokens from the Authorization server (using openid-client). That part works really well.
1. If I pass the access token to a Node.js-based resource server, can that resource server use openid-client to validate the access token, or should I use a different module for that on the resource server?
2. Alternatively, if I pass the id_token JWT on to another Node.js server, I'll need to verify the id_token on that other server. Do I use openid-client on that other server for validating the JWT? If so, what's the API to use; if not, can you recommend another module to use? I'm struggling to find out how to obtain the key needed to validate the id_token JWT.
Apologies again if I'm being a bit dumb, and many thanks for any pointers you can give me :-)
ad 1) if your issuer supports introspection you might use `introspect` and see the results; if not, you're left with just accessing the resources you need on the issuer side. No need for validation there, other than TLS that is.
ad 2) openid-client is for clients, not resource servers; you might wanna explore the modules listed at https://jwt.io to look for JWT validation modules.
OK thanks - that definitely helps :-) Many thanks!
@panva - thanks for the help and pointers. Much appreciated. I'm using both your OIDC client and provider very successfully now.
> I have a ReactJS app which receives the access token from my server and sends it back with each request.

Apologies but why do you bother with this? Do you have the need to send those access tokens to a 3rd party API too? Why not just set an httpOnly session cookie that your client will automatically be sending to the backend and authorize your own API call with it?
You're totally right, I can also set a cookie to simplify that part! 👏
Have you any pointers about my other questions?
I don't see any questions that aren't solved by just authenticating your own session with a cookie. If your use case is a simple sign in, you don't need to wander around with access tokens at all.
I use the password grant to delegate my users' authentication process to Keycloak. I don't understand how a cookie solves my issue. After a successful auth, Keycloak gives me back tokens. So I assume that I'll still have to use those tokens against Keycloak? (Check whether they have expired, whether the Keycloak session is revoked...)
Sorry if my questions seem very noobish, but I think I'm missing the big picture.
> I use the password grant

🤕 🤦♂️

> tokens. So I assume that I'll still have to use those tokens against Keycloak? (Check whether they have expired, whether the Keycloak session is revoked...)

There is no session if you use ROPC. Please do not assume and read up on the OIDC / OAuth 2.0 flows.
It sounds like your use case is a simple sign in (using a discouraged flow for that matter). Once you authenticate the user, set your backend session and be done with it.
Unless you need to pass tokens to 3rd party APIs or APIs hosted on another domain, all you need is a simple `response_type=id_token&response_mode=form_post` authorization request, a callback to verify the token, then set your session with an appropriate expiration depending on your use case.
> 🤕 🤦♂️

I don't think such a reaction is necessary, we all have to start somewhere.
Thanks for your help, I'll go back to the OIDC flows documentation to better understand the whole process.
Have a nice day.
> I don't think such a reaction is necessary, we all have to start somewhere.

The thing with password grant is that it's not helping you to "start" with OAuth at all, it's a legacy grant intended for migration purposes and it shares nothing with the core flows.
This is the grant that met my constraints the most, which are:
- I can't have a redirect step to Keycloak
- All my apps + keycloak are on a private network and are all trusted
But I'm probably wrong again! 🤦♂️