
Comments (14)

jgoux commented on August 23, 2024

Hello all,

I have the same questions as @robtweed. I'm starting with OIDC and I'm a bit lost after the "grant" step.

I have my issuer, my client and a tokenSet thanks to client.grant.

I have a ReactJS app which received the access token from my server, and sends it back with each request.

Now I'm not sure about the steps to follow on the server when I receive the access token from my React app. I need a way to verify the token and get the user info from it. I have a hard time understanding the difference between using client.introspect(token) from this library and using jwt.verify(token) from Auth0's library.

Ideally I would like to verify the token without having to call my issuer (Keycloak) on each request (or is it a normal workflow to call it on each request?), in a stateless way (no session, just from the token itself + the secret encryption key).

I'm also not sure about how to obtain my secret encryption key from my issuer.

Sorry for activating this issue again, but it was pretty close to my current situation. 😄

from node-openid-client.

panva commented on August 23, 2024

Hey @robtweed, I'm not sure I follow your question. The issuer's JWKS are loaded on demand when they're needed.

You might use the keystore()<Promise> method on an issuer to load them and resolve an instance of node-jose JWK.KeyStore yourself that way. Note that this method is marked as private and is therefore neither documented nor part of the public API that follows semver.


robtweed commented on August 23, 2024

Thanks - to be honest I suspect I'm making life more difficult for myself than necessary. What I'm basically struggling with is a couple of things:

So my client has successfully authenticated and received the access and id tokens from the Authorization server (using openid-client). That part works really well.

  1. If I pass the access token to a Node.js-based resource server, can that resource server use openid-client to validate the access token, or should I use a different module for that on the resource server?

  2. Alternatively, if I pass the id_token JWT on to another Node.js server, I'll need to verify the id_token on that other server. Do I use openid-client on that other server for validating the JWT? If so, what's the API to use; if not, can you recommend another module to use? I'm struggling to find out how to obtain the key needed to validate the id_token JWT.

Apologies again if I'm being a bit dumb, and many thanks for any pointers you can give me :-)


panva commented on August 23, 2024

ad 1) If your issuer supports introspection you might use introspect and see the results; if not, you're left with just accessing the resources you need on the issuer side. No need for validation there, other than TLS that is.

ad 2) openid-client is for clients, not resource servers; you might wanna explore the modules listed at https://jwt.io to look for JWT validation modules.


robtweed commented on August 23, 2024

OK thanks - that definitely helps :-) Many thanks!


robtweed commented on August 23, 2024

@panva - thanks for the help and pointers. Much appreciated. I'm using both your OIDC client and provider very successfully now


panva commented on August 23, 2024

> I have a ReactJS app which received the access token from my server, and send it back with each requests.

Apologies but why do you bother with this? Do you have the need to send those access tokens to a 3rd party API too? Why not just set an httpOnly session cookie that your client will automatically be sending to the backend and authorize your own API call with it?


jgoux commented on August 23, 2024

You're totally right, I can also set a cookie to simplify that part! 👏

Have you any pointers about my other questions?


panva commented on August 23, 2024

I don't see any questions that aren't solved by just authenticating your own session with a cookie. If your use case is a simple sign in, you don't need to wander around with access tokens at all.


jgoux commented on August 23, 2024

I use the password grant to delegate my users authentication process to Keycloak. I don't understand how a cookie solves my issue. After a successful auth, Keycloak gives me back tokens. So I assume that I'll still have to use those tokens against Keycloak? (Check if they expired, is the Keycloak's session revoked...)

Sorry if my questions seem very noobish, but I think I miss the big picture.


panva commented on August 23, 2024

> I use the password grant

🤕 🤦‍♂️

> tokens. So I assume that I'll still have to use those tokens against Keycloak? (Check if they expired, is the Keycloak's session revoked...)

There is no session if you use ROPC. Please do not assume and read up on the OIDC / OAuth 2.0 flows.

It sounds like your use case is a simple sign in (using a discouraged flow for that matter). Once you authenticate the user, set your backend session and be done with it.

Unless you need to pass tokens to 3rd party APIs or APIs hosted on another domain, all you need is a simple response_type=id_token&response_mode=form_post authorization request, a callback to verify the token, then set your session with an appropriate expiration depending on your use case.


jgoux commented on August 23, 2024

> 🤕 🤦‍♂️

I don't think such reaction is necessary, we all have to start somewhere.

Thanks for your help, I'll go back to the OIDC flows documentation to better understand the whole process.

Have a nice day.


panva commented on August 23, 2024

> I don't think such reaction is necessary, we all have to start somewhere.

The thing with password grant is that it's not helping you to "start" with oauth at all, it's a legacy grant intended for migration purposes and it shares nothing with the core flows.


jgoux commented on August 23, 2024

This is the grant that best met my constraints, which are:

  • I can't have a redirect step to Keycloak
  • All my apps + Keycloak are on a private network and are all trusted

But I'm probably wrong again! 🤦‍♂️

