Authenticate Node.js App by OpenId Connect

OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, which itself is an authorization framework. The standard is controlled by the OpenID Foundation. This blog post walks through an example of using your Google account to log in to a Node.js app with OpenID Connect.

Authentication vs Authorization

Authentication and authorization are big topics; this blog only touches the basics, and follow-up blogs will explain the details. If you are still confused about the difference between authentication and authorization, here are the definitions.

Authentication: is the process of ascertaining that somebody really is who he claims to be.

Authorization: refers to rules that determine who is allowed to do what.

‘Jargon’ explanations

If you are confused about the difference between various protocols, e.g. OpenID, OAuth, OpenID Connect, don’t worry. It is a common challenge to most people.

OpenID

Authentication is delegated:

Server A wants to authenticate user U, but U’s credentials (e.g. U’s name and password) are sent to another server, B, that A trusts (at least, trusts for authenticating users).

Indeed, server B makes sure that U is indeed U, and then tells A: “ok, that’s the genuine U”.

OAuth

Authorization is delegated:

Entity A obtains from entity B an “access right” which A can show to server S to be granted access; B can thus deliver temporary, specific access keys to A without giving them too much power.

You can imagine an OAuth server as the key master in a big hotel; he gives to employees keys which open the doors of the rooms that they are supposed to enter, but each key is limited (it does not give access to all rooms); furthermore, the keys self-destruct after a few hours.

OpenID Connect

To some extent, authorization can be abused into a kind of pseudo-authentication, on the basis that if entity A obtains from B an access key through OAuth and shows it to server S, then server S may infer that B authenticated A before granting the access key. So some people use OAuth where they should be using OpenID. This schema may or may not be enlightening, but I think this pseudo-authentication is more confusing than anything.

OpenID Connect does just that: it abuses OAuth into an authentication protocol.

In the hotel analogy: if I encounter a purported employee and that person shows me that he has a key which opens my room, then I suppose that this is a true employee, on the basis that the key master would not have given him a key which opens my room if he was not.

OpenID Connect standardizes how authentication with OAuth 2.0 works

  • OpenID Connect is built on top of OAuth 2.0

  • it defines the authorization code flow and the implicit flow

  • standard scopes and claims

  • token type is JWT (JSON Web Token)

  • ID token

  • UserInfo endpoint

  • Simple

  • Supports multiple Relying Party (client) types

  • Optional: encryption, discovery, dynamic client registration & session management

http://openid.net/connect

Setup Google Account

Since this blog uses a Google account to do the login, let’s set up the account first.

Go to the following URL:

https://console.developers.google.com/apis/credentials

  • Create credential

  • Create OAuth client id

Ensure the redirect URL is set up correctly, e.g. http://localhost:5000/oidc-client-sample.html

This redirect URL will be used in the next chapter.

Test the Google authentication first by using auth0.com: https://auth0.com/docs/connections/social/google

If you manage to connect to the Google account, then it’s time to move to the next chapter.

Setup Node.js App

In this blog the focus is on OpenID Connect, so we will not build a Node.js app from scratch. Let’s use the existing git repository: https://github.com/IdentityModel/oidc-client-js

Then follow the steps:

  • Clone the repository locally

  • Install the modules by: npm i

  • Modify the code in example/oidc-client-sample.js

var settings = {
    authority: 'https://accounts.google.com',
    client_id: 'xxxxx',
    redirect_uri: 'http://localhost:5000/oidc-client-sample.html',
    post_logout_redirect_uri: 'http://localhost:5000/oidc-client-sample.html',
    response_type: 'id_token token',
    scope: 'openid email',

    filterProtocolClaims: true,
    loadUserInfo: true
};

  • Start the Node.js app: npm start

  • Test the app in browser: localhost:5000

  • Click the signin button to sign in using your Google account

  • Click the process signin response button to get the response

If everything goes well, you are supposed to see the following response content.

signin response
{
  "state": {
    "bar": 15
  },
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjAwOThiMzFlNDA2NTE0OTNjZDA4YzFkYjA1NmQ2ZGI2YWU5NTY1MzMifQ.eyJhenAiOiI2MjQyNjc2NTM5MDgtcTllNDZ2dmU2Mzk3aHBvcHZ2NzZ0azk4bWlkN2EwY3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI2MjQyNjc2NTM5MDgtcTllNDZ2dmU2Mzk3aHBvcHZ2NzZ0azk4bWlkN2EwY3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDc0Njc3ODM4NTgxMzE3ODA2MTAiLCJlbWFpbCI6InN1bW1lcnNub3dlQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdF9oYXNoIjoiZ3lzNm5uX2VobVVaR0FoV0FFZGFMUSIsIm5vbmNlIjoiMTc1ZDEyOTY2MzBkNGI2NmIzMDBlNDY0OTg1YzBiMjAiLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJpYXQiOjE0OTk2MDY4OTMsImV4cCI6MTQ5OTYxMDQ5M30.XJmRpaf5VLBZIV9EdlhR_m0zlmkkbwdf8_ekXjsseCzX1gMdTDgJSea4paIsakPkZbsoUz3y2yEg2qg5Had9aEicHqgU0YjEGIRmjAToYhDWsI20Eb0RVfNmKaHLS9R7SRoVuMsmO7cvpCZumr0UIWyX3ZY1lOpk0e2W-hJegLoya-esijp9ZajcFS-M3oNtPVZISVxRi0uTMaFvmSE3yM-_15YczLbkHiJWlblvEMbiCxbsi9J6AsEl5z8v5MYfuac0Nr7I3SHgbM2tUc0LFMhwCDGAAf7MomcuHLL6SVA73V7iS5Qiqe1DeYwXCf4JjiN9qqnMz5mI8BMI3v0i4g",
  "session_state": "6b51bc71b013627ec110cb21b7ce19846399ae2d..28cf",
  "access_token": "ya29.GluCBIpJ8UKUuTIdz9TIcIsBflxM66xnsPlEi66GBn_Putc3qnQeQnDYt7QKWkdoQr1nctU0Zkbz8cIPxujpnUabNY2GfgM0gELdeXMYmzj-Nua9GRUexq4_VO7N",
  "token_type": "Bearer",
  "profile": {
    "azp": "624267653908-q9e46vve6397hpopvv76tk98mid7a0cq.apps.googleusercontent.com",
    "sub": "107467783858131780610",
    "email": "summersnowe@gmail.com",
    "email_verified": true,
    "name": "Summer Snow",
    "given_name": "Summer",
    "family_name": "Snow",
    "profile": "https://plus.google.com/107467783858131780610",
    "picture": "https://lh6.googleusercontent.com/-fC9bhpKev6k/AAAAAAAAAAI/AAAAAAAAATo/maihymGPzVM/photo.jpg",
    "gender": "male"
  },
  "expires_at": 1499610496
}

Congratulations, you managed to get your Node.js app authenticated by your Google account!

You can also check the following git repository, which is a simplified version: https://github.com/wubw/Codelab/tree/master/openidconnect

Written by Binwei@Oslo
