Authenticate Node.js App by OpenId Connect¶
OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0; while OAuth 2.0 is an authorization framework. The standard is controlled by the OpenID Foundation. This blog post will go through an example to use your google account to login a Node.js app by using OpenID Connect.
Authentication vs Authorization¶
Authentication and Authorization are big topics, this blog only touches the basic and will have follow-up blogs to explain the details. If you are still confused about the difference between authentication and authorization, the followings are the explanations.
Authentication: is the process of ascertaining that somebody really is who he claims to be.
Authorization: refers to rules that determine who is allowed to do what.
‘Jargon’ explanations¶
If you are confused about the difference between various protocols, e.g. OpenID, OAuth, OpenID Connect, don’t worry. It is a common challenge to most people.
OpenID¶
Authentication is delegated:
Server A wants to authenticate user U, but U’s credentials (e.g. U’s name and password) are sent to another server, B, that A trusts (at least, trusts for authenticating users).
Indeed, server B makes sure that U is indeed U, and then tells to A: “ok, that’s the genuine U”.
OAuth¶
Authorization is delegated:
Entity A obtains from entity B an “access right” which A can show to server S to be granted access; B can thus deliver temporary, specific access keys to A without giving them too much power.
You can imagine an OAuth server as the key master in a big hotel; he gives to employees keys which open the doors of the rooms that they are supposed to enter, but each key is limited (it does not give access to all rooms); furthermore, the keys self-destruct after a few hours.
OpenID Connect¶
To some extent, authorization can be abused into some pseudo-authentication, on the basis that if entity A obtains from B an access key through OAuth, and shows it to server S, then server S may infer that B authenticated A before granting the access key. So some people use OAuth where they should be using OpenID. This schema may or may not be enlightening; but I think this pseudo-authentication is more confusing than anything.
OpenID Connect does just that: it abuses OAuth into an authentication protocol.
In the hotel analogy: if I encounter a purported employee and that person shows me that he has a key which opens my room, then I suppose that this is a true employee, on the basis that the key master would not have given him a key which opens my room if he was not.
OpenID Connect standardize how authentication with OAuth2 works
OpenID connect is built on top of Oauth 2.0
it contains authorization code flow and implicit flow
standard scopes and claims
token type is JWT (Json web token)
ID token
UserInfo endpoint
Simple
Supports multiple Relying Party (client) types
Optional: encryption, discovery, dynamic client registration & session management
Setup Google Account¶
Since this blog uses google account to do the login, so let’s setup the account first.
Go to the following URL:
https://console.developers.google.com/apis/credentials
Create credential
Create OAuth client id
Ensure the redirect URL is setup correctly, e.g. http://localhost:5000/oidc-client-sample.html
This redirect URL will be used in the next chapter.
Test the google authentication first by using auth0.com: https://auth0.com/docs/connections/social/google
If your manage to connect to the google account, then it’s time to move to the next chapter.
Setup Node.Js App¶
In this blog, the focus in on OpenID Connect, then we will not build Node.JS app from scratch. Let’s use the existing git repository: https://github.com/IdentityModel/oidc-client-js
Then follow the steps:
Clone a local git repository
Install the modules by: npm i
Modify the code in example/oidc-client-sample.js
var settings = {
authority: 'https://accounts.google.com',
client_id: 'xxxxx',
redirect_uri: 'http://localhost:5000/oidc-client-sample.html',
post_logout_redirect_uri: 'http://localhost:5000/oidc-client-sample.html',
response_type: 'id_token token',
scope: 'openid email',
filterProtocolClaims: true,
loadUserInfo: true
};
Start the Node.JS app: npm start
Test the app in browser: localhost:5000
Click the signin button to sign by using your google account
Click processignin response button to get the response
If everything goes well, you are suppose to see the following response content.
signin response
{
"state": {
"bar": 15
},
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjAwOThiMzFlNDA2NTE0OTNjZDA4YzFkYjA1NmQ2ZGI2YWU5NTY1MzMifQ.eyJhenAiOiI2MjQyNjc2NTM5MDgtcTllNDZ2dmU2Mzk3aHBvcHZ2NzZ0azk4bWlkN2EwY3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI2MjQyNjc2NTM5MDgtcTllNDZ2dmU2Mzk3aHBvcHZ2NzZ0azk4bWlkN2EwY3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDc0Njc3ODM4NTgxMzE3ODA2MTAiLCJlbWFpbCI6InN1bW1lcnNub3dlQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdF9oYXNoIjoiZ3lzNm5uX2VobVVaR0FoV0FFZGFMUSIsIm5vbmNlIjoiMTc1ZDEyOTY2MzBkNGI2NmIzMDBlNDY0OTg1YzBiMjAiLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJpYXQiOjE0OTk2MDY4OTMsImV4cCI6MTQ5OTYxMDQ5M30.XJmRpaf5VLBZIV9EdlhR_m0zlmkkbwdf8_ekXjsseCzX1gMdTDgJSea4paIsakPkZbsoUz3y2yEg2qg5Had9aEicHqgU0YjEGIRmjAToYhDWsI20Eb0RVfNmKaHLS9R7SRoVuMsmO7cvpCZumr0UIWyX3ZY1lOpk0e2W-hJegLoya-esijp9ZajcFS-M3oNtPVZISVxRi0uTMaFvmSE3yM-_15YczLbkHiJWlblvEMbiCxbsi9J6AsEl5z8v5MYfuac0Nr7I3SHgbM2tUc0LFMhwCDGAAf7MomcuHLL6SVA73V7iS5Qiqe1DeYwXCf4JjiN9qqnMz5mI8BMI3v0i4g",
"session_state": "6b51bc71b013627ec110cb21b7ce19846399ae2d..28cf",
"access_token": "ya29.GluCBIpJ8UKUuTIdz9TIcIsBflxM66xnsPlEi66GBn_Putc3qnQeQnDYt7QKWkdoQr1nctU0Zkbz8cIPxujpnUabNY2GfgM0gELdeXMYmzj-Nua9GRUexq4_VO7N",
"token_type": "Bearer",
"profile": {
"azp": "624267653908-q9e46vve6397hpopvv76tk98mid7a0cq.apps.googleusercontent.com",
"sub": "107467783858131780610",
"email": "summersnowe@gmail.com",
"email_verified": true,
"name": "Summer Snow",
"given_name": "Summer",
"family_name": "Snow",
"profile": "https://plus.google.com/107467783858131780610",
"picture": "https://lh6.googleusercontent.com/-fC9bhpKev6k/AAAAAAAAAAI/AAAAAAAAATo/maihymGPzVM/photo.jpg",
"gender": "male"
},
"expires_at": 1499610496
}
Congratulations, you managed to get your Node.JS app authenticated by your google account!
You can also have a check of the following git repository, which is a simplified version. https://github.com/wubw/Codelab/tree/master/openidconnect
Written by Binwei@Oslo