Manage auth with openid server
Node + Typescript + Express
Use the mkcert tool
See installation instructions on the mkcert GitHub page
Move to the certificates directory
cd certificates
Create a local Certificate Authority
mkcert -install
Generate a signed certificate for the domain
mkcert "auth.myproject.local"
mkdir certificates
cp auth.myproject.local* ./certificates
Resolve your domain to localhost by editing /etc/hosts
127.0.0.1 auth.myproject.local
cp .env.template .env
Install packages
npm ci
Packages (global or local):
- typescript
- ts-node
Packages:
- express : framework
- dotenv : env config loader
- body-parser : body parsing middleware
- cors : CORS middleware
- helmet : security headers middleware
- morgan : logger middleware
Conventions
- tslint
- prettier
Log
Testing
Launch the Keycloak server : http://localhost:8080
docker-compose up
admin credentials (defined in docker-compose.yml): admin / admin
- realm : create a realm with OpenID Connect
- client > settings : ensure "standard flow" and "direct access grants" are selected
- roles : create role 'user'
- client scopes : create scope 'skills' (disable consent)
- client > client scopes : add 'skills' to the default scopes
Do not use the Implicit Flow (deprecated); use the Authorization Code Grant Flow with PKCE
JSON Web Keys (JWKs) are returned by the authorization server endpoint:
http://localhost:8080/realms/myrealm/protocol/openid-connect/certs
All URLs are listed in the discovery document:
http://localhost:8080/realms/myrealm/.well-known/openid-configuration
Reference : https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
- create a code verifier
- create a code challenge from the verifier
- get the user's authorization with the code challenge
- exchange the authorization code for an access token
- call the API with the Bearer token :)
- verify the token (JWT signature, claims, permissions)
Notes:
- store the code verifier together with the state in a cookie
- use the cookie-parser middleware to retrieve the cookie
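The PKCE steps listed above as an added example (not this project's code), using only Node's crypto module: verifier and S256 challenge generation, the state value stored beside the verifier, the Keycloak authorization URL (issuer, client id and redirect URI are assumed values), and the callback-side checks.

```typescript
// Added example, not the project's own code: PKCE helpers for the
// Authorization Code flow. Names of issuer/client/redirect are assumptions.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// base64url without padding, as required by RFC 7636.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Code verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars.
function createCodeVerifier(byteLength = 32): string {
  return base64url(randomBytes(byteLength));
}

// S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))).
function createCodeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Opaque state, kept in the cookie next to the verifier (as the notes above say).
function createState(): string {
  return base64url(randomBytes(16));
}

// /auth URL for a Keycloak realm issuer such as http://localhost:8080/realms/myrealm.
function buildAuthorizationUrl(o: {
  issuer: string; clientId: string; redirectUri: string;
  codeChallenge: string; state: string; scope?: string;
}): string {
  const url = new URL(`${o.issuer}/protocol/openid-connect/auth`);
  url.searchParams.set("response_type", "code"); // code grant, never "token" (implicit)
  url.searchParams.set("client_id", o.clientId);
  url.searchParams.set("redirect_uri", o.redirectUri);
  url.searchParams.set("scope", o.scope ?? "openid");
  url.searchParams.set("state", o.state);
  url.searchParams.set("code_challenge", o.codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}

// Callback check: state from the query must equal the one in the cookie.
function stateMatches(fromQuery: string, fromCookie: string): boolean {
  const a = Buffer.from(fromQuery), b = Buffer.from(fromCookie);
  return a.length === b.length && timingSafeEqual(a, b);
}

// What the token endpoint does with the verifier sent in the code exchange:
// recompute the challenge and compare it with the one received at /auth.
function verifierMatchesChallenge(verifier: string, challenge: string): boolean {
  return stateMatches(createCodeChallenge(verifier), challenge);
}
```

The verifier and state are generated before redirecting the browser, written to the cookie, and read back with cookie-parser on the callback before the code is exchanged.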