Tokens in LDAP Authentication


Aldred Benedict

Aug 22, 2016, 4:32:09 AM
to LoopbackJS
Hello All,

I'm pretty new to Node.js and even newer to Loopback. Right now I'm trying to enable authentication by using LDAP with loopback-component-passport and passport-ldapauth.

Using local authentication with the built-in User model (User.login) returns access tokens, which I can then easily include in the HTTP header to invoke REST endpoints. However, in LDAP authentication's case, I cannot find any way to generate a token. How do I do this?

Anyway, I'm not sure whether this helps, but this is my providers.json file:

{
  "ldap": {
    "provider": "ldap",
    "authScheme": "ldap",
    "module": "passport-ldapauth",
    "authPath": "/auth/ldap",
    "successRedirect": "/api/users",
    "failureRedirect": "/failure",
    "session": false,
    "ldap_attribute_for_login": "uid",
    "ldap_attribute_for_username": "uid",
    "ldap_attribute_for_mail": "mail",
    "server": {
      "url": "ldap://192.168.0.22:389",
      "bindDn": "cn=admin,dc=mycompany,dc=com",
      "bindCredentials": "some password",
      "searchBase": "ou=Users,dc=mycompany,dc=com",
      "searchFilter": "(uid={{username}})",
      "searchAttributes": ["employeeNumber","givenName", "sn", "displayName", "mail", "departmentNumber", "uid"]
    }
  }
}
Thank you
Aldred Benedict

Aug 23, 2016, 3:17:40 AM
to LoopbackJS
Hello All,

I started looking at the code in passport-configurator.js, particularly this part:

if (info && info.accessToken) {
  if (!!options.json) {
    return res.json({
      'access_token': info.accessToken.id,
      userId: user.id
    });
  } else {
    res.cookie('access_token', info.accessToken.id, {
      signed: req.signedCookies ? true : false,
      maxAge: 1000 * info.accessToken.ttl
    });
    res.cookie('userId', user.id.toString(), {
      signed: req.signedCookies ? true : false,
      maxAge: 1000 * info.accessToken.ttl
    });
  }
}
return res.redirect(successRedirect(req));

So basically adding "json": true in the providers.json will disregard the "successRedirect" property and will just send the AccessToken and userId back, which is exactly what I require.

However, if "json": true is not included in providers.json, the access token will be placed in a cookie. The problem is that if I use the loopback.token() middleware, according to http://apidocs.strongloop.com/loopback/#loopback-token, the function always checks for the following:
  • access_token (params only)
  • X-Access-Token (headers only)
  • authorization (headers and cookies)
Wouldn't this cause an authorization error if the successRedirect URL is given an ACL for the $authenticated role, as access_token is placed in a cookie, not in params?
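The following is an added example, not code from this thread, from loopback or from loopback-component-passport. It is a stand-alone imitation of the token lookup the loopback.token() docs describe (access_token in params, X-Access-Token in headers, authorization in headers and cookies), written so the redirect case above can be checked offline: one constructed request models the browser arriving at successRedirect with the access_token and userId cookies the passport-configurator snippet sets, the other models a client that got the token from the "json": true branch and sends it as a bearer header. The option shape {params, headers, cookies} mirrors the arrays loopback.token(options) accepts, but the function itself, the DOCUMENTED_LOOKUP constant and the request objects are this example's own assumptions.

```javascript
// Added example, not loopback's own code: imitation of the request-token
// lookup that loopback.token() performs, with constructed request objects.
// Assumption: the three documented locations, searched in the listed order.
const DOCUMENTED_LOOKUP = {
  params: ['access_token'],
  headers: ['X-Access-Token', 'authorization'],
  cookies: ['authorization'],
};

// Lookup that also accepts the cookie name the passport-configurator snippet
// actually writes ("access_token"), which is what the redirect flow needs.
const LOOKUP_WITH_ACCESS_TOKEN_COOKIE = {
  params: DOCUMENTED_LOOKUP.params,
  headers: DOCUMENTED_LOOKUP.headers,
  cookies: ['access_token'].concat(DOCUMENTED_LOOKUP.cookies),
};

// An "authorization" value may be "Bearer <id>"; anything else is taken as
// the raw token id.
function tokenFromAuthorization(value) {
  const m = /^Bearer\s+(\S+)\s*$/i.exec(value);
  return m ? m[1] : value;
}

// Returns {id, source} for the first location carrying a token, or null.
function findTokenId(req, lookup) {
  lookup = lookup || DOCUMENTED_LOOKUP;
  const query = req.query || {};
  const headers = req.headers || {};
  // cookie-parser puts plain cookies in req.cookies and verified signed
  // cookies in req.signedCookies; both are consulted here.
  const cookies = Object.assign({}, req.cookies || {}, req.signedCookies || {});

  for (const name of lookup.params) {
    if (query[name]) return { id: String(query[name]), source: 'param:' + name };
  }
  for (const name of lookup.headers) {
    const key = name.toLowerCase(); // Node lower-cases incoming header names
    const value = headers[key];
    if (value) {
      const id = key === 'authorization' ? tokenFromAuthorization(value) : value;
      return { id: id, source: 'header:' + name };
    }
  }
  for (const name of lookup.cookies) {
    const value = cookies[name];
    if (value) {
      const id = name === 'authorization' ? tokenFromAuthorization(value) : value;
      return { id: id, source: 'cookie:' + name };
    }
  }
  return null;
}

// Constructed request: the browser following the redirect to successRedirect
// after the LDAP callback set the access_token and userId cookies.
const redirectAfterLdapLogin = {
  query: {},
  headers: { host: 'localhost:3000' },
  cookies: { access_token: 'constructed-token-id', userId: '42' },
};

// Constructed request: a client that received {"access_token": ...} from the
// "json": true branch and sends it as a bearer header on an API call.
const apiCallWithHeader = {
  query: {},
  headers: { authorization: 'Bearer constructed-token-id' },
};

function demo() {
  return {
    // null: the access_token cookie is not among the documented locations,
    // so an $authenticated ACL on successRedirect would deny this request.
    redirectWithDocumentedLookup: findTokenId(redirectAfterLdapLogin),
    // found once the cookie name is added to the lookup
    redirectWithCookieLookup: findTokenId(redirectAfterLdapLogin, LOOKUP_WITH_ACCESS_TOKEN_COOKIE),
    // found via the authorization header, independent of cookies
    headerCall: findTokenId(apiCallWithHeader),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the documented defaults the redirected request carries no recognised token, which matches the concern in the post; the header-based flow from the "json": true branch is found regardless of cookies. The example also shows why the cookie branch is the weaker default: the token is only protected from tampering when the app has configured signed cookies, and it is sent automatically by the browser on every matching request, so an API that reads it from a cookie needs CSRF protection that a bearer header does not.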
