How to integrate Auth0 authorization into a Loopback restful web service?

2,090 views

A Bit of Help

Jan 11, 2016, 7:29:23 PM
to LoopbackJS
Hi Everyone,

I am creating a restful web service using the latest versions of Node.js and Loopback, which I downloaded and installed yesterday.  I have successfully created it and it works with a PostgreSQL database.  Our UI/front-end applications are using Auth0 for OAuth2 authentication and authorization.  We will send the JWT Bearer token in the Authorization header to the web service that I've created.

I am new to Loopback, so I am wondering whether the following instructions for configuring a Node.js web service are what I need to do for Auth0 to be used in Loopback, or whether Loopback's structure is different and I need to do something different.  If so, any ideas about what must be done?  

I am not sure how I would tag endpoints (i.e. GET  /api/clients) to require authorization and specific roles, which are in the token as role claims.


I'd appreciate any suggestions about how to proceed.

Thank you for your time and help!

Mike

A Bit of Help

Jan 11, 2016, 9:46:25 PM
to LoopbackJS
Hi Everyone,

Well... It is as simple as it seems following Auth0's Node.js instructions: https://auth0.com/docs/quickstart/backend/nodejs.  

Basically, you npm 'express' and 'express-jwt', and add the following to server.js:

var express = require('express');
var jwt = require('express-jwt');

// 'app' is the LoopBack application object already created at the top of
// server.js (var app = module.exports = loopback();), so nothing else is needed.
var jwtCheck = jwt({
    // Auth0 Client Secret for the app (the dashboard shows it base64-encoded).
    // Buffer.from replaces the deprecated new Buffer().
    secret: Buffer.from('riQayzqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj', 'base64'),
    // Auth0 Client id for the app; tokens whose "aud" claim differs are rejected.
    audience: 'fpvyyyyyyyyyyyyyyyyyyyyyyyyc'
});

// Require a valid bearer token on every route under /api/clients.
app.use('/api/clients', jwtCheck);

When I try to get from /api/clients without an authorization header with a valid token, it fails.  When I pass a valid token, it succeeds.  Way cool! :)

I hope that this will help others.  I will post anything more that I learn...

Mike

jmls

Jan 16, 2016, 1:40:19 PM
to LoopbackJS
that's part of the story - the second part is to map strongloop users to the supplied jwt so that you can apply ACLs etc. I've written a library (https://github.com/whoGloo/loopback-jwt) that manages the mapping for you.

Once you are using this, a strongloop user is automatically created for each validated jwt user, and all of the user functions can be applied (security etc)

hth

julian

A Bit of Help

Jan 27, 2016, 4:54:12 PM
to LoopbackJS
Thanks, Julian!  I will give it a whirl! :)

Mike

Jouke Visser

Nov 23, 2016, 10:14:44 AM
to LoopbackJS, mjga...@abitofhelp.com
I ran into the same situation as you, and also tried loopback-jwt. However, it didn't exactly work with Auth0's responses. 
I therefore decided to fork loopback-jwt and created loopback-auth0-jwt instead. You can find it here: https://www.npmjs.com/package/loopback-auth0-jwt

Cheers,

Jouke

On Wednesday, January 27, 2016 at 22:54:12 UTC+1, A Bit of Help wrote:

jmls

Nov 23, 2016, 10:30:28 AM
to LoopbackJS, mjga...@abitofhelp.com
Hey Jouke

A bit surprised that you mention it doesn't work with auth0 responses... we are using this in production.

However, if you have made changes that better fit the strongloop / auth0 process, would you please consider creating a PR so we can merge them back into the project?

Thanks!

Jouke Visser

Nov 23, 2016, 10:37:52 AM
to loopb...@googlegroups.com
Hey Julian,

It works fine for Google authentication if you get an email address in the JWT response. But if you authenticate with Facebook or Twitter, you just have the 'sub' field and have to fabricate something that looks like an email address.
I wanted something generic that works with all authentication sources that auth0 offers. Besides that, I've also implemented setting the correct TTL for the accessToken, and an ability to log out (and thereby removing the accessToken).

I originally planned to just make some changes and submit a PR, but in the end I changed quite a bit and decided this was too much for a PR.

Cheers,

Jouke

--
You received this message because you are subscribed to a topic in the Google Groups "LoopbackJS" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/loopbackjs/yT8MypWxz_E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to loopbackjs+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/loopbackjs/174704d3-c51a-4953-85b0-6d9c6a498786%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Alex Megalokonomos

Nov 23, 2016, 11:08:34 AM
to loopb...@googlegroups.com
You can authenticate with Auth0 using loopback-component-passport and passport-auth0

As long as you pay attention to this issue:



Jouke Visser

Nov 23, 2016, 11:10:58 AM
to loopb...@googlegroups.com
I know, but that doesn't work well with a Single Page Application (SPA), especially an Ionic application where everything happens in the frontend, and you simply call out to your API when you need it. 
With loopback-jwt or loopback-auth0-jwt you can use Auth0's lock, authenticate in the frontend and use the JWT to make calls to your Loopback API.

Jouke

Konrad

Mar 6, 2018, 7:12:32 AM
to LoopbackJS
could you provide a working example of the integration? I was trying to use that module in my project but I failed, I was never even close to making it work...

Erin McKean

Mar 6, 2018, 11:17:56 AM
to LoopbackJS
If you're in the San Francisco Bay Area we'll be doing a joint workshop on LoopBack and Auth0 on April 3. The event will be open for registration soon -- it will be announced here: https://developer.ibm.com/code/community/cities/san-francisco/ (or you can follow the team on Eventbrite here: https://www.eventbrite.com/o/ibm-code-sf-14758062318)

It will be recorded!

Hope this helps!

Erin
Developer Advocate, IBM

ko

Mar 6, 2018, 11:19:31 AM
to LoopbackJS
sorry but I can't, I'm from Europe. And I rather need a quick solution to that problem...