jaredhanson / passport-openidconnect

OpenID Connect authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-openidconnect/?utm_source=github&utm_medium=referral&utm_campaign=passport-openidconnect&utm_content=about
MIT License
190 stars 175 forks

Working Sample #5

Open coreyperkins opened 9 years ago

coreyperkins commented 9 years ago

This is a question. Does anybody have a working sample of using this? I have an openid connect auth server in place using another tech and I'd like to use this lib to connect to it with an outside nodejs app. A sample would be handy. Thanks!

gobengo commented 9 years ago

+1

jasps commented 9 years ago

I got it to work after a few tweaks, what are you having an issue with specifically?

coreyperkins commented 9 years ago

The only issue is myself. :)

I haven't used passport much and I was hoping for a quick and dirty I could slap into place to give it a shot. I thought it might be something that could benefit others as well.

Thanks!

jasps commented 9 years ago

Check out the examples for passport-local (https://github.com/jaredhanson/passport-local) and then it should just be a case of changing the options for your strategy. The thing I had an issue with was the call to self._verify in the getOAuthAccessToken function of the strategy. Make sure this is aligned with your passport.use callback in your app.

coreyperkins commented 9 years ago

Interesting, I will check them out. Much appreciated.

coreyperkins commented 9 years ago

I'm struggling with this quite a bit. I've nabbed the passport-local example and I've started going through it but there are some basics I don't understand.

var OidcStrategy = require('passport-openidconnect').Strategy;

I've setup the strategy in passport by doing the following.

passport.use(new OidcStrategy({
    authorizationURL: 'my-auth-endpoint',
    tokenURL: 'my-token-endpoint',
    userInfoURL: 'my-user-info-endpoint',
    clientID: 'my-client',
    clientSecret: 'my-client-secret',
    callbackURL: '/callback'
}, verify));

I think this chunk needs to be modified to go out to the openid connect server I am trying to use for auth.

app.get('/login', passport.authenticate('local', { failureRedirect: '/login', failureFlash: true }), function(req, res) {
    res.redirect('/');
});

At this point, I am not quite sure how to modify this to properly interact with passport-openidconnect. I am getting confused at the point of calling the authenticate middleware.

I thought maybe I could simply call authenticate and it would attempt to hit my auth endpoint. Perhaps like this.

app.get('/login', passport.authenticate() );

This is resulting in a 401 without even trying to go out to the auth endpoint I specified.

Any advice?

jasps commented 9 years ago

In this snippet of code:

app.get('/login', passport.authenticate('local', { failureRedirect: '/login', failureFlash: true }), function(req, res) {
    res.redirect('/');
});

passport.authenticate('local'... should be passport.authenticate('passport-openidconnect'...

coreyperkins commented 9 years ago

I think I'm still missing something fundamental. Here's my script.

var OidcStrategy = require('passport-openidconnect').Strategy;

passport.use(new OidcStrategy({
    authorizationURL: baseAuthUrl + '/id/conn/auth',
    tokenURL: baseAuthUrl + '/id/conn/token',
    userInfoURL: baseAuthUrl + '/id/conn/userinfo',
    clientID: 'fakeClient',
    clientSecret: 'fakeSecret',
    callbackURL: '/authorize'
}, verify)); // the verify callback and the closing parenthesis were missing from the posted snippet

app.get('/login', passport.authenticate('passport-openidconnect', { failureRedirect: '/login', failureFlash: true }), function(req, res) {
    console.log('verify hit');
    res.redirect('/');
});

When I hit /login it will tell me this:

Error: Unknown authentication strategy "passport-openidconnect"
    at attempt (C:\nodeoidc\node_modules\passport\lib\middleware\authenticate.js:166:37)
    at authenticate (C:\nodeoidc\node_modules\passport\lib\middleware\authenticate.js:342:7)
    at Layer.handle [as handle_request]
    at next (C:\nodeoidc\node_modules\express\lib\router\route.js:110:13)
    at Route.dispatch (C:\nodeoidc\node_modules\express\lib\router\route.js:91:3)
    at Layer.handle [as handle_request]
    at C:\nodeoidc\node_modules\express\lib\router\index.js:267:22
    at Function.proto.process_params (C:\nodeoidc\node_modules\express\lib\router\index.js:321:12)
    at next (C:\nodeoidc\node_modules\express\lib\router\index.js:261:10)
    at SendStream.error (C:\nodeoidc\node_modules\express\node_modules\serve-static\index.js:107:7)

jasps commented 9 years ago

Corey,

Try this (changing passport-openidconnect to openidconnect):

app.get('/login', passport.authenticate('openidconnect', { failureRedirect: '/login', failureFlash: true }), function(req, res) {
    console.log('verify hit');
    res.redirect('/');
});

coreyperkins commented 9 years ago

That did it! I was redirected to my auth server which reported an invalid response because I don't yet have "code" allowed as a response type.

It looks like "code" is hard-coded into the source, know if there are any plans to support other response types?

jasps commented 9 years ago

Good news. Just create your own local module and base it on passport-openidconnect then you can change it to whatever you like. Check the openid-connect specs for the different flows.

juanifioren commented 9 years ago

@coreyperkins @jasps When you write:

passport.use(new OidcStrategy({
    authorizationURL: 'my-auth-endpoint',
    tokenURL: 'my-token-endpoint',
    userInfoURL: 'my-user-info-endpoint',
    clientID: 'my-client',
    clientSecret: 'my-client-secret',
    callbackURL: '/callback'
}, verify));

What exactly is that function verify? If I don't pass it as a parameter then I get an error.

jasps commented 9 years ago

This is the function that will capture your profile, claims etc. You need it. In this function, you will usually pull the relevant user from a database and return that user or a sub-set of user attributes, which is what I do. This is what passport will serialize in the session.

juanifioren commented 9 years ago

Thanks @jasps for that fast reply. I understand now. Do you have a working example of this function?

jasps commented 9 years ago

Not that would help you I'm afraid. Check the samples. There is one that pulls a user from MongoDB.

juanifioren commented 9 years ago

Thanks anyways man! @jasps I ended up with this function, it works.

function (iss, sub, profile, done) {
  User.find({ email: profile._json.email }, function (err, docs) {
    if (err) { return done(err); } // report lookup errors on their own, never paired with a user
    if (docs.length === 0) {
      var user = new User({ email: profile._json.email });
      // wait for the save to finish so a failed insert is reported to passport
      user.save(function (saveErr) {
        return done(saveErr, saveErr ? null : user);
      });
    } else {
      return done(null, docs[0]);
    }
  });
}

Tested against django-oidc-provider.
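As an added example that is not part of the thread, the same four-argument verify callback rewritten against a constructed in-memory store (the `users` Map, `findByIssuerSubject`, `createUser` and `verifyAndReturn` are stand-ins, not Mongoose or passport-openidconnect APIs): it keys accounts on issuer plus subject, the identity OIDC defines as stable, instead of the email claim, and only calls `done` once the insert has completed.

```javascript
// Constructed stand-in for the database: keyed on issuer + subject, which OIDC
// defines as the stable identity, rather than on the email claim.
const users = new Map();

function userKey(iss, sub) {
  return iss + '|' + sub;
}

// Fake model calls. A real driver calls back asynchronously; verify() below
// only calls done() inside these callbacks, so it behaves the same either way.
function findByIssuerSubject(iss, sub, cb) {
  cb(null, users.get(userKey(iss, sub)) || null);
}

function createUser(iss, sub, email, cb) {
  if (users.has(userKey(iss, sub))) return cb(new Error('duplicate user'));
  const user = { id: users.size + 1, iss: iss, sub: sub, email: email };
  users.set(userKey(iss, sub), user);
  cb(null, user);
}

// Verify callback, passed as the second argument to `new OidcStrategy(options, verify)`.
function verify(iss, sub, profile, done) {
  if (!iss || !sub) return done(null, false, { message: 'token lacks iss or sub' });
  findByIssuerSubject(iss, sub, function (err, user) {
    if (err) return done(err);            // report lookup failures on their own, never with a user
    if (user) return done(null, user);    // returning user: matched on iss+sub, email may have changed
    const email = profile && profile._json ? profile._json.email : undefined;
    createUser(iss, sub, email, function (saveErr, created) {
      if (saveErr) return done(saveErr);  // a failed insert must not turn into a logged-in session
      done(null, created);
    });
  });
}

// Captures what verify() hands to done(), so the flow can be checked directly.
function verifyAndReturn(iss, sub, profile) {
  let result = { err: null, user: undefined, info: undefined };
  verify(iss, sub, profile, function (err, user, info) {
    result = { err: err, user: user, info: info };
  });
  return result;
}
```

In the app, `verify` goes where juanifioren's function did, and `passport.serializeUser` would store the returned `user.id`.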

mithun-daa commented 8 years ago

@jasps What did you do to fix the verify callback?

The thing I had an issue with was the call to self._verify in the getOAuthAccessToken function of the strategy. Make sure this is aligned with your passport.use callback in your app.

My verify callback is not getting called either.

whindes commented 7 years ago

Is there any update or workaround for the response_type? It is still hard coded to "code" and it would be nice to have "id_token token". Please let us know of any alternate solutions.

mithun-daa commented 7 years ago

@whindes I used https://github.com/panva/node-openid-client for that and it works great.

barnaby33 commented 7 years ago

Got a code snippet for using the token/implicit flow?

Harshil1989 commented 7 years ago

I am trying to integrate this with my sample node js project...but I am not able to understand how to invoke this...since I am getting the below error when I call this:

TypeError: Parameter "url" must be a string, not undefined

(at the below line in the strategy.js of this lib)

this._key = options.sessionKey || (this.name + ':' + url.parse(options.authorizationURL).hostname);

I am passing all these parameters: authorizationURL: 'my-auth-endpoint', tokenURL: 'my-token-endpoint', userInfoURL: 'my-user-info-endpoint', clientID: 'my-client', clientSecret: 'my-client-secret', callbackURL: '/callback'

can someone let me know...what I am doing wrong? Any help appreciated...Thanks!

barnaby33 commented 7 years ago

First guess is that the values you are passing are 'my-auth-endpoint' instead of the URL to your OAuth/OpenId server.

fdescamps commented 6 years ago

@barnaby33 : did you find a code snippet for using the token/implicit flow?

barnaby33 commented 6 years ago

Actually I don't remember. This was almost a year ago for me. I believe I did or rather pieced one together, but don't have a link.

Josh