This example is similar to the user_access_generator but covers a single scope and how to verify it. Specifically, the OIDC
OIDC works with both the "Authorization Code Flow" and the "Implicit Code Flow", but this example only covers the "Authorization Code Flow".
This uses JWTs, so you should read up on what a JWT is at JWT.io.
What is OIDC, and what is the point of it in the first place?
OIDC is a standard method for logging in with a service.
It also supports an auto-discovery system, so you can feed a library just a URL.
In this case that URL is https://id.twitch.tv/oauth2/ and the OIDC library will configure itself using the values in https://id.twitch.tv/oauth2/.well-known/openid-configuration
- Open config_sample.json in a text editor
- Visit the Twitch Dev Console
- Visit Applications
- Manage your Application, or create one if you don't have one
- Copy the Client ID into the "" of client_id
- Hit New Secret then Ok
- Copy the new Client Secret into the "" of client_secret
- Add or change the OAuth Redirect URLs to include one for http://localhost:8000/ as Twitch now supports multiples
- Save your modified file as config.json
You can change the port in the config if you want, but remember to change it in the Redirect URLs as well, and update the config's redirect_uri.
In a console/terminal, run these commands:

```
npm install
node server.js
```

- Open http://localhost:8000 in a browser
JWTs have a really short validity, around 15 minutes, and also cannot be refreshed!
A Twitch OpenID call can be combined with other "regular" scopes, and will return a "regular" API access token for use. Uncomment server.js Line 193 to see what you get!
The validate endpoint returns some important information, such as when the token expires. You'll need to refresh the token as needed, using the refresh token, when it expires; that's not covered in this example, but you can read about refreshing on the docs.
Also note that the validate endpoint uses OAuth instead of Bearer in the Authorization header.
This is an example, so it doesn't contain all the best security practices. Since this uses cookies to manage logins, you should change the session code to something like:

```javascript
// Back sessions with Redis instead of the default in-memory store, and send the
// session cookie with the flags a production deployment needs.
app.use(session({
    store: new RedisStore({
        client: redis_client
    }),
    secret,                 // a long random value loaded from config, never committed
    resave: true,
    saveUninitialized: false,
    cookie: {
        secure: true,       // only sent over HTTPS; behind a TLS-terminating proxy also app.set('trust proxy', 1)
        maxAge: something   // session lifetime in milliseconds, pick a value that suits you
    },
    rolling: true           // extend the session on every response while the user is active
}));
```
See also Production Best Practices: Security
If you are putting this nodeJS HTTP server behind NGINX, your NGINX declaration for the location will need additional fields:

```nginx
server {
    # "ssl on;" is deprecated and removed in current NGINX; enable TLS on the listen directives instead
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    root /some/path/to/files;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        # Client address and original scheme; X-Forwarded-Proto is what lets the app
        # (with trust proxy enabled) know the request was HTTPS so secure cookies are set
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cookie flags: the app must see the public hostname so cookies and redirect_uri match
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;

        # Other: HTTP/1.1 with Upgrade/Connection passed through so WebSocket upgrades work
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;

        proxy_pass http://this_server_relay;
    }
}

upstream this_server_relay {
    # must match the port the Node server listens on (set in config.json)
    server 127.0.0.1:5000;
    keepalive 8;
}
```