This project is a demonstration of the new protocol currently called XYZ, or GNAP (Grant Negotiation and Authorization Protocol). It is based on a transactional model and differs from OAuth 2. As the documentation of this new protocol explains:
The client of the API declares who it is and what it wants, the AS figures out what information it needs to fulfill that (which might include interacting with a user), and ultimately a token is produced. All along the way, components have the opportunity to bind keys to different parts of the transaction so that attackers can't take over. This intent-based system takes in experience and feedback from other similar projects and protocols, but in a way that pulls together many different aspects.
If you want more details on this demonstration, you can read RedirectFlow.md.
Implementation in NodeJs.
This implementation has both the client and AS portions, written in NodeJs with a React front end. The AS is an Express app backed by MongoDB Atlas, and the client frontend is a React app.
To run, start with the client:
npm install
npm start
Then start with the AS:
npm install
npm start
The client is accessible at http://localhost:3000
The AS is accessible at http://localhost:8080/as
The access token lets you retrieve protected data. Send a GET request with an Authorization header to see it, for example:
curl -H "Authorization: Bearer <token to copy>" http://localhost:8080/as/data
- Follow this tutorial in order to create an Atlas cluster: Get Started with Atlas
- Edit the .env file on the server side and set the MONGODB_SERVER value to connect to your Atlas cluster by replacing YOUR_USERNAME and YOUR_PASSWORD with your own values.
The expected result is shown in this video.
The GNAP spec is still a work in progress, and this implementation may not stay up to date as the spec changes.