An Express.js middleware to protect OpenID Connect web applications.

README.md

Note: use at your own risk; this project is in its early stages and the API is changing a lot.

Express.js middleware for OpenID Relying Party (aka OAuth 2.0 Client).

The purpose of this middleware is to give our customers a tool to easily add authentication to their applications. The goals for this project are:

  1. Secure by default:
  • The middleware implements the best practices for working with OpenID Connect providers.
  • All routes after the middleware require authentication by default.
  2. Simple setup: pain-free configuration by using OpenID Connect metadata and the best defaults.
  3. Standard: the library is standard enough to work with many OpenID Connect providers.

Install

npm i express-openid-connect --save

Requirements

Before installing the routes,

Usage

Using the auth middleware:

const express = require('express');
const { auth } = require('express-openid-connect');

const app = express();

// insert your session and body parser middlewares here
// app.use(session());
// app.use(bodyParser());

app.use(auth());

// every route registered after auth() requires an authenticated user
app.use('/', (req, res) => {
  res.send(`hello ${req.openid.user.name}`);
});

app.listen(3000);
  • Every route after auth() requires authentication.
  • If a user tries to access a resource without being authenticated, the application triggers the authentication process. After completion the user is redirected back to the resource.
  • The application also gets GET /login and GET /logout routes for easy linking.

This application needs the following environment variables to work:

  • ISSUER_BASE_URL: The URL of the issuer.
  • CLIENT_ID: The client ID of the application.
  • BASE_URL: The URL of your application. For development environments you can omit this.
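As an added example (not code from express-openid-connect), the following pre-flight check validates those three environment variables before the app starts, so a misconfigured deployment fails fast instead of redirecting users to a wrong or plaintext issuer. The https-only rule for the issuer, the `development` test for omitting BASE_URL, the `http://localhost:3000` fallback and the `loadOpenIdConfig` function name are my own assumptions.

```javascript
// Hypothetical pre-flight check for the README's env vars; not part of the library.
// env is passed in as a plain object (like process.env) so it can be checked offline.

function requireHttpsUrl(name, value) {
  if (!value) throw new Error(`${name} is required`);
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    throw new Error(`${name} is not a valid URL`);
  }
  // An OpenID Connect issuer identifier must use https; http would expose the flow.
  if (parsed.protocol !== 'https:') throw new Error(`${name} must use https`);
  // Normalise away trailing slashes so the discovery URL is built consistently.
  return parsed.origin + parsed.pathname.replace(/\/+$/, '');
}

function loadOpenIdConfig(env, nodeEnv = env.NODE_ENV || 'development') {
  const issuerBaseURL = requireHttpsUrl('ISSUER_BASE_URL', env.ISSUER_BASE_URL);
  if (!env.CLIENT_ID) throw new Error('CLIENT_ID is required');

  let baseURL = env.BASE_URL;
  if (!baseURL) {
    // Assumption: BASE_URL may only be omitted when running in development.
    if (nodeEnv !== 'development') throw new Error('BASE_URL is required outside development');
    baseURL = 'http://localhost:3000'; // assumed development default
  }

  return {
    issuerBaseURL,
    clientID: env.CLIENT_ID,
    baseURL,
    // Discovery document behind the README's "OpenID Connect metadata" setup.
    metadataURL: `${issuerBaseURL}/.well-known/openid-configuration`,
  };
}

// Constructed sample values for a stand-alone run.
const sampleEnv = {
  ISSUER_BASE_URL: 'https://issuer.example.com/',
  CLIENT_ID: 'constructed-client-id',
  BASE_URL: 'https://app.example.com',
};
console.log(JSON.stringify(loadOpenIdConfig(sampleEnv), null, 2));
```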

For more examples check the EXAMPLES document.

The auth() middleware can be customized; see the API document.

License

This project is licensed under the MIT license. See the LICENSE file for more info.