Important
With the introduction of [navikt/next-auth-wonderwall](https://github.com/navikt/next-auth-wonderwall), solving mostly the same issues, this package is now considered deprecated.
A simple middleware to perform token exchange.
Looks for a valid ID-porten subject token in the authorization header, then exchanges it for an access token valid only for a given audience.
In all cases, `<target-audience>` identifies the intended audience for the resulting token, i.e. the target app you request a token for. This value must be the `client_id` of the target app, using the naming scheme `<cluster>:<namespace>:<appname>`, e.g. `prod-gcp:namespace1:app1`.
TODO
```js
import { idportenTokenXMiddleware } from "@navikt/tokenx-middleware";

// `server` is your existing server instance; the call uses the name imported above.
server.use('url-to-another-nais-app', idportenTokenXMiddleware('<target-audience>'));
```
TL;DR: you need the following spec in your NAIS manifest:

```yaml
spec:
  tokenx:
    enabled: true
  idporten:
    enabled: true
    sidecar:
      enabled: true
```
Long version:

- You have an ID-porten subject token in the `authorization` header of the request. You can use Wonderwall to achieve this.
- The environment variables `IDPORTEN_WELL_KNOWN_URL` and `IDPORTEN_CLIENT_ID` are available at runtime. This happens automatically if you enable idporten in your NAIS app.
- The environment variables `TOKEN_X_CLIENT_ID`, `TOKEN_X_PRIVATE_JWK` and `TOKEN_X_WELL_KNOWN_URL` are available at runtime. Enable TokenX for these to be set automatically.
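
The request behind the exchange described above, shown as an added example that is not code from `@navikt/tokenx-middleware`. It assumes the exchange is an OAuth 2.0 Token Exchange request (RFC 8693) authenticated with a signed JWT client assertion (RFC 7523); the function names, token endpoint URL, key, client ID and subject token are constructed for the demonstration.

```javascript
// Added example (not the package's code); parameter names per RFC 8693 / RFC 7523.
const crypto = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");

// Sign a compact RS256 JWT with a private key given as a JWK object.
function signJwt(claims, privateJwk) {
  const header = { alg: "RS256", typ: "JWT", kid: privateJwk.kid };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const key = crypto.createPrivateKey({ key: privateJwk, format: "jwk" });
  const signature = crypto.sign("RSA-SHA256", Buffer.from(input), key);
  return `${input}.${signature.toString("base64url")}`;
}

// Form body: authenticate with a signed assertion, ask for a token bound to one audience.
function buildTokenExchangeBody({ clientId, privateJwk, tokenEndpoint, subjectToken, audience, now }) {
  const clientAssertion = signJwt({
    iss: clientId, sub: clientId, aud: tokenEndpoint,
    jti: crypto.randomUUID(),            // unique per request
    iat: now, nbf: now, exp: now + 60,   // short-lived
  }, privateJwk);
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: clientAssertion,
    subject_token_type: "urn:ietf:params:oauth:token-type:jwt",
    subject_token: subjectToken,
    audience,                            // <cluster>:<namespace>:<appname>
  });
}

// Constructed demo values. In a NAIS app they would come from TOKEN_X_CLIENT_ID,
// TOKEN_X_PRIVATE_JWK and the metadata document at TOKEN_X_WELL_KNOWN_URL.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const privateJwk = { ...privateKey.export({ format: "jwk" }), kid: "demo-key" };
  const body = buildTokenExchangeBody({
    clientId: "dev-gcp:namespace1:frontend",
    privateJwk,
    tokenEndpoint: "https://tokenx.example/token",
    subjectToken: "constructed.subject.token",
    audience: "prod-gcp:namespace1:app1",
    now: 1700000000,
  });
  const [h, p, s] = body.get("client_assertion").split(".");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  const signatureValid = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  return { body, claims, signatureValid };
}
```

The `audience` parameter is what restricts the resulting access token to the target app, so a token obtained for `prod-gcp:namespace1:app1` should be rejected by any other app that validates the `aud` claim.
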
- Commit all your changes to `main`
- Run `yarn version --<patch|minor|major>` (following semantic versioning) to create a versioning commit.
- Push the versioning commit to `main`. Take note of the version number `<x.y.z>`
- Go to GitHub -> Releases -> Draft new release
- Enter `v<x.y.z>` as the tag, give the release a name and description, and click release.