Confused about usage with passport.js #44

Closed
Johnpc123 opened this issue Aug 4, 2017 · 4 comments

@Johnpc123

Hi there,

Thanks for providing this repo, I'm learning a lot studying it. I hope this question is not too vague, so I've been trying to figure out how to ask this best.

As suggested I've set up a working example of your OP and RP examples to experiment with. (foo@example.com gets authenticated and authorized, everything works smoothly, but now I would like my own user manager)

I'm confused about usage with passport.js and node-openid-provider.

The login/authentication page is located on the node-oidc-provider. The node-openid-client instance on the RP redirects the UserAgent to the issuer's /auth url (with a callback) when a protected resource needs auth interactions...

The notes say pass the client instance to the passport Strategy once you have it.

How do I "pass the client to the passport strategy"?

Where is passport.js required? In the RP app.js?

From the example "Usage With Passport" I try adding this require.

const Strategy = require('openid-client').Strategy;

It warns about recursive includes (as it should given it would create a circular reference!)...

So how and where do I require the openid-client passport Strategy? In the OP authentication page?

So I never get this far:

// start authentication request
app.get('/auth', passport.authenticate('oidc'));

Is there supposed to be a login view provided on the RP for each OP's passport strategy? Would they be express apps like the oidc-provider-example auth page is?

A pointer would be much appreciated.

Thanks

@panva
Owner

panva commented Aug 4, 2017

> I'm confused about usage with passport.js and node-openid-provider.

I guess this is where your disconnect happens. The two aren't to be meshed together.

  • Passport.js (see the library's website) is a multi provider authentication library for a website.
  • A Strategy that I provide with openid-client is so that you can use any OpenID Connect Provider with your passport.js setup, i.e. next to facebook and local account signup.
  • You use these strategies against multiple providers and the passport lib makes it so that you just have one interface
  • There's nothing from passport that belongs to an OpenID Connect provider
  • oidc-provider is for when you want to be an OpenID Connect Provider for many Relying Parties.

> So how and where do I require the openid-client passport Strategy?

Please see passport js usage documentation first.

> Is there supposed to be a login view provided on the RP for each OP's passport strategy?

This makes 0 sense to me. Are you familiar with OpenID Connect actors and how they interact with one another?

@Johnpc123
Author

Thanks for replying ---

Okay, yes I think I'm familiar. .. but I'm simultaneously getting used to the differences between express and koa2 and my brain may have overheated.

The Open ID authentication flow I'm getting familiar with this illustration of how the OpenID Connect Actors interact.

and .. yes I do think I need to review the passport.js documentation further.

One detail could help me with my disconnect..

In the example authentication occurs on the OP. It does not use passport. It's a nice clean simple example. The node-oidc-client RP redirects (as needed) to the /auth view on the OP, again no passport.

But if I want to authenticate using an OP provider, FB / Twit / oidc-provider (whichever) to grant access to a restricted resource on my RP. To do that I'll use passport.js.

Do I require passport.js and the requisite Passport strategy in the app.js of my RP? because when I try to do that it tells me I have a circular reference?

Or, instead of editing the RP example, do I create a separate site and const Strategy = require('openid-client').Strategy; there in its app.js, thus making an RP out of that site?

Apologies.. it's been quite confusing.

@panva
Owner

panva commented Aug 4, 2017

My recommendation is, if you want to use passport - start fresh with a pure passport example. Then when you know how passport works and you want to connect it to an OIDC OP come back and

  1. discover the OP (Issuer)
  2. instantiate a Client off that OP (Issuer)
  3. pass it to the Strategy constructor
  4. register that Strategy instance with your passport.

@panva panva closed this as completed Aug 6, 2017
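
The four steps listed above, written out as an added example (not code from this issue or from the openid-client project). It assumes the `Issuer.discover`, `issuer.Client` and `Strategy` API that openid-client documents for its passport usage in versions up to 5.x; the config fields, the `/auth/cb` path and both helper names are hypothetical, and the libraries are passed in as arguments so the wiring is explicit.

```javascript
// Added example. This lives in the RP's app.js; nothing here runs on the OP.
// Real wiring (assumption: openid-client up to 5.x and passport are installed):
//   const { Issuer, Strategy } = require('openid-client');
//   const passport = require('passport');
//   registerOidcStrategy({ Issuer, Strategy, passport }, config);
async function registerOidcStrategy({ Issuer, Strategy, passport }, config) {
  // 1. discover the OP (Issuer) from its published metadata
  const issuer = await Issuer.discover(config.issuerUrl);

  // 2. instantiate a Client off that Issuer with the RP's registered credentials
  const client = new issuer.Client({
    client_id: config.clientId,
    client_secret: config.clientSecret,
    redirect_uris: [config.redirectUri],
    response_types: ['code'],
  });

  // 3. pass the client to the Strategy constructor
  const strategy = new Strategy(
    { client, params: { scope: 'openid email', redirect_uri: config.redirectUri } },
    (tokenset, userinfo, done) => {
      // Key the local account on issuer + sub; email is not a stable identifier.
      if (!userinfo || !userinfo.sub) return done(new Error('userinfo has no sub'));
      return done(null, { id: `${issuer.issuer}|${userinfo.sub}`, email: userinfo.email });
    }
  );

  // 4. register that Strategy instance with passport
  passport.use('oidc', strategy);
  return strategy;
}

// Routes on the RP. The strategy keeps state and nonce in req.session, so
// session middleware must be mounted before these. Paths are placeholders.
function mountAuthRoutes(app, passport) {
  app.get('/auth', passport.authenticate('oidc')); // start authentication request
  app.get('/auth/cb', passport.authenticate('oidc', {
    successRedirect: '/',
    failureRedirect: '/login',
  }));
}
```

The login form itself stays on the OP; the RP only starts the redirect and handles the callback.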
@Johnpc123
Author

Thanks for suggesting I take this approach!

@github-actions github-actions bot locked and limited conversation to collaborators Apr 6, 2020