✨This is a demo project showing the integration of Okta's authentication widget and a web application✨
- User should be able to login to the application
- User should be able to view the list of their To do items
- User can see an input field where they can type a to-do item and upon submitting, the item is added to the ‘To do’ list
A) You need NodeJS and the following packages:
| Dependencies |
|---|
| npm install express |
| npm install @okta/jwt-verifier |
| npm install cors |
| npm install node-storage |
| npm install simple-encryptor |
If you are on Windows, you can run npm/install.bat to install those dependencies.
B) Start the server by executing node server.js in a command prompt and verify the deployment by navigating to your server address in your preferred browser:
http://localhost:28550Note:
runapp.batlauncher script can be used as an alternative to the command line
- The ‘To do App’ is a Single Page Application in vanilla Javascript
- Server side protected Rest APIs to save and restore the ‘user edited To do list’
- User authenticates through Okta’s Sign-in Widget
- Secure REST APIs using Okta’s JWT Verifier
- The server side API is protected via Access/Bearer token
| Login workflow |
|---|
| The end user is shown the widget if the user is not logged in |
| Upon logging in, the user is shown the homepage with a personalized greeting having the user name |
| The end user is able to logout of the application |
| Customized the Sign-in widget to match the theme of the application |
| The web app uses PKCE (Proof Key for Code Exchange) as the OIDC Login flow |
| The end user is able to go through the SMS MFA enrollment the first time he logs in |
| The end user can send SMS from the widget and verify the SMS |
- Base64 encoding of the to do list before encryption so the data is obfuscated
- Encryption of the to do list items using secretID as key and RSA-256 strong algorithm
- The encryptor uses the specified secret Id to derive a key via computing it's SHA-256 hash
- Encryption is done on AES-256 with a unique IV (intialization vector) per call that is returned as part of the result
- Single database Storage per user ID which is only known by Okta and the user himself
We are more than ever concerned about the safety of personal data. Strong encryption an security is mandatory to guarantee the relaibility of the saved details even in case of a data leak. An attacker can get a hold on a database but it is no use if the data is not readable.
The To Do List client App sends updates from the user as Base64 data, then the To Do List server verifies the user in Okta's database and encrypts the data before inserting to the local database. Only the app account admin who can access the secret key would be able to decrypt the data, however only Okta could determine who is the actual user matching the ID owner of this data; This guarantees a very strong safety all along the pipeline.
The To Do List app uses a number of open source projects to work properly:
- node.js - evented I/O for the backend
- Express - back end web application framework for Node.js
- Okta Sign-In Widget - Javascript widget that provides a fully featured and customizable login experience
- @okta/jwt-verifier - this library verifies Okta access and ID tokens
- cors - Connect/Express middleware that can be used to enable CORS
- node-storage - simple file based store for node.js
- simple-encryptor - simple encryptor/decryptor for Node.js
- jQuery - DOM Traversal and Manipulation library
- js-base64 - Base64 transcoder
And of course this project is open source with a public repository on GitHub.
A deployed live version is available here:
https://to-do-list-reg31.herokuapp.com/
MIT
Free Software, Thank you!