grant-oidc v0.0.4

grant-oidc

id_token validation middleware for Grant

• IdP configuration discovery (no caching)
• IdP public keys discovery (no caching)
• id_token validation including its signature

Configuration

grant-oidc accepts your Grant configuration

Middlewares

For Express and Koa grant-oidc needs to be mounted after Grant, and before any of the callback URLs defined in your Grant configuration.

Express

var express = require('express')
var session = require('express-session')
var grant = require('grant-express') // or require('grant').express()
var oidc = require('grant-oidc').express()
var config = require('./config.json')

express()
  .use(session({name: 'grant', secret: 'grant', saveUninitialized: true}))
  .use(grant(config))
  .use(oidc(config))
  .get('/hi', (req, res) => {
    res.end(JSON.stringify(req.session.grant.response, null, 2))
  })
  .listen(3000)

Koa

var Koa = require('koa')
var session = require('koa-session')
var grant = require('grant-koa') // or require('grant').koa()
var oidc = require('grant-oidc').koa()
var config = require('./config.json')

var app = new Koa()
app.keys = ['grant']
app.use(session(app))
app.use(grant(config))
app.use(oidc(config))
app.use((ctx, next) => {
  if (ctx.path === '/hi') {
    ctx.body = JSON.stringify(ctx.session.grant.response, null, 2)
  }
})
app.listen(3000)

Hapi

var Hapi = require('hapi')
var yar = require('yar')
var grant = require('grant-hapi') // or require('grant').hapi()
var oidc = require('grant-oidc').hapi()
var config = require('./config.json')

var server = new Hapi.Server({host: 'localhost', port: 3000})

server.route({method: 'GET', path: '/hi', handler: (req, res) => {
  return res.response(JSON.stringify(req.yar.get('grant').response, null, 2))
    .header('content-type', 'text/plain')
}})

server.register([
  {plugin: grant(), options: config},
  {plugin: oidc(), options: config},
  {plugin: yar, options: {cookieOptions: {password: '01234567890123456789012345678912', isSecure: false}}},
])
.then(() => server.start())

Example

{
  "defaults": {
    "protocol": "http",
    "host": "localhost:3000",
    "transport": "session",
    "state": true,
    "nonce": true,
    "scope": [
      "openid"
    ],
    "callback": "/hi"
  },
  "asana": {"key": "...", "secret": "..."},
  "auth0": {"key": "...", "secret": "..."},
  "authentiq": {"key": "...", "secret": "..."},
  "google": {"key": "...", "secret": "..."},
  "ibm": {"key": "...", "secret": "..."},
  "line": {"key": "...", "secret": "..."},
  "microsoft": {"key": "...", "secret": "..."},
  "okta": {"key": "...", "secret": "..."},
  "onelogin": {"key": "...", "secret": "..."},
  "paypal": {"key": "...", "secret": "..."},
  "phantauth": {"key": "...", "secret": "..."},
  "salesforce": {"key": "...", "secret": "..."},
  "twitch": {"key": "...", "secret": "..."},
  "yahoo": {"key": "...", "secret": "..." }
}

Quirks

• Google issuer URL doesn't have protocol

• Paypal issuer have different domain than the configuration URL

• Paypal returns the idp configuration JSON with wrong content-type

• Asana doesn't return kid in the header, and a single key is found in jwks_uri that should be picked

• Asana doesn't honor the nonce parameter and doesn't embed it in the id_token