node-access-token-validation v1.0.0
OAuth 2.0 - node AccessTokenValidation
Authentication handler for node that allows accepting both JWTs and reference tokens (Introspection).
JWT Usage
Simply specify authority and API name (aka audience):
import AccessTokenHandler from './access-token-handler';
import AuthenticationOptions from './authentication-options';
var at_validation = new AccessTokenHandler({
authority: 'https://localhost:5000',
apiName: "<api name>
});
at_validation.Handle('bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjlXVFR1Nm9nZzQyamR2WUpaTUZRYXciLCJ0eXAiOiJhdCtqd3QifQ.eyJuYmYiOjE1ODU5NDI5MjIsImV4cCI6MTU4NTk0NjUyMiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6ImpwX2FwaSIsImNsaWVudF9pZCI6IklTNC1BZG1pbiIsInN1YiI6IjA5MDRlNzVlLTQxM2QtNDg2MC05MzI5LWIyNTg3MjQ3MDY1YSIsImF1dGhfdGltZSI6MTU4NTcyMzY3NSwiaWRwIjoibG9jYWwiLCJpczQtcmlnaHRzIjoibWFuYWdlciIsInJvbGUiOiJBZG1pbmlzdHJhdG9yIiwiZW1haWwiOiJiaGRlYnJpdG9AZ21haWwuY29tIiwidXNlcm5hbWUiOiJicnVubyIsInNjb3BlIjpbInJvbGUiLCJlbWFpbCIsInByb2ZpbGUiLCJvcGVuaWQiLCJqcF9hcGkuaXM0Il0sImFtciI6WyJwd2QiXX0.IXXE3P1lU5a_G4uMdVuilpej4E6inlV7ObOprszbyZbjnoS2gwOyegB3WSAjwsbTmzGM-T9_SgLhVP-lqJ94mg').then(console.log).catch(console.warn);
Enable reference tokens
Additionally specify the API secret for the introspection endpoint:
import AccessTokenHandler from './access-token-handler';
import AuthenticationOptions from './authentication-options';
var at_validation = new AccessTokenHandler({
authority: 'https://localhost:5000',
apiName: "<api name>",
apiSecret: "<api secret>"
});
at_validation.Handle('bearer z5RuNoKkZQ1cAwstP7ZhHAV8NcmljulxPHzOvNuIRLQ').then(console.log).catch(console.warn);
Scope validation
In addition to API name checking, you can do more fine-grained scope checks.
at_validation.Handle('bearer <bearer>').then(claims => {
if(claims["custom_claims"] != "custom_value")
throw new Error();
//...
}).catch(console.warn):
Cache response
By default response stay cached by 5 minutes (600 sec). You can change or disable.
var at_validation = new AccessTokenHandler({
authority: 'https://localhost:5000',
apiName: "<api name>",
apiSecret: "<api secret>",
enableCache: true,
cacheDuration: 600
});
at_validation.Handle('bearer <bearer>').then(console.log).catch(console.warn);
Restrict token type
You can explicit disable JWT or Reference tokens.
var at_validation = new AccessTokenHandler({
authority: 'https://localhost:5000',
supportedTokens = SupportedTokens.Jwt
});
at_validation.Handle('bearer <bearer>').then(console.log).catch(console.warn);
Audience
By default it checks audience. If you are running through API Gateway and validating many requests disable it.
var at_validation = new AccessTokenHandler({
authority: 'https://localhost:5000',
apiName: '<api name>'
checkAudience = false;
});
at_validation.Handle('bearer <bearer>').then(console.log).catch(console.warn);
License
Node Access Token Validation is Open Source software and is released under the MIT license. This license allow the use of Node Access Token Validation in free and commercial applications and libraries without restrictions.