- authorizationServer, protectedResource, and client Node.js web servers.
- Based on OAuth in Action (https://github.com/oauthinaction/oauth-in-action-code).
Create 4 loopback interfaces on the Windows machine:
- 10.0.0.10 for client 1.
- 10.0.0.11 for client 2 (two clients are needed to test back-channel logout).
- 20.0.0.25 for the authorizationServer.
- 30.0.0.30 for the protectedResource.
```sh
npm install
node authorizationServer.js
# OIDC Authorization Server is listening at http://20.0.0.25:9001
# http://20.0.0.25:9001/.well-known/openid-configuration
node protectedResource.js
# OIDC Resource Server is listening at http://30.0.0.30:9002
node client.js
# OIDC Client is listening at http://10.0.0.10:9000
node client.js --ip=10.0.0.11 --port=9000
# OIDC Client is listening at http://10.0.0.11:9000
```
- User authentication
- User approval
- Authorization code flow
- Session management
- RP-initiated logout: the client passes id_token_hint to the authorizationServer when the user logs out.
- Back-channel logout
- Dynamic client registration
  - authorizationServer publishes its configuration at /.well-known/openid-configuration
  - client fetches the authorizationServer configuration before registering with the authorizationServer
- authorizationServer publishes its JWKS at /jwks
- client verifies the signature of the token with the key fetched from address-of-authorizationServer/jwks
- Add test cases (mocha, supertest, chai)
  - authorization server
    ```sh
    node node_modules\mocha\bin\mocha test\as-test.js
    ```
- authorization server
  - user management
    - store users in the database
    - register
    - change password
- Security protections
  - csurf
    - updated the test case to store and use the CSRF token from the cookie and res.body
  - https
    - keys and certs generated via the commands below:
      ```sh
      openssl genrsa -out key.pem
      openssl req -new -key key.pem -out csr.pem
      openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
      rm csr.pem
      ```
  - hash the password using bcrypt
  - use helmet to secure the HTTP headers
- Add test cases
  - authorization server
  - client
  - protected resource server
- re-register with the authorization server if access from the client to it fails due to unknown-client
- add protection and error handling for all client APIs
- add protection and error handling for all authorization server APIs
- add protection and error handling for all protectedResource server APIs
- store session data in the database
- user management
  - delete account