Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/curityio/oauth-agent-node-express
A Node.js OAuth Agent, providing API driven OAuth and OpenID Connect for SPAs
https://github.com/curityio/oauth-agent-node-express
express oauth-agent oauth2 openid-connect spa token-handler
Last synced: 1 day ago
JSON representation
A Node.js OAuth Agent, providing API driven OAuth and OpenID Connect for SPAs
- Host: GitHub
- URL: https://github.com/curityio/oauth-agent-node-express
- Owner: curityio
- License: apache-2.0
- Created: 2021-07-26T10:12:57.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2024-09-25T12:55:26.000Z (4 months ago)
- Last Synced: 2025-01-03T01:18:40.423Z (8 days ago)
- Topics: express, oauth-agent, oauth2, openid-connect, spa, token-handler
- Language: TypeScript
- Homepage: https://curity.io/resources/learn/standard-oauth-agent/
- Size: 594 KB
- Stars: 48
- Watchers: 5
- Forks: 18
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# A Node.js OAuth Agent for SPAs
[![Quality](https://img.shields.io/badge/quality-test-yellow)](https://curity.io/resources/code-examples/status/)
[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)## Overview
The OAuth Agent acts as a modern `Back End for Front End (BFF)` for Single Page Applications.\
This implementation demonstrates the standard pattern for SPAs:- Strongest browser security with only `SameSite=strict` cookies
- The OpenID Connect flow uses Authorization Code Flow (PKCE) and a client secret![Logical Components](/doc/logical-components.png)
## Architecture
The following endpoints are implemented by the OAuth agent.\
The SPA calls these endpoints via one liners, to perform its OAuth work:| Endpoint | Description |
| -------- | ----------- |
| POST /oauth-agent/login/start | Start a login by providing the request URL to the SPA and setting temporary cookies |
| POST /oauth-agent/login/end | Complete a login and issuing secure cookies for the SPA containing encrypted tokens |
| GET /oauth-agent/userInfo | Return information from the User Info endpoint for the SPA to display |
| GET /oauth-agent/claims | Return ID token claims such as `auth_time` and `acr` |
| POST /oauth-agent/refresh | Refresh an access token and rewrite cookies |
| POST /oauth-agent/logout | Clear cookies and return an end session request URL |For further details see the [Architecture](/doc/Architecture.md) article.
## Deployment
Build the OAuth agent into a Docker image:
```bash
npm install
npm run build
docker build -t oauthagent:1.0.0 .
```Then deploy the Docker image with environment variables similar to these:
```yaml
oauth-agent:
image: oauthagent:1.0.0
hostname: oauthagent-host
environment:
PORT: 3001
TRUSTED_WEB_ORIGIN: 'https://www.example.com'
ISSUER: 'https://login.example.com/oauth/v2/oauth-anonymous'
AUTHORIZE_ENDPOINT: 'https://login.example.com/oauth/v2/oauth-authorize'
TOKEN_ENDPOINT: 'https://login-internal/oauth/v2/oauth-token'
USERINFO_ENDPOINT: 'https://login-internal/oauth/v2/oauth-userinfo'
LOGOUT_ENDPOINT: 'https://login.example.com/oauth/v2/oauth-session/logout'
CLIENT_ID: 'spa-client'
CLIENT_SECRET: 'Password1'
REDIRECT_URI: 'https://www.example.com/'
POST_LOGOUT_REDIRECT_URI: 'https:www.example.com/'
SCOPE: 'openid profile'
COOKIE_DOMAIN: 'api.example.com'
COOKIE_NAME_PREFIX: 'example'
COOKIE_ENCRYPTION_KEY: 'fda91643fce9af565bdc34cd965b48da75d1f5bd8846bf0910dd6d7b10f06dfe'
CORS_ENABLED: 'true'
SERVER_CERT_P12_PATH: '/certs/my.p12'
SERVER_CERT_P12_PASSWORD: 'Password1'
```If the OAuth Agent is deployed to the web domain, then set these properties:
```yaml
COOKIE_DOMAIN: 'www.example.com'
CORS_ENABLED: 'false'
```In development setups, HTTP URLs can be used and certificate values left blank.
## OAuth Agent Development
See the [Setup](/doc/Setup.md) article for details on productive OAuth Agent development.\
This enables a test driven approach to developing the OAuth Agent, without the need for a browser.## End-to-End SPA Flow
Run the below code example to use the OAuth Agent in an end-to-end SPA flow:
- [SPA Code Example](https://github.com/curityio/spa-using-token-handler)
## Website Documentation
See the [Curity Token Handler Design Overview](https://curity.io/resources/learn/token-handler-overview/) for further token handler information.
## More Information
Please visit [curity.io](https://curity.io/) for more information about the Curity Identity Server.