Showcase: Node.js and App ID

This showcase covers securing a Node.js application with IBM App ID, which acts as a facade over OpenID Connect and OAuth.

Overview

Application security should not be underestimated, especially when authentication and authorisation are required and an Identity Provider has to be connected to your own application.

Fortunately, there are several clients and SDKs that support the integration. On top of that, IBM App ID adds a further abstraction layer which simplifies the use cases around managing authentication and authorisation. It offers its own user management or integrates an existing Identity Provider such as Facebook, Google or even your own enterprise Identity Provider (via SAML 2.0 federation). In addition, SDKs for many programming languages are offered to make the integration as simple as possible.

This article focuses on the integration of IBM App ID in a Node.js application. It is based on the existing SDK and sample.
The entire example and source code is available in GitHub: https://github.com/haf-tech/nodejs-sso

Action

For the integration we will use the App ID SDK for Node.js with the following main dependencies:

  • ibmcloud-appid
  • log4js
  • passport
  • express

The SDK supports the API flow and the Web flow. We will use the latter. For this we need the following parameters from App ID:

  • tenantId
  • clientId
  • secret
  • oauthServerUrl
  • redirectUrl

You receive these parameters after creating a new Service credential in App ID. Store them securely, especially tenantId, clientId and secret, for example in a Kubernetes Secret; they obviously do not belong in your source code repository.

Implement at minimum the following three endpoints for login, logout and callback; the callback endpoint corresponds to the redirectUrl.

const passport = require('passport');
const { WebAppStrategy } = require('ibmcloud-appid');

// Login: starts the App ID web flow; forceLogin requires the user to
// authenticate again even if an App ID session already exists
app.get(LOGIN_URL, passport.authenticate(WebAppStrategy.STRATEGY_NAME, {
    successRedirect: LANDING_PAGE_URL,
    forceLogin: true
}));

// Callback (the redirectUrl): App ID redirects here after authentication and
// the strategy exchanges the authorization code for tokens
app.get(CALLBACK_URL, passport.authenticate(WebAppStrategy.STRATEGY_NAME));

// Logout: removes the App ID session data and returns to the landing page
app.get(LOGOUT_URL, function(req, res) {
    WebAppStrategy.logout(req);
    res.redirect(LANDING_PAGE_URL);
});

Remember to register the redirectUrl in App ID; otherwise the URL will not be trusted.

  • Select the IBM App ID service
  • Select Manage Authentication
  • Select the second tab, Authentication Settings
  • Add the web redirect URL.

You can also test the application locally; for this you have to add the local redirect URL as well.

The App ID parameters are read from environment variables. Create a runner script that sets the environment variables before starting the Node.js application:

$ cat run.sh 
#!/bin/sh 

export OAUTH_URL="https://...." 
export CLIENT_SECRET="NW....." 
export CLIENT_ID="12312322-aaaa-bbbb-cccc-acavavav" 
export TENANT_ID="12312324-dddd-eeee-ffff-23123ace222" 
export REDIRECT_URL="http://127.0.0.1:5000" 

npm start 

$ ./run.sh

After a successful login the user profile is available with attributes such as the user id (sub or id) or the name (given_name and family_name). The detailed definition is listed in the management API for retrieving user profiles. See the following snippet for an example:

{
 "id": "111c22c3-38ea-4de8-b5d4-338744d83b0f",
 "name": "John Doe",
 "email": "johndoe@gmail.com",
 "gender": "male",
 "identities": [
  {
   "provider": "google",
   "id": "12341234123412341234",
   "idpUserInfo": {
     "id": "12341234123412341234",
     "email": "johndoe@gmail.com",
     "verified_email": true,
     "name": "John Doe",
     "given_name": "John",
     "family_name": "Doe",
     "link": "https://plus.google.com/12341234123412341234",
     "idpType": "google"
    }
   }
 ]
}

Deployment

To deploy the application into a Kubernetes cluster, use the provided resource file. It creates the deployment and defines an ingress. Worth mentioning here is the injection of the environment variables from an existing Secret, nodejs-sso-secret:

  envFrom:
    - secretRef:
        name: nodejs-sso-secret

Use the secret template to deploy the secret with your App ID parameters.

Summary

As you can see, integrating OAuth/OpenID can be simple, and with IBM App ID you gain an abstraction layer that keeps you flexible in case you have to change the Identity Provider.

The entire showcase is in GitHub; feel free to reach out in case of questions.
