Showcase: Node.js and App ID

This showcase covers securing a Node.js application with IBM App ID which is a facade for OpenID and OAuth.


Application security should not be underestimated. Especially if authentication and authorisation is required and an Identity Provider should be connected to the own application.

Fortunately, there are several clients and SDKs that support the integration. Additionally, there is a further abstraction layer with IBM App ID which simplifies the the use cases to manage authentication and authorisation. It provides the possibility to have an own user management or integrate an existing Identity Provider like Facebook, Google or even the own Enterprise Identity Provider (via SAML 2.0 Federation). In addition to that, SDKs for many programming languages are offered to make the integration as simple as possible.

This article focuses on the integration of IBM App ID in a Node.js application. Base is the existing SDK and sample.
The entire example and source code is available in GitHub:


For the integration we will use the App ID SDK for Node.js with the following main dependencies:

  • ibmcloud-appid
  • log4js
  • passport
  • express

The SDK supports the API and Web flow. We will use the latter. For this we need from App ID the following parameters

  • tenantId
  • clientId
  • secret
  • oauthServerUrl
  • redirectUrl

You receive the parameter after creating in App ID a new Service credential. Be aware to store the parameter especially tenantId, clientId and secret securely like in a Kubernetes Secret and it should be obviously not in your source code repository.

Implement at minimum the following three endpoints for login, logout and callback - which reflects the redirectUrl.

app.get(LOGIN_URL, passport.authenticate(WebAppStrategy.STRATEGY_NAME, {  
    successRedirect: LANDING_PAGE_URL, 
    forceLogin: true 

app.get(CALLBACK_URL, passport.authenticate(WebAppStrategy.STRATEGY_NAME));

app.get(LOGOUT_URL, function(req, res) { 

Consider to register the redirectUrl in App ID, otherwise the URL will be not trusted.

  • Select IBM App Id Service
  • Select Manage Authentication
  • Select the 2nd tab Authentication Settings
  • Add the web redirect URL.

You can test the application also locally and for this you have to add the local redirect URL too.

The App ID parameters will be retrieved from the environment variables. Create a runner script setting the env variables before starting the Node.js application

$ cat 

export OAUTH_URL="https://...." 
export CLIENT_SECRET="NW....." 
export CLIENT_ID="12312322-aaaa-bbbb-cccc-acavavav" 
export TENANT_ID="12312324-dddd-eeee-ffff-23123ace222" 
export REDIRECT_URL="" 

npm start 

$ ./

After successful login the user profile is available with attributes like user id (sub or id) or name (given_name and family_name). A detailed definition is in the management API to retrieve user profiles listed. See for an example the following snippet

 "id": "111c22c3-38ea-4de8-b5d4-338744d83b0f",
 "name": "John Doe",
 "email": "",
 "gender": "male",
 "identities": [
   "provider": "google",
   "id": "12341234123412341234",
   "idpUserInfo": {
     "id": "12341234123412341234",
     "email": "",
     "verified_email": true,
     "name": "John Doe",
     "given_name": "John",
     "family_name": "Doe",
     "link": "",
     "idpType": "google"


For deploying the application into a Kubernetes Cluster use the provided resource file. This generates the deployment and defines an ingress. Here still to mention is the injection of the environment variables from an existing Secret nodejs-sso-secret

    - secretRef:
        name: nodejs-sso-secret

Use the secret template to deploy the secret with your App ID parameters.


As you can see, the integration of OAuth/OpenID could be simple and with IBM App ID you can use an abstraction layer and be flexible in case you have to change the Identity Provider.

The entire show case is in GitHub and feel free to reach out in case of questions.






Migrate from Wordpress to Gatsby and Netlify


Einführung Apache Kafka mit Docker und Spring Boot