jrollin/express-openid-auth

Express with TypeScript and OpenID

Manage authentication against an OpenID Connect server.

Stack

Node + TypeScript + Express

Required

SSL certificate for HTTPS

Use the mkcert tool.

See the installation instructions on the mkcert GitHub page.

Move to the certificates directory:

cd certificates

Create a local Certificate Authority:

mkcert -install

Generate a signed certificate for the domain:

mkcert "auth.myproject.local"

Resolve your domain to the local machine by editing /etc/hosts:

127.0.0.1 auth.myproject.local

Define your own env file:

cp .env.template .env

Dependencies

Packages (installed globally or locally):

  • typescript
  • ts-node

Packages:

Conventions

  • tslint
  • prettier

Log

Testing

Keycloak

Launch the Keycloak server at http://localhost:8080:

docker-compose up

Admin credentials (defined in docker-compose.yml):

admin
Pa55w0rd

Config

  • realm: create a realm using OpenID Connect
  • client > settings: ensure Standard Flow and Direct Grant are enabled
  • roles: create the role 'user'
  • client scope: create the scope 'skills' (with consent disabled)
  • client > scopes: add 'skills' to the default scopes

Do not use the Implicit Flow (deprecated); use the Authorization Code Grant Flow with PKCE.

Video about PKCE flow

JSON Web Keys (JWKs) are published by the authorization server at this endpoint:

http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/certs
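Worked example of the "verify token (JWT, claims, perms)" step against a JWKS document shaped like the certs endpoint's response. This is an added example, not code from the repository: it uses only Node's crypto module, generates its own RSA key so it runs offline, and the issuing half (makeDemoIssuer, issueToken) merely stands in for Keycloak. The key id, the audience 'skills-api' and the claim layout (realm roles under realm_access.roles, granted scopes space-separated in scope, which is Keycloak's default shape) are assumptions of the demo.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "crypto";

// Subset of a JWKS entry as served by the certs endpoint.
interface Jwk { kty: string; n: string; e: string; kid: string; alg: string; use: string; }
interface Jwks { keys: Jwk[]; }

function b64url(data: Buffer): string {
  return data.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s: string): Buffer {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64");
}

// Constructed stand-in for the realm: one RSA signing key, published as a JWKS (public part only).
export function makeDemoIssuer(kid: string): { privateKey: KeyObject; jwks: Jwks } {
  const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const exported = publicKey.export({ format: "jwk" });
  const jwk: Jwk = { kty: String(exported.kty), n: String(exported.n), e: String(exported.e), kid, alg: "RS256", use: "sig" };
  return { privateKey, jwks: { keys: [jwk] } };
}

// Constructed issuer side: RS256-signed compact JWT carrying `kid` in the header.
export function issueToken(privateKey: KeyObject, kid: string, claims: Record<string, unknown>): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT", kid }), "utf8"));
  const payload = b64url(Buffer.from(JSON.stringify(claims), "utf8"));
  const signingInput = `${header}.${payload}`;
  const signature = sign("sha256", Buffer.from(signingInput, "ascii"), privateKey); // RSASSA-PKCS1-v1_5 = RS256
  return `${signingInput}.${b64url(signature)}`;
}

export interface Expected { issuer: string; audience: string; role: string; scope: string; }

// Resource-server side: signature against the JWKS key named by `kid`, then the standard claims,
// then the permissions the README configures (role 'user', scope 'skills'). Throws on any failure.
export function verifyAccessToken(token: string, jwks: Jwks, expected: Expected,
                                  nowSeconds: number = Math.floor(Date.now() / 1000)): Record<string, any> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
  // Pin the algorithm on the verifier side; the token must not get to choose it.
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.use === "sig");
  if (!jwk) throw new Error("unknown kid");
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  const ok = verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`, "ascii"), key, b64urlDecode(parts[2]));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(b64urlDecode(parts[1]).toString("utf8"));
  if (claims.iss !== expected.issuer) throw new Error("wrong issuer");
  const aud: string[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) throw new Error("token not meant for this API");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
  const roles: string[] = claims.realm_access?.roles ?? [];          // Keycloak realm roles (assumed layout)
  if (!roles.includes(expected.role)) throw new Error(`missing role ${expected.role}`);
  const scopes = String(claims.scope ?? "").split(" ");              // granted scopes, space separated
  if (!scopes.includes(expected.scope)) throw new Error(`missing scope ${expected.scope}`);
  return claims;
}
```

In the real application the JWKS comes from the certs URL above (fetch it once, cache it, and re-fetch on an unknown kid so key rotation works); the verification logic is unchanged.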

Authorization Code Grant Flow with PKCE

Reference: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce

  • create code verifier
  • create code challenge from verifier
  • Get the User's Authorization with code challenge
  • Exchange the Authorization Code for an Access Token
  • Call the API with Bearer :)
  • verify token (JWT, claims, perms)

Notes:

  • store the code verifier together with the state in a cookie
  • use the cookie-parser middleware to retrieve the cookie on the callback
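The steps above in TypeScript, as an added example that is not code from the repository: verifier and S256 challenge per RFC 7636, the authorization request, the cookie that carries verifier and state between the two legs, and the state check before the code is exchanged. Only Node's crypto module is used; the cookie name 'pkce', the client id, the redirect URI and the Keycloak endpoint path (/protocol/openid-connect/auth under the realm URL) are assumptions.

```typescript
import { createHash, randomBytes } from "crypto";

// RFC 7636 base64url: URL-safe alphabet, no padding.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Step 1: code_verifier. 32 random bytes encode to 43 characters, the RFC 7636 minimum (max 128).
export function createCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// Step 2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256".
export function createCodeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier).digest());
}

// One login attempt: a fresh random `state` (echoed back on the callback) and its verifier.
export interface PkceSession { state: string; verifier: string; }

export function createPkceSession(): PkceSession {
  return { state: base64url(randomBytes(16)), verifier: createCodeVerifier() };
}

// Step 3: authorization request. `issuer` is the realm URL from the README; the path is the assumed Keycloak layout.
export function buildAuthorizationUrl(issuer: string, clientId: string, redirectUri: string,
                                      session: PkceSession, scope = "openid skills"): string {
  const params = new URLSearchParams({
    response_type: "code",                // authorization code grant, never "token" (implicit flow)
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state: session.state,
    code_challenge: createCodeChallenge(session.verifier),
    code_challenge_method: "S256",
  });
  return `${issuer}/protocol/openid-connect/auth?${params.toString()}`;
}

// Cookie carrying the session across the redirect. HttpOnly keeps it from scripts, Secure ties it to HTTPS,
// SameSite=Lax still sends it on the top-level redirect back from the IdP, Max-Age bounds a half-finished login.
export function serializePkceCookie(session: PkceSession): string {
  const value = base64url(Buffer.from(JSON.stringify(session), "utf8"));
  return `pkce=${value}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=300`;
}

// Inverse of the above; cookie-parser hands the raw value (req.cookies.pkce) to this.
export function parsePkceCookie(value: string): PkceSession {
  const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (value.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8")) as PkceSession;
}

// Step 4: on the callback, `state` from the query must match the cookie before the code is exchanged;
// otherwise the code may come from another session (login CSRF). Returns the token request form body.
export function tokenRequestBody(cookieValue: string, query: { code?: string; state?: string },
                                 clientId: string, redirectUri: string): URLSearchParams {
  const session = parsePkceCookie(cookieValue);
  if (!query.code || !query.state || query.state !== session.state) {
    throw new Error("state mismatch or missing code: discard this callback");
  }
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    redirect_uri: redirectUri,
    code: query.code,
    code_verifier: session.verifier,      // the server recomputes S256 and compares with the stored challenge
  });
}
```

The body returned by tokenRequestBody is POSTed to the realm's token endpoint; the access token in the response is then sent to the API as `Authorization: Bearer <token>` (step 5), and the cookie should be cleared once the exchange has succeeded.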
