使用第三方OpenID Connect保护环回

时间:2016-04-03 14:27:58

标签: javascript node.js loopbackjs openid-connect keycloak

我试图使用我的第三方OpenID Connect服务(Keycloak)来保护我的LoopBack(环回)服务,但它似乎并没有验证携带 access token 的请求。

我的server.js:

    var loopback = require('loopback');
var boot = require('loopback-boot');

// The LoopBack application instance. It is also this module's export so that
// boot scripts and other modules can `require('./server')` and get the app.
var app = loopback();
module.exports = app;

// Passport glue for LoopBack: the configurator registers the passport
// strategies described in providers.json against this app (see below).
var passportConfigurator = new (require('loopback-component-passport').PassportConfigurator)(app);

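/**
 * Pass-through route handler: hands the request to the next handler in the
 * chain without touching it.
 *
 * The original declared only (req, res) and then called `next`, which is not
 * in scope there, so every request routed through this handler raised a
 * ReferenceError instead of continuing. Express passes `next` as the third
 * argument, so it must be declared as a parameter.
 *
 * @param {object} req - Express request (unused)
 * @param {object} res - Express response (unused)
 * @param {Function} next - called to continue the middleware/route chain
 * @returns {undefined}
 */
var cont = function (req, res, next) {
    next();
};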

/**
 * Flash messages for passport
 *
 * Setting the failureFlash option to true instructs Passport to flash an
 * error message using the message given by the strategy's verify callback,
 * if any. This is often the best approach, because the verify callback
 * can make the most accurate determination of why authentication failed.
 */
var flash = require('express-flash');

// attempt to build the providers/passport config
/**
 * Load the passport provider definitions (one entry per strategy) from
 * providers.json in the project root.
 *
 * Without this file no login strategy can be configured, so a missing or
 * unparsable file is fatal: the error is traced and the process exits with
 * status 1. Note that providers.json carries `clientSecret` values, so it
 * should be kept out of version control and readable only by the service
 * account that runs the server.
 *
 * @returns {object} the parsed provider configuration
 */
function loadProviders() {
    try {
        return require('../providers.json');
    } catch (loadErr) {
        console.trace(loadErr);
        process.exit(1); // fatal
    }
}

var config = loadProviders();

// -- Add your pre-processing middleware here --

// Run the boot scripts: they define models/datasources and mount components
// such as the REST API.
boot(app, __dirname);

// Token middleware. It can only be registered after boot because the
// AccessToken model it is given (app.models.accessToken) does not exist
// before then.
//
// NOTE(review): as configured, this middleware resolves tokens against
// LoopBack's *own* AccessToken model, i.e. tokens LoopBack itself issued.
// A token minted by an external OpenID Connect provider (Keycloak) is
// presumably not found in that model and the request is then treated as
// anonymous — validating third-party tokens needs a separate step (e.g.
// verifying the JWT / calling the provider's introspection endpoint).
var tokenOptions = { model: app.models.accessToken };
app.middleware('auth', loopback.token(tokenOptions));

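// Secrets for cookie signing and for the session cookie. The original
// hard-coded the session secret as the literal 'kitty': a secret that sits
// in source control and is identical on every deployment lets anyone who
// has seen the code forge session cookies. Read the secrets from the
// environment or from LoopBack config (server/config.json) instead, and
// refuse to start without one — a silent insecure default is worse than a
// startup failure.
var cookieSecret = process.env.COOKIE_SECRET || app.get('cookieSecret');
var sessionSecret = process.env.SESSION_SECRET || app.get('sessionSecret') || cookieSecret;
if (!sessionSecret) {
    throw new Error('No session secret configured: set SESSION_SECRET ' +
        '(or sessionSecret / cookieSecret in server/config.json)');
}

app.middleware('session:before', loopback.cookieParser(cookieSecret));
app.middleware('session', loopback.session({
    secret: sessionSecret,
    // NOTE(review): saveUninitialized/resave are kept as in the upstream
    // example. express-session recommends `false` for both so that an
    // anonymous request does not create (and Set-Cookie) a session; confirm
    // the passport login / returnTo flow still works before changing them.
    saveUninitialized: true,
    resave: true
}));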
// Install passport's initialize/session middleware on the app.
passportConfigurator.init();

// Flash messages carry passport's failure reasons (failureFlash in
// providers.json) to the next request.
app.use(flash());

// Tell the configurator which LoopBack models back the passport user,
// identity and credential records.
passportConfigurator.setupModels({
    userModel: app.models.user,
    userIdentityModel: app.models.userIdentity,
    userCredentialModel: app.models.userCredential
});

// Register one passport strategy per providers.json entry. The `session`
// flag defaults to true; only an explicit `"session": false` turns it off.
Object.keys(config).forEach(function (providerName) {
    var providerOptions = config[providerName];
    providerOptions.session = providerOptions.session !== false;
    passportConfigurator.configureProvider(providerName, providerOptions);
});
var ensureLoggedIn = require('connect-ensure-login').ensureLoggedIn;

/**
 * Start the HTTP server on the configured host/port, emit 'started' and log
 * the base URL (plus the explorer URL when loopback-component-explorer is
 * configured).
 *
 * @returns {http.Server} the listening server returned by app.listen()
 */
app.start = function () {
    var server = app.listen(function () {
        app.emit('started');
        var baseUrl = app.get('url').replace(/\/$/, '');
        console.log('Web server listening at: %s', baseUrl);
        var explorer = app.get('loopback-component-explorer');
        if (explorer) {
            console.log('Browse your REST API at %s%s', baseUrl, explorer.mountPath);
        }
    });
    return server;
};

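// Start the server when run directly (`node server.js`).
//
// boot() has already been invoked once above, synchronously, before the
// token middleware was registered (that middleware needs the models boot
// creates). The original called boot() a second time here with a callback,
// which re-runs every boot script and re-mounts the REST API / components
// on the same app; boot must run exactly once per app instance. If you need
// asynchronous boot scripts, keep a single boot(app, __dirname, cb) call and
// register the post-boot middleware inside its callback instead.
if (require.main === module) {
    app.start();
}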

providers.json(server.js 中通过 `require('../providers.json')` 加载):

{
  "oAuth2": {
    "provider": "keycloak",
    "module": "passport-openidconnect",
    "authorizationURL": "https://xxx",
    "tokenURL": "https://xxxx",
    "clientID": "xxx",
    "clientSecret": "-",
    "failureFlash": true
    }
}

我一直试图效仿这个例子:

https://github.com/strongloop/loopback-example-passport

但这并没有解释如何连接到OpenID Connect服务并保护我的API。

我也尝试过针对特定的API:

// Per-route guard: ensureLoggedIn('/login') presumably redirects a request
// that has no passport login session to /login, and `cont` (defined in
// server.js) is meant to just pass the request on. NOTE(review): this only
// protects this one path, and only for session-based (browser) logins — it
// does not validate a bearer access token; confirm the route is registered
// ahead of the REST router, otherwise it is never reached.
app.get('/api/Clients',  ensureLoggedIn('/login'), cont);

我想锁定全部 API,并检查每个请求是否携带有效令牌,该令牌应由我的第三方身份验证服务(Keycloak)来验证。

提前致谢!
