
Auth

This service lets you authenticate users against an OIDC or CAS server.

Features

  • Handle OIDC and CAS servers in a single package
  • Integrate easily with Moleculer's ApiGateway
  • Handle local logout and remote logout

Dependencies

Install

$ npm install @semapps/auth --save

Generating JWT token

First generate a public/private key pair for the JWT tokens that the service will issue automatically. The private key signs the tokens; the public key is what verifies them.

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key -P ""
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub

Usage

const { AuthService } = require('@semapps/auth');
const path = require('path');

module.exports = {
  mixins: [AuthService],
  settings: {
    baseUrl: "http://localhost:3000",
    jwtPath: path.resolve(__dirname, '../jwt'),
    // To set if you want to use an OIDC server
    oidc: {
      issuer: "https://myissuer.com/auth/realms/master",
      clientId: "myClientId",
      clientSecret: "myClientSecret",
    },
    // To set if you want to use a CAS server
    cas: {
      url: "https://my-cas-server.com/cas",
    },
    // Return data for the creation of the webId profile (FOAF Person).
    // Available fields: email (required), name, familyName, nick, homepage
    selectProfileData: authData => ({
      email: authData.email,
      name: authData.given_name,
      familyName: authData.family_name
    })
  }
};

To protect the different routes, you will need to configure the authenticate and authorize methods of the ApiGatewayService to call AuthService's respective actions.

const { ApiGatewayService } = require('moleculer-web');

module.exports = {
  mixins: [ApiGatewayService],
  methods: {
    authenticate(ctx, route, req, res) {
      return ctx.call('auth.authenticate', { route, req, res });
    },
    authorize(ctx, route, req, res) {
      return ctx.call('auth.authorize', { route, req, res });
    }
  }
};

For more information, please see the official Moleculer documentation about authorization and authentication.

Do not declare the AuthService as a dependency of the ApiGatewayService: the ApiGatewayService is already a dependency of the AuthService, so doing so would create a circular dependency.

Client login

From the frontend, redirect the user to this URL:

http://localhost:3000/auth/?redirectUrl=...

After login, the user is redirected to the provided redirectUrl, with the JWT token appended to that URL as a token query parameter. You should store it and then remove it from the URL, like this:

const url = new URL(window.location);
if (url.searchParams.has('token')) {
  localStorage.setItem('token', url.searchParams.get('token'));
  url.searchParams.delete('token');
  window.location.href = url.toString();
}

Client logout

From the frontend, redirect the user to this URL:

http://localhost:3000/auth/logout?redirectUrl=...

If you also wish to log the user out remotely (on the SSO server), you can use:

http://localhost:3000/auth/logout?global=true&redirectUrl=...

Events

auth.registered

Sent when a new user registers.

Parameters

  Property      Type     Description
  webId         String   URI of the user
  profileData   Object   Data of the user's webId profile
  authData      Object   Data returned by the OIDC or CAS provider

auth.connected

Sent when a user connects.

Parameters

  Property      Type     Description
  webId         String   URI of the user
  profileData   Object   Data of the user's webId profile
  authData      Object   Data returned by the OIDC or CAS provider