@leisurelink/auth-context

auth-context

LeisureLink client-side authentication & authorization context for node.

Background

auth-context is one of many security tools in use by the LeisureLink service ecosystem to ensure that security-principals (users and systems) are authorized to perform the actions they request.

In order to ensure the LeisureLink systems remain loosely coupled, yet maintain a high-level of security, each operation is performed within the context of an auth-token; in most cases this means that an auth-token is conveyed with each request, such as in an HTTP Authorization header. This enables each service to authenticate the caller, as well as trust identity-claims encoded within the auth-token.

In the present version, we utilize JSON Web Token (JWT) to encode our auth-token. It is fair to say that our auth-token is-a JWT.

This module embodies the client-side utilities we've built over the auth-token that enable us to perform access control and role-based security during the system's operation.

Environmental Configuration

> AUTH_ACCEPT_JWT_ISSUER=LeisureLink-authentic \
      AUTH_ACCEPT_JWT_AUDIENCE=vrHub \
      AUTH_ACCEPT_JWT_ISSUER_KEY_FILE=authentic-key.pub \
      node app.js

Types

These are types defined in this repository.

• AuthScope - an authorization scope; provides the ability to decode and verify auth-tokens for a specified issuer and audience.
• AuthContext - an authorization context; the result of decoding an auth-token, enables interrogation of a principal's claims as well as authoriztion challenges.

Dependent Types

These are types that types in this repository may use

• crProvider (Claim Resolution Provider) - A object (or library) which exposes methods for resolving local and remote claims. A object must minimally expose two methods to be considered a crProvider:

  • crProvider#getSpecResolver(lang, authenticClient) - getSpecResolver must return a function implementing function (csid, callback) where csid is a Claimset Id
  • crProvider#getClaimResolver(lang, authenticClient) - getClaimResolver must return a function implementing function (clid, systemId, callback) where clid is a Claim Id and SystemId is an identifier for a principal.

More information about the nature of the requirements placed on the returned functions can be found here.

Both of the Claim Resolutoin Provider functions accept a lang, e.g. en_US, and an instatiated AuthenticClient object.