Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
restify middleware to enable OpenID Connect claims based authentication against an oidc provider (tested against Okta Preview).
This project basically came about as I wanted to make use of Json Web Tokens in a microservers architecture to pass around claims related to identity without constantly querying the OAuth server.
The purpose here is to prove to the microservices who you are, not what you can do. Subsequently; you'll need to think about AuthZ, and your implementation is going to be highly dependent on your architecture (each service might have it's own AuthZ? You might not need AuthZ because everyone can do everything if they're authenticated?).
Remember the JWT is just a signed set of claims, by one server, that another server trusts. For example:
"Hi Application Server, I want to access your resources and my username is bob, here is proof i am bob from Okta in the form of a JWT that's signed by Oktas private key"
Your user is visiting a web page which aggregates information from multiple other microservices, each of those microservices however needs to know that you're authenticated, and who you are in order to provide the information back to you.
The sequence looks like this:
Note: Security Consideration: If a JWT is going to leave your network; it would be good practice to dereference it first. For example; if NGINX was in front of all of these services, it could handle the referencing of an incoming arbitary token to a JWT, which is then passed to the upstream.
Here is an example of the above flow using restify
let restify = require('restify');
let oidc = require('oidc');
let server = restify.createServer({
name: 'Your super awesome application server',
version: '0.1.0'
});
server.use(restify.acceptParser(server.acceptable));
server.use(restify.queryParser());
server.use(restify.bodyParser());
let auth = new oidc.Auth({
oidcServer: 'https://youraccount.oktapreview.com',
clientId: 'clientid-here',
clientSecret: 'clientsecret-here',
callbackURL: 'http://127.0.0.1:9000/auth/okta/callback'
});
let middleware = new oidc.middleware.Restify(auth);
// Visiting this url, will redirect you to Okta for OAuth autentication
server.get(
'/auth/okta',
middleware.auth({
redirectToOidc: true
})
);
// This URL is called back from Okta
server.get(
'/auth/okta/callback',
middleware.auth(),
(req, res, next) => {
// Once we have a valid jwt; redirect to the profile page using it
res.redirect('/profile?id_token=' + req.user.jwt.raw, next);
}
);
// Protected resource expects the jwt to prove who they are to be passed
// in the query string as id_token=jwthash, not passing jwt here results
// in a 401
server.get(
'/profile',
middleware.auth(),
(req, res) => {
res.send(req.user);
}
);
server.listen(9000);
To use express, just switch the middleware to 'middleware.Express', and if you want to use cookies to persist the session, add:
let cookieParser = require('cookie-parser');
app.use(cookieParser);
FAQs
Middleware for a bunch of common web servers to handle OIDC authentication.
The npm package oidc receives a total of 10 weekly downloads. As such, oidc popularity was classified as not popular.
We found that oidc demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.