@oslokommune/auth-bff 2.0.0-beta4 → 2.0.0-beta5
- package/README.md +28 -15
- package/dist/package.json +1 -1
- package/dist/src/config.d.ts +5 -1
- package/dist/src/config.d.ts.map +1 -1
- package/dist/src/config.js +2 -1
- package/dist/src/middleware/OidcMiddleware.js +1 -1
- package/package.json +1 -1
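--- a/package/README.md
+++ b/package/README.md
@@ -65,6 +65,7 @@ auth-bff
 When running in docker you should specify the version to use, and make sure it matches the one used in package.json.
 
 Example dockerfile:
+
 ```dockerfile
 FROM node:23-alpine AS base
 
@@ -85,7 +86,8 @@ COPY bff.config.json /application/
 CMD ["auth-bff"]
 ```
 
-To use different configuration for different environments, you can create separate config files for each and select it
+To use different configuration for different environments, you can create separate config files for each and select it
+at build time (using build args).
 For example, with `bff.config.dev.json` and `bff.config.prod.json`:
 
 ```dockerfile
@@ -94,14 +96,13 @@ COPY bff.config.${ENVIRONMENT}.json /application/bff.config.json
 CMD ["auth-bff"]
 ```
 
-Or select it at runtime, using an env var:
+Or select it at runtime, using an env var:
 
 ```dockerfile
 COPY bff.config*.json /application/
 CMD exec auth-bff --configFile bff.config.${ENVIRONMENT}.json
 ```
 
-
 ## Configuration
 
 Configuration is defined in json-files that look like this:
@@ -160,7 +161,7 @@ AWS Parameter store:
 This loads from the configured AWS environment. For this to work on your local machine the `AWS_PROFILE` environment
 variable must be set, and you must be signed in to that profile
 
-ℹ️ [See `config.ts` for a description of all config parameters](src/config.ts)
+ℹ️ [See `config.ts` for a description of all config parameters](src/config.ts)
 
 ## Using with ID-porten (via `okdata`):
 
@@ -204,6 +205,10 @@ A new key has been created and the following parameters have been written to SSM
 }
 ```
 
+Note that when using `okDataIdPortenKeyName`, that key is used for authentication, and `clientSecret` is not used.
+Also, since the key is fetched from Parameter Store, you must set AWS_PROFILE and be signed in to that profile when
+running locally.
+
 3. Done!
 
 ## Configuring session storage
@@ -216,7 +221,8 @@ sessions during front-channel logout)
 > If the table does not exist, it will be automatically created with settings not appropriate for production.
 
 
-Here is an example configuration in terraform
+Here is an example configuration in terraform. If you are using (https://km.oslo.systems/)[Golden Path],
+you can simply copy this to a file in your application stack, and run `terraform apply`
 
 ```terraform
 resource "aws_dynamodb_table" "session_dynamodb_table" {
@@ -287,8 +293,8 @@ dynamodb:UpdateItem
 
 ## React component
 
-This package also includes a React component for handling authentication state. It will redirect to login if required
-and optionally automatically poll for changes to authentication state.
+This package also includes a React component for handling authentication state. It will redirect to login if required
+and optionally automatically poll for changes to authentication state.
 
 ### AuthContextProvider
 
@@ -297,28 +303,28 @@ import {AuthContextProvider} from "@oslokommune/auth-bff/react";
 import {PktLoader} from "@oslokommune/punkt-react";
 
 const fiveMinutes = 5 * 60 * 1000;
-
+
 <AuthContextProvider authRequired={true} loaderComponent={<PktLoader/>} pollInterval={fiveMinues}>
 <App/>
 </AuthContextProvider>
 ```
 
-| Option
-
-| authRequired
+| Option | Description |
+|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| authRequired | Whether authentication is required. If true, will redirect to login before rendering child components (default: true) |
 | loaderComponent | React component to display while loading auth state. (default: null) |
-| baseUrl
-| pollInterval
-
+| baseUrl | Must be set to the same baseUrl as in the json config for login/logout to work correctly (default: '') |
+| pollInterval | Minimum interval in milliseconds between checks if session is still active. Will set authState to 'expired' if session is expired (default: disabled) |
 
 ### useAuthContext
 
 Hook to get current AuthState. Must be called in a component inside the AuthContextProvider.
+
 ```tsx
 import {useAuthContext} from "@oslokommune/auth-bff/react";
 
 const {user, authState, login} = useAuthContext()
-if(authState === 'authenticated') {
+if (authState === 'authenticated') {
 console.log(`Hello, ${user.pid}`)
 } else {
 login()
@@ -334,6 +340,7 @@ if(authState === 'authenticated') {
 | authState | Current auth state. See table below for values | | |
 
 #### AuthState
+
 | Value | Description |
 |-----------------|------------------------------------------------------------------------------------------------------------------|
 | pending | Initial value before auth state has been determined |
@@ -342,3 +349,9 @@ if(authState === 'authenticated') {
 | expired | User was authenticated, but the session has expired. Can be used to display message to user or redirect to login | | |
 | error | Failed to determine auth state | | |
 
+## Content Security Policy
+
+To configure the content security policy returned by the server, use the `contentSecurityPolicy` config option. This
+configuration is passed almost as-is to (helmet)[https://github.com/helmetjs/helmet]. Since our configuration is json
+only, not all features are supported. To set a nonce, use the special form `"{nonce}"` instead. It will be replaced by a
+generated nonce for each request.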
package/dist/package.json
CHANGED
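--- a/package/dist/src/config.d.ts
+++ b/package/dist/src/config.d.ts
@@ -28,6 +28,10 @@ export type BffConfig = {
 * The ID of the client
 */
 clientId: string;
+/**
+* Sets the scope parameter. Values are case-sensitive. Multiple values must be sepratated by space. Default: `openid profile`
+*/
+scope: string;
 /**
 * The client secret. Not used if `okDataIdPortenKeyName` is set.
 */
@@ -76,7 +80,7 @@ export type BffConfig = {
 */
 okDataIdPortenKeyName: string;
 /**
-* Secret used to sign sessions
+* Secret used to sign sessions. This can be any string, but should have at least 32 bytes of entropy in production.
 */
 sessionSecret: string;
 /**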
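--- a/package/dist/src/config.d.ts.map
+++ b/package/dist/src/config.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;CACjF,CAAA;
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;CACjF,CAAA;AAWD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAID,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAqB,sBAyBtF"}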
package/dist/src/config.js
CHANGED
@@ -60,7 +60,7 @@ export class OidcMiddleware {
60
60
const stateKey = openIdClient.randomState();
61
61
const redirectUrl = req.query.redirectUrl; //TODO: håndtering av andre typer her?
62
62
const params = new URLSearchParams();
63
-
params.append('scope',
63
+
params.append('scope', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").scope);
64
64
params.append('code_challenge', codeChallenge);
65
65
params.append('code_challenge_method', 'S256');
66
66
params.append('redirect_uri', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").redirectUri);
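Review bot: The new line 63 appends `#bffConfig.scope` to the authorization request with no fallback, while the `config.d.ts` hunk on this page declares `scope: string` as required and only documents the `openid profile` default in a comment; if the loader does not actually fill that default, a beta4-era config file without a `scope` key produces `scope=undefined` on the wire and the `openid` scope is lost, so the login silently stops being an OIDC flow. The `config.js` change (+2 -1 in the diffstat) is not shown here, so this may already be handled, but a guard in the middleware is cheap: `params.append('scope', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").scope ?? 'openid profile');`. It is also worth rejecting a configured `scope` that omits `openid` at config-load time, since the ID token the session is built from is only issued for that scope. Note the section is labelled `package/dist/src/config.js`, but the hunk context `export class OidcMiddleware {` and the `OidcMiddleware.js +1 -1` diffstat entry suggest the hunk is from `package/dist/src/middleware/OidcMiddleware.js`; the method containing line 63 starts and ends outside the hunk.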