| Statements | Branches | Functions |
|---|---|---|
 |
 |
 |
Version 1.1.2
Cryptr Authentication Strategy for Passport.js.
Use it in your Node/Express/Nest project when you are using PassportJs to authorize actions or access specific controller routes
Based on passport-strategy@1.x.x and passport@^0.6.0
You have two choices :
- Use Environnment variables:
# .env
CRYPTR_AUDIENCES=YOUR_FRONT_CLIENT_URLS
CRYPTR_CLIENT_IDS=YOUR_FRONT_CLIENT_IDS
CRYPTR_TENANTS=YOUR_TENANT_DOMAINS
CRYPTR_BASE_URL=ISSUER_FOR_YOUR_DOMAIN
CRYPTR_TEST_MODE=false- Use config struct
Your config should follow this interface
{
audiences: string[],
tenants: string[],
client_ids: string[],
base_url: string
}example:
const CRYPTR_DEV_CONFIG = {
"audiences": ["http://127.0.0.1:3000"],
"client_ids": ["8363b1b4-68bb-4257-9e45-5513aecc1703"],
"tenants": ["my-domain"],
"base_url": "https://my-domain.authent.me"
}For now, opts follow this struct
opts?: {
test: boolean
}opts value for test will be
- prior to
CRYPTR_TEST_MODEenv value - or result of
NODE_ENV === 'development'if prior not succeed
Major change to this version is that this new one requires client_ids in configuration
Structure
interface Claims {
aud: string
cid: string
exp: number
iat: number
ips string // "cryptr" or provider (ex: azure_ad)
iss: string
jti: string
jtt: string
resource_owner_metadata: any
sci: string | null // SSO Connection ID
scp: Array<string>
sub: string
tnt: string
version: number
}
interface CryptrStrategyResult {
valid: boolean
claims?: Claims
errors?: string
}-
valid-> is the token provided is validated from our service -
claimsall data that we can provide to you about the claims of the token -
errors-> Inform you about what makes it not valid (mainlyNo Compliant claims)
The purpose of the result is there to help you authorize or not the end-user to access or do something. If all your tests are successfull -> authorize If not you should throw an unauthorized error
No need really to expand how but if you don not need extra data from claims you can basically check for success:
let success = res.valid && res.claims !== undefined && res.errors === undefinedThis section explain how to manage claims in aim to authorize your end-user action
Main properties to check:
resource_owner_metadatascptntexpversionips
-
resource_owner_metadatathis property reflects metadata you register in Cryptr DB about your end-user properties. This is an object or a null value
your_user_id related to the ID of the end user in your DB
section related to your website section where to redirect end-user
page-preferences related to page settings end-user chose
-
scpis the current allowed scope for this token.
the value is one of defined in your applciation allowed_scopes
['limited'] that means you should constrain end-user to limited actions/access . This value occurs mainly when token came from a refresh token rotation.
-
tntshould ALWAYS be your cryptr tenant domain -
expis a timestamp and represent when this token expires, If it's in the past it should be not valid -
versionIs now1but may increment in future update of this strategy -
ipsRepresentcryptrif you are in magic link process, even it's the SSO provider ex:azure_ad -
sciOnly set if you are on SSO process, representing the ID of the connection SSO used ex:shark_academy_Bew14hd05jd
Some changes where applied to JWT structure. Here are some of them
sciipsapplication_metadata
-
tntis noworg -
dbsis nowenv -
resource_owner_metais nowmeta_databulb see New claims
-
The first one is
identitiesthat retrieve all information on any connection used by the end-user for his authentications. Quick sneak of `identities`` item skeleton-
idp_idconnection ID -
authenticated_atunix timestamp of connection -
providerused provider to connect -
dataany data from the connection (ex: all SSO attributes if it's SSO)
-
-
dp_user_idis present if Cryptr retrieve the ID from the connection provider -
profileis now the drawer where you can retrieve any known user properties such asfamily_name,given_name...