Node.js SDK for Baikal
Provides an authentication SDK for the 4th Platform.
Installation
npm i @telefonica/baikal-sdkUsage
Create a client
const OpenIDClient = require('@telefonica/baikal-sdk').OpenIDClient;
const client = new OpenIDClient({
authserverEndpoint: 'http://auth.xxx.baikalplatform.com',
clientId: 'your_oauth_client_id',
clientSecret: 'your_oauth_client_secret',
// For using grantUser method (jwt-bearer grant type)
clientKeys: [{ key: 'stringWithTheKey', format: 'pem' }], // optional
issuer: 'http://yourserver.com/', // your jwt issuer id
privateCertsPath: '/path/to/certs/directory', // directory to read certificates/private keys.
});Get an access_token for a user using authorization_code
This flow involves 2 steps. Refer to the ./examples/authcode.js
for a complete usage example.
// 1st step, triggered by a user login attempt: get a redirect url and a web session ready to be saved and serialized
// It's recommened that you save the session in a `secure` `httpOnly` cookie
const { url, session } = await client.authorize({
redirect_uri: 'http://your-public-host.com/callback',
scopes: ['list', 'of', 'scopes'], // optional
purposes: ['list', 'of', 'purposes'], // optional
state: 'random-string-for-each-request-with-some-context-for-you', // optional
});
// 2nd step: callback tiggered by a browser redirect launched by the authorization server.
// pass the session you saved in the earlier step an
const { access_token } = await client.grantCode(
req.query,
session,
);Get an access_token for a user using jwt-bearer
const { access_token } = await client.grantUser({
sub: 'userSUB',
scopes: ['list', 'of', 'scopes'],
purposes: ['list', 'of', 'purposes'],
authorization_id: '46921050-e97c-418b-928c-4158256be92c', //optional
});Get a client_credentials access_token
const { access_token } = await client.grantClient({
scopes: ['list', 'of', 'scopes'], // optional
purposes: ['list', 'of', 'purposes'] //optional
});Introspect an access_token
const introspection = await client.introspect({
token: 'the_access_token_you_want_to_introspect',
token_type_hint: 'Bearer', // optional
});Expose your public keys in a server route to use with a jwt-bearer
If you have configured your issuer in the authserver to read from an endpoint, you should expose your public keys in an accessible route.
// Using express as server
const OpenIDClient = require('@telefonica/baikal-sdk').OpenIDClient;
const express = require('express');
const app = express();
const client = new OpenIDClient();
app.use('/jwk', async (req, res, next) => res.json(await client.getKeyStore()));
app.listen(3000);Configuration
The OpenIDClient configuration will be read from environment if ommited
export BAIKAL_AUTHSERVER_ENDPOINT='http://auth.xxx.baikalplatform.com'
export BAIKAL_CLIENT_ID='your_oauth_client_id'
export BAIKAL_CLIENT_SECRET='your_oauth_client_secret'
export BAIKAL_ISSUER='http://yourserver.com/'
export BAIKAL_PRIVATE_CERTS_PATH='/path/to/certs/directory'Supported certs format are (should match the file extension):
- json: JSON stringified JWK
- private: DER encoded 'raw' private key
- pkcs8: DER encoded (unencrypted!) PKCS8 private key
- public: DER encoded SPKI public key (alternate to 'spki')
- spki: DER encoded SPKI public key
- pkix: DER encoded PKIX X.509 certificate
- x509: DER encoded PKIX X.509 certificate
- pem: PEM encoded of PKCS8 / SPKI / PKIX
Grant public methods accept a request config as the last argument, to allow specifying headers and timeout per-request
const { access_token } = await client.grantClient({scopes: [], purposes: []}, {
headers: {
'X-Correlator': '1234-5678-9012-3456-7890'
},
timeout: 3000,
});Use a keep-alive agent
const { OpenIDClient, httpClient } = require('@telefonica/baikal-sdk');
const https = require('https');
const httpsAgent = new https.Agent({ keepAlive: true });
httpClient.defaults.httpsAgent = httpsAgent;Debug sdk requests
We use debug package to debug our requests under the key baikal-sdk
DEBUG=baikal-sdk node your_service.jsLICENSE
Copyright 2019 Telefónica
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.