micro-jwt-jwks-rsa-auth — JWT authorization wrapper for Micro
Usage
An Authorization
header with value Bearer MY_TOKEN_HERE
is expected to be present in all requests. The decoded token will be available as req.jwt
after successful authentication for other handlers.
If the token is missing or validation fails, an Error
will be thrown with the statusCode
property set to 401. This is handled automatically by the micro framework, or can be intercepted with error handlers such as micro-boom.
The wrapper can be configured to validate against either a fixed secret or dynamically using jwks-rsa.
const jwtAuth = const auth = const handler = asyncreq res ... // Your micro logic moduleexports =
Mandatory Configuration Options
- Fixed
secret
only (no jwks-rsa) jwksRsaConfig
configuration only (kid
is looked up from request jwt token headers)jwksRsaConfig
and fixedkid
(kid
on jwt is ignored)
Optional Configuration Options
validAudiences
: List of audiences considered valid. If omitted, audience is not validated.whitelist
: List of paths where authentication is not enforced (token will still be decoded if present)resAuthMissing
: Custom error message for missing authentication headerresAuthInvalid
: Custom error message for invalid tokenresAudInvalid
: Custom error message for invalid audience
Examples
With Fixed Secret
'use strict' const jwtAuth = const auth = ; const handler = asyncreq res return `Ciaone !` moduleexports =
With jwks-rsa Instead of Fixed Secret
'use strict' const jwtAuth = const ms = const jwksRsaConfig = strictSsl: true cache: true cacheMaxEntries: 5 cacheMaxAge: jwksUri: 'https://<your-auth-domain>/.well-known/jwks.json'const auth = ;// Fixed kid: jwtAuth({ jwksRsaConfig: jwksRsaConfig, kid: 'abcdefg' }); const handler = asyncreq res return `Ciaone !` moduleexports =
With micro-router
'use strict' const router get post put patch del = const jwtAuth = const auth = ; // All routesconst routes = moduleexports = // Individual routesconst routes = moduleexports = routes
Credits
Most of the code is based on micro-jwt-auth.