The Passport Strategy for IBM MobileFirst™ Foundation Security
The passport-mfp-token-validation module provides a Passport strategy for IBM MobileFirst Foundation. It validates the Authorization header of requests to a protected resource by checking the MobileFirst access token that the header carries.
To work with a specific version of MobileFirst Foundation, install the matching version of the module:
MobileFirst Foundation V7.0.0
$ npm install passport-mfp-token-validation@7.0.0.X
MobileFirst Foundation V7.0.1
$ npm install passport-mfp-token-validation@7.0.1.X
MobileFirst Foundation V8.0.X
$ npm install passport-mfp-token-validation@8.0.X
The usage example below also needs express and a logger (winston is used here):
$ npm install express
$ npm install passport-mfp-token-validation
$ npm install winston

Example usage (the authServerUrl, confClientID and confClientPass values are placeholders; replace them with your MobileFirst Server URL and the confidential client defined on it):

```js
var express = require('express');
var passport = require('passport-mfp-token-validation').Passport;
var mfpStrategy = require('passport-mfp-token-validation').Strategy;

var scope = 'usernamePassword';
var strategyName = 'mobilefirst-strategy';

var logger = require('winston');
logger.level = 'debug';

// authServerUrl, confClientID and confClientPass are placeholders: use the
// MobileFirst Server URL and the confidential client defined on that server.
passport.use(new mfpStrategy({
    authServerUrl: 'http://localhost:9080/mfp/api',
    confClientID: 'mfpadmin',
    confClientPass: 'admin',
    name: strategyName,
    logger: logger
}));

var app = express();
app.use(passport.initialize());
// session must always be false; scope lists the scopes the token must have been granted.
app.get('/protected', passport.authenticate(strategyName, { session: false, scope: scope }),
    function (req, res) {
        res.send('Hello from a protected resource');
    });
app.listen(3000);
```
The strategy accepts the following options:
- authServerUrl (Mandatory): The URL of the MobileFirst Server.
- confClientID: Required only when MobileFirst Server is used as the (internal) authorization server. The confidential client ID, which must be defined in MobileFirst Server.
- confClientPass: Required only when MobileFirst Server is used as the (internal) authorization server. The confidential client password, which must be defined in MobileFirst Server.
- cacheSize: The maximum number of validated tokens to keep in the cache. The default value is 50000. A value of 0 disables caching; a negative value falls back to the default.
- name: The strategy's name. The default value is 'mobilefirst-strategy'.
- logger: A logger instance. The default is the IBM® default logger at INFO level, which writes log messages to the console.
- certificate: The path to the authorization server's SSL certificate. If the connection to the authorization server uses SSL, obtain the server's certificate and store it in a local directory. The following command retrieves it: 'openssl s_client -connect AUTH_SERVER_URL:AUTH_SERVER_SSL_PORT | openssl x509 > certificate.crt'. Because s_client reads from standard input, append '< /dev/null' so that it exits after the handshake. The command trusts whatever certificate the remote side presents, so before using the file compare its fingerprint with a value obtained from the server administrator through another channel.
analytics.onpremise is an optional object that contains:
- url: The URL of the operational analytics server. For example,
- username: The username, if credentials are required.
- password: The password, if credentials are required.
The middleware (the options passed to passport.authenticate) contains:
- strategyName (Mandatory): The name of the strategy to use. It must match the strategy's name option, whose default value is 'mobilefirst-strategy'.
- session (Mandatory): Must always be false; token validation is stateless and creates no login session.
- scope: Space-separated list of the scopes that are required for accessing the resource.
Obtaining a Token
The passport-mfp-token-validation module obtains a token for itself from the token endpoint. To receive that token it must be defined as a confidential client on the authorization server (when MobileFirst Server is the authorization server, these are the confClientID and confClientPass options).
The passport-mfp-token-validation module verifies the Authorization header of the request. The header has the form 'Authorization: Bearer <access_token>' and consists of the following elements:
- Bearer (Mandatory): The required token-type string, as defined in the OAuth 2.0 specification.
- access_token (Mandatory): The token generated by the MobileFirst OAuth provider.
The module sends the access token to the MobileFirst introspection endpoint, together with the module's own token. The introspection endpoint verifies the access token and returns a response. If the module validates that response successfully, access to the protected resource is granted and the securityContext object becomes part of the request.
After a successful validation, the security context is added to the current request. It is also used for caching and for analytics.
The securityContext object contains the following fields:
- active: Whether the context is active.
- client_id: The client ID, composed of the device ID and the application ID. There can be several client IDs on one device.
- exp: The expiration time, counted from the epoch.
- mfp-device: The device value. Contains deviceDisplayName, deviceStatus, id, model and os.
- mfp-application: The application value. Contains clientPlatform, id, packageName and version.
- mfp-user: The user value. Contains attributes, authenticatedAt, authenticatedBy, displayName and id.
- mfp-checks: All the security checks that the user passed.
- scope: Space-separated string listing the names of the granted scopes.
- username: The username. It can be set by a security check and is optional; the default value is an empty string.
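The validation flow and the securityContext fields described above can be exercised offline with the following model. It is an added example, not the module's own code: the MobileFirst introspection endpoint is replaced by a constructed in-memory stub, the token values, timestamps and the module's own token are constructed, and the HTTP status codes are this example's choice. It shows the three checks a protected route depends on (Bearer parsing, token activity and expiry, required scopes as a subset of granted scopes) and how a bounded cache with the cacheSize semantics above avoids a second introspection call.

```javascript
'use strict';
// Added example (not the module's code): an offline model of the checks the
// passport-mfp-token-validation strategy performs on a request. The MobileFirst
// Server is replaced by a constructed stub; field names follow the
// securityContext description in the README.

const NOW = 1700000000;                                    // constructed "current time", seconds since the epoch
const MODULE_TOKEN = 'module-confidential-client-token';   // constructed stand-in for the module's own token

// Constructed introspection responses, keyed by access token.
const STUB_INTROSPECTION = {
  'tok-valid': {
    active: true, client_id: 'device-1-com.example.app', exp: NOW + 3600,
    scope: 'usernamePassword RegisteredClient', username: 'alice',
    'mfp-user': { id: 'alice', displayName: 'Alice', authenticatedBy: 'UserLogin', authenticatedAt: NOW, attributes: {} },
    'mfp-application': { id: 'com.example.app', clientPlatform: 'android', packageName: 'com.example.app', version: '1.0' },
    'mfp-device': { id: 'device-1', deviceDisplayName: 'Pixel', deviceStatus: 'ACTIVE', model: 'Pixel 3', os: 'android' },
    'mfp-checks': { UserLogin: {} },
  },
  'tok-expired': { active: true, client_id: 'device-2-com.example.app', exp: NOW - 1,
                   scope: 'usernamePassword', username: 'bob', 'mfp-user': { id: 'bob', displayName: 'Bob' } },
  'tok-noscope': { active: true, client_id: 'device-3-com.example.app', exp: NOW + 3600,
                   scope: 'RegisteredClient', username: '', 'mfp-user': { id: '', displayName: '' } },
  'tok-revoked': { active: false },
};

let introspectCalls = 0;
function getIntrospectCalls() { return introspectCalls; }

// Stand-in for the MFP introspection endpoint: the module presents its own token,
// then submits the client's access token for verification.
function introspect(accessToken, moduleToken) {
  introspectCalls += 1;
  if (moduleToken !== MODULE_TOKEN) throw new Error('module is not authorized to introspect');
  return STUB_INTROSPECTION[accessToken] || { active: false };
}

// Extract the token from "Authorization: Bearer <token>". The scheme name is
// case-insensitive (RFC 6750); any other scheme, an empty value or extra tokens is rejected.
function parseBearer(header) {
  if (typeof header !== 'string') return null;
  const m = /^\s*Bearer\s+(\S+)\s*$/i.exec(header);
  return m ? m[1] : null;
}

// Every scope required by the route must appear in the space-separated granted list.
function hasRequiredScopes(required, granted) {
  const grantedSet = new Set((granted || '').split(/\s+/).filter(Boolean));
  return required.split(/\s+/).filter(Boolean).every((s) => grantedSet.has(s));
}

// Bounded cache of validated contexts with the cacheSize semantics from the README:
// 0 disables caching, and an expired entry is never served.
class TokenCache {
  constructor(maxSize) { this.max = maxSize; this.map = new Map(); }
  get(token, now) {
    const ctx = this.map.get(token);
    if (ctx === undefined) return undefined;
    if (ctx.exp <= now) { this.map.delete(token); return undefined; }
    return ctx;
  }
  set(token, ctx) {
    if (this.max <= 0) return;
    if (this.map.size >= this.max) this.map.delete(this.map.keys().next().value); // drop the oldest entry
    this.map.set(token, ctx);
  }
}

// Validate one request the way a protected route would: parse the header, consult the
// cache, otherwise introspect, then enforce expiry and the route's required scope.
// Returns { status, body, securityContext } instead of writing an HTTP response.
function validateRequest(req, opts) {
  const token = parseBearer(req.headers.authorization);
  if (token === null) return { status: 401, body: 'missing or malformed Bearer token' };
  let ctx = opts.cache.get(token, opts.now);
  if (ctx === undefined) {
    ctx = introspect(token, opts.moduleToken);
    if (!ctx.active || ctx.exp <= opts.now) return { status: 401, body: 'token inactive or expired' };
    opts.cache.set(token, ctx);
  }
  if (!hasRequiredScopes(opts.scope, ctx.scope)) return { status: 403, body: 'insufficient scope' };
  return { status: 200, body: 'Hello ' + ctx['mfp-user'].displayName, securityContext: ctx };
}
```

A route that needs more than the scope check can read the returned securityContext (for example mfp-user.id or mfp-device.deviceStatus) before serving the resource; the cache key is the raw token, so a token that is revoked at the server is still served from the cache until its exp passes, which is the trade-off cacheSize controls.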
- IBM MobileFirst Foundation (cross-platform)
- IBM MobileFirst Foundation for iOS (iOS only)
This package contains sample code provided in source code form. The samples are licensed under the Apache License, Version 2.0 (the "License"). You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 and may also view the license in the license.txt file within this package. Also see the notices.txt file within this package for additional notices.