predix-acs-client
Node module to check authorization for a user to perform an action against Predix ACS policies. Primarily used when protecting REST endpoints with UAA JWT tokens.
NOTE that the client credentials that you use to query ACS must have the appropriate permissions to do so.
As this is a UAA client, these should be added as authorities, not scopes.
The minimum is acs.policies.read and predix-acs.zones.your-acs-zone-id.user
Usage
Install via npm
npm install --save predix-acs-client
Basic usage with a known user and ACS endpoint
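```javascript
const config = {
    uaa: {
        uri: 'https://your-uaa-service.predix.io/oauth/token',
        clientId: 'your-uaa-client',
        clientSecret: 'your-uaa-secret'
    },
    acsUri: 'https://predix-acs.example.predix.io',
    zoneId: 'your-acs-zone-id'
};

const acs = require('predix-acs-client')(config);

// The request object (method, path) and the user name are sample values
acs.isAuthorized({ method: 'GET', path: '/example' }, 'my-user')
    .then(() => console.log('Permit'))
    .catch((err) => console.log('Deny', err));
```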
As an expressjs middleware
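```javascript
'use strict';
const express = require('express');
const app = express();

// Configure the ACS client
const options = {
    uaa: {
        uri: 'https://your-uaa-service.predix.io/oauth/token',
        clientId: 'your-uaa-client',
        clientSecret: 'your-uaa-secret'
    },
    acsUri: 'https://predix-acs.example.predix.io',
    zoneId: 'your-acs-zone-id'
};
const acs = require('predix-acs-client')(options);

// Registered before the ACS check, so this route is not protected (sample path)
app.get('/hello', (req, res) => {
    res.send('Hello');
});

// To ensure Authorization header has a bearer token
// use something like predix-fast-token https://github.com/PredixDev/predix-fast-token

// This assumes that the user token has been validated already
app.all('*', (req, res, next) => {
    // This would come from the token
    const username = 'demo';
    // This defaults to using:
    // req.method as the ACS action
    // req.path as the ACS resourceIdentifier
    // username as the ACS subjectIdentifier
    // If you want to use a resource name other than the path,
    // just pass in a new object - see example above
    acs.isAuthorized(req, username).then(() => {
        next();
    }).catch(() => {
        res.status(403).send('Forbidden');
    });
});

// Registered after the ACS check, so this route is protected (sample path)
app.get('/secure', (req, res) => {
    res.send('Authorized');
});

// Need to let CF set the port if we're deploying there.
const port = process.env.PORT || 9001;
app.listen(port);
console.log('Started on port ' + port);
```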
Working together with predix-fast-token as an expressjs middleware
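```javascript
'use strict';
const express = require('express');
const bearerToken = require('express-bearer-token');
const predixFastToken = require('predix-fast-token');
const app = express();

// Configure the ACS client
const options = {
    uaa: {
        uri: 'https://your-uaa-service.predix.io/oauth/token',
        clientId: 'your-uaa-client',
        clientSecret: 'your-uaa-secret'
    },
    acsUri: 'https://predix-acs.example.predix.io',
    zoneId: 'your-acs-zone-id'
};
const acs = require('predix-acs-client')(options);

const trusted_issuers = [
    'https://abc.predix-uaa.example.predix.io/oauth/token',
    'https://xyz.predix-uaa.example.predix.io/oauth/token/oauth/token'
];

// Copies the bearer token from the Authorization header into req.token
app.use(bearerToken());

// Ensure Authorization header has a bearer token
app.all('*', (req, res, next) => {
    console.log('Checking', req.method, req.path);
    if (req.token) {
        // Validate the token first, then ask ACS about the user it names
        predixFastToken.verify(req.token, trusted_issuers).then((decoded) => {
            return acs.isAuthorized(req, decoded.user_name);
        }).then(() => {
            next();
        }).catch(() => {
            res.status(403).send('Forbidden');
        });
    } else {
        console.log('No bearer token in request');
        res.status(401).send('Unauthorized');
    }
});

// Registered after the checks, so this route is protected (sample path)
app.get('/secure', (req, res) => {
    res.send('Authorized');
});

// Need to let CF set the port if we're deploying there.
const port = process.env.PORT || 9001;
app.listen(port);
console.log('Started on port ' + port);
```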
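The middleware comments above note that req.path is the default ACS resourceIdentifier and that a different object can be passed instead. The following added example (not code from the predix-acs-client project) shows a guard that maps concrete paths to a stable resource name and denies on any rejection. It assumes the client exposes isAuthorized(request, subject) returning a promise that rejects on deny or error, and that an earlier step stored validated token claims in req.decoded; stubAcs, PATTERNS, toAcsRequest, acsGuard and simulate are hypothetical names, and the requests are constructed.

```javascript
'use strict';

// Map a concrete request path to the stable resource name the ACS policy is
// written against, so '/orders/17' and '/orders/42' share one policy entry.
function toAcsRequest(req, patterns) {
    const hit = patterns.find(([regex]) => regex.test(req.path));
    return { method: req.method, path: hit ? hit[1] : req.path };
}

// Express-style middleware. Assumes an earlier step validated the token and
// stored its claims in req.decoded (hypothetical property name).
function acsGuard(acs, patterns) {
    return (req, res, next) => {
        const subject = req.decoded && req.decoded.user_name;
        if (!subject) {
            res.status(401).send('Authentication required');
            return Promise.resolve();
        }
        // Fail closed: a policy deny and an ACS outage both end in 403.
        return acs.isAuthorized(toAcsRequest(req, patterns), subject)
            .then(() => next(), () => res.status(403).send('Forbidden'));
    };
}

// Constructed stand-in for the ACS client: permits only demo + GET /orders/{id}.
const stubAcs = {
    isAuthorized: (request, subject) =>
        subject === 'demo' && request.method === 'GET' && request.path === '/orders/{id}'
            ? Promise.resolve(true)
            : Promise.reject(new Error('deny'))
};

const PATTERNS = [[/^\/orders\/\d+$/, '/orders/{id}']];

// Drive the guard with minimal fake req/res objects; resolves to the outcome,
// either 'next' or the HTTP status code that was sent.
function simulate(req) {
    let outcome = null;
    const res = { status: (code) => ({ send: () => { outcome = code; } }) };
    return acsGuard(stubAcs, PATTERNS)(req, res, () => { outcome = 'next'; })
        .then(() => outcome);
}

simulate({ method: 'GET', path: '/orders/17', decoded: { user_name: 'demo' } })
    .then((o) => console.log('demo GET /orders/17 ->', o));
simulate({ method: 'DELETE', path: '/orders/17', decoded: { user_name: 'demo' } })
    .then((o) => console.log('demo DELETE /orders/17 ->', o));
simulate({ method: 'GET', path: '/orders/17' })
    .then((o) => console.log('no claims GET /orders/17 ->', o));
```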