HTTP JWT Bearer authentication strategy for Passport.

passport-http-jwt-bearer

JSON Web Token (JWT) Bearer Token for OAuth 2.0 user authentication strategy for Passport, using HTTP Bearer authentication and jsonwebtoken.

This module lets you authenticate requests in your Node.js applications that carry an OAuth 2.0 access token encoded and signed as a JSON Web Token (JWT).

Bearer tokens are typically used to protect API endpoints, and are often issued using OAuth 2.0.

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

This authentication strategy extends HTTP Bearer authentication with verification of the JWT. Verification of the token covers the signature, expiration, issuer and audience.

By plugging into Passport, bearer token support can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.

Install

$ npm install passport-http-jwt-bearer

Usage

Configure Strategy

The HTTP JWT Bearer authentication strategy authenticates users using a bearer token. The strategy requires a secret (when using HMAC) or a PEM-encoded public key (when using RSA or ECDSA) to validate the signature of the token, and a verify callback, which receives the decoded token and calls done providing a user. Optional info can be passed, typically including the associated scope, which Passport sets at req.authInfo for use by later middleware for authorization and access control.

var JwtBearerStrategy = require('passport-http-jwt-bearer').Strategy;

passport.use(new JwtBearerStrategy(
  secretOrPublicKey,
  function(token, done) {
    // token is the decoded, already verified JWT; look the user up by subject
    User.findById(token.sub, function (err, user) {
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      // pass the claims as info so they are available at req.authInfo
      return done(null, user, token);
    });
  }
));

Authenticate Requests

Use passport.authenticate(), specifying the 'jwt-bearer' strategy, to authenticate requests. Requests containing bearer tokens do not require session support, so the session option can be set to false.

For example, as route middleware in an Express application:

app.get('/profile',
  passport.authenticate('jwt-bearer', { session: false }),
  function(req, res) {
    res.json(req.user);
  });

Issuing Tokens

Bearer tokens are typically issued using OAuth 2.0. OAuth2orize is a toolkit for implementing OAuth 2.0 servers and issuing bearer tokens. Once issued, this module can be used to authenticate tokens as described above.

When issuing a JWT, the token is signed using either a secret shared with consumers, or a private key. jsonwebtoken is a toolkit that can be used to produce JWTs.

Related Modules

Tests

$ npm install
$ npm test

Credits

License

The MIT License