JSON Web Token (JWT) Bearer Token for OAuth 2.0 user authentication strategy for Passport, using HTTP Bearer authentication and jsonwebtoken.
This module lets you authenticate requests containing a JSON Web Token (JWT) encoded and signed OAuth2 access token, in your Node.js applications.
Bearer tokens are typically used to protect API endpoints, and are often issued using OAuth 2.0.
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.
This authentication strategy extends HTTP Bearer authentication with verification of the JWT. Verification of the token includes signature, expiration, issuer and audience validation.
By plugging into Passport, bearer token support can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
$ npm install passport-http-jwt-bearer
The HTTP JWT Bearer authentication strategy authenticates users using a bearer token. The strategy requires a secret (when using HMAC) or a PEM-encoded public key (when using RSA or ECDSA) to validate the signature of the token, and a verify callback, which accepts the decoded token and calls done providing a user. Optional info can be passed, typically including the associated scope, which will be set by Passport at req.authInfo to be used by later middleware for authorization and access control.
var JwtBearerStrategy = require('passport-http-jwt-bearer');
passport.use(new JwtBearerStrategy(
secretOrPublicKey,
function(token, done) {
User.findById(token.sub, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
return done(null, user, token);
});
}
));
Use passport.authenticate(), specifying the 'jwt-bearer' strategy, to authenticate requests. Requests containing bearer tokens do not require session support, so the session option can be set to false.
For example, as route middleware in an Express application:
app.get('/profile',
passport.authenticate('jwt-bearer', { session: false }),
function(req, res) {
res.json(req.user);
});
Bearer tokens are typically issued using OAuth 2.0. OAuth2orize is a toolkit for implementing OAuth 2.0 servers and issuing bearer tokens. Once tokens are issued, this module can be used to authenticate them as described above.
When issuing a JWT, the token is signed using either a secret shared with consumers or a private key. jsonwebtoken is a toolkit that can be used to produce JWTs.
- OAuth2orize - OAuth 2.0 authorization server toolkit
- jsonwebtoken - JSON Web Token implementation
$ npm install
$ npm test
- Pierre Buyle
- Jared Hanson, author and maintainer of passport and passport-http-bearer.
- Matias Woloski, author and maintainer of jsonwebtoken.