4

I'm working in a project with Loopback version 4, a Node.js framework. I need to implement authentication with Auth0. However, it seems Auth0 is not compatible with version 4 of Loopback. I couldn't find any documentation, or even a tutorial, about this subject. Anybody there has ever implement authentication with Auth0 in Loopback 4?

blackjack
  • 1,081
  • 2
  • 13
  • 30

2 Answers2

5

One of the LoopBack team members has recently implemented a proof-of-concept application showing how to integrate with Auth0. You can find the repository here:

https://github.com/raymondfeng/loopback4-example-auth0

Miroslav Bajtoš
  • 10,667
  • 1
  • 41
  • 99
4

Hello from the LoopBack team

Authentication and authorization are features that we are actively working on right now (as of June 2019). As far as I can tell from Auth0 docs (see Server Client + API: Node.js Implementation for the API), they are using JWT tokens.

Fortunately, we already have an example application demonstrating JWT-based authentication - see https://github.com/strongloop/loopback4-example-shopping

Take a look at JWTService class, it's the place where the client-provided tokens are parsed and verified.

The Express example provided by Auth0 uses express-jwt package that wraps jsonwebtoken into an Express middleware.

In LoopBack, we call jsonwebtoken directly.

To adapt the Express based example provided by Auth0, it should be enough to figure out how to pass relevant bits of express-jwt configuration to jsonwebtoken library.

Here is the configuration copied from Auth0 docs:

// Create middleware for checking the JWT
const checkJwt = jwt({
  // Dynamically provide a signing key based on the kid in the header and the singing keys provided by the JWKS endpoint.
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://YOUR_DOMAIN/.well-known/jwks.json`
  }),

  // Validate the audience and the issuer.
  audience: process.env.AUTH0_AUDIENCE,
  issuer: `https://YOUR_DOMAIN/`,
  algorithms: ['RS256']
});

Here is how LoopBack's JWTService calls jsonwebtoken library:

https://github.com/strongloop/loopback4-example-shopping/blob/5f36ae289f50d67bcdc33637c0323daa1f10e02b/packages/shopping/src/services/jwt-service.ts#L35 

const decryptedToken = await verifyAsync(token, this.jwtSecret);

Note that jwtSecret is injected into the service, we are configuring it here:

https://github.com/strongloop/loopback4-example-shopping/blob/2d8978d0d72150caf95573c362402491a92757e7/packages/shopping/src/application.ts#L76-L78

    this.bind(TokenServiceBindings.TOKEN_SECRET).to(
      TokenServiceConstants.TOKEN_SECRET_VALUE,
    );

I believe you need to replace TokenServiceConstants.TOKEN_SECRET_VALUE with the value returned by jwksRsa.

this.bind(TokenServiceBindings.TOKEN_SECRET).to(
  jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://YOUR_DOMAIN/.well-known/jwks.json`
  }),
})

Remaining things to figure out:

  • How to apply audience, issuer and algorithms options.

  • I am not sure if jsonwebtoken supports dynamic secrets out of the box. If the proposal above does not work, then you may need to look into express-jwt sources to find out how they are handling dynamic secrets.

I hope my answer provides enough pointers that will allow you to figure the missing details yourself. It would be great if you could post the full working solution if you manage to work it out.

Miroslav Bajtoš
  • 10,667
  • 1
  • 41
  • 99
  • Hello Miroslav Something not clear to me is: Are we obliged to manage a login endpoint to be able to get jwt tokens using the Loopback solution without auth0? – Philippe Corrèges Nov 22 '19 at 09:54