connect-nodejs's People

Contributors

adalinesimonian, bauglir, bmeriaux, camfou, christiansmith, dmitrizagidulin, tomkersten

connect-nodejs's Issues

No access token after .token()

In my application I do the following

client.token({code: 'aabbcc'})
  .then(function () {
    client.register({})
  })
  .catch(...)

The token sent to the register endpoint is Bearer undefined because in the client->register function the token is got like this:

var token = this.tokens && this.tokens.access_token

but this.tokens is undefined. Am I doing something wrong?

.well-known/openid-configuration

Hi,

Are there any plans to support the .well-known/openid-configuration endpoint of an OpenID Connect server? It should simplify setup somewhat.

Regards,
Daníel

Verifying access token scopes

I've run into an issue in a few instances where an access token is not being verified by AccessToken.verify and the "Insufficient scope" error is being thrown. It's coming from this line:

https://github.com/anvilresearch/connect-nodejs/blob/master/lib/AccessToken.js#L160

I wonder if this check is too restrictive, e.g. if an access token has the scope:

"openid email profile phone"

And the Anvil Connect instance is configured with the scope:

"openid profile phone email"

Equally if an access token has any additional scopes the verification will also fail.

Is this by design? Should the scope verification match the exact string, or could we explode the scopes string into components and check that the JWT scopes match on a per-scope basis? Or maybe I'm missing something about this scope verification check entirely?

Happy to provide a patch for this but wanted to check up on the motivation for this design beforehand.
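
The per-scope comparison proposed in this issue, as an added example that is not part of the issue or of connect-nodejs: `exactStringMatch` stands in for the whole-string check the issue describes (an assumption about that line), and `parseScope`, `missingScopes` and `hasRequiredScopes` are hypothetical names. Scopes are compared as whole, case-sensitive tokens, so ordering and extra scopes do not matter, while a near-match such as `profiles` does not satisfy `profile`.

```javascript
'use strict'

// Normalize a scope value (space-delimited string or array) into a Set
// of whole scope tokens. Anything else yields an empty Set.
function parseScope (scope) {
  const parts = Array.isArray(scope)
    ? scope
    : typeof scope === 'string' ? scope.split(' ') : []
  return new Set(parts.filter((s) => typeof s === 'string' && s.length > 0))
}

// Whole-string comparison, as the issue describes the current behaviour
// (assumption): sensitive to ordering and to any additional scope.
function exactStringMatch (tokenScope, requiredScope) {
  return tokenScope === requiredScope
}

// Required scopes that the token does not carry.
function missingScopes (tokenScope, requiredScope) {
  const granted = parseScope(tokenScope)
  return [...parseScope(requiredScope)].filter((s) => !granted.has(s))
}

// Per-scope check: every required scope must be present in the token.
function hasRequiredScopes (tokenScope, requiredScope) {
  // Design choice in this example: an empty or malformed requirement is
  // treated as a misconfiguration and fails closed.
  if (parseScope(requiredScope).size === 0) return false
  return missingScopes(tokenScope, requiredScope).length === 0
}

// Constructed sample values, taken from the two strings quoted in the issue.
const tokenScope = 'openid email profile phone'
const configuredScope = 'openid profile phone email'
console.log('exact string match:', exactStringMatch(tokenScope, configuredScope))
console.log('per-scope match:   ', hasRequiredScopes(tokenScope, configuredScope))
console.log('missing:', missingScopes('openid profiles', 'openid profile'))
```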

AccessToken.decode doesn't exist

Been looking around in the code as to what is generating the following error:
Access Token verify with verifiable JWT and mismatching audience should provide an error description

I can't find any mention of the AccessToken.decode function.

I wouldn't mind taking a crack at it if you can tell me a little about what exactly it is supposed to return.

Missing method for changing user's password

I tried to use updateUser to change a user's password, but it doesn't work.
A workaround is adding a changePassword method to
https://github.com/anvilresearch/connect-nodejs/blob/master/rest/users.js

something like this:

function changePassword (id, password, options) {
  options = options || {}
  options.url = '/v1/users/' + id + '/password'
  options.method = 'PATCH'
  options.json = {password: password}
  return request.bind(this)(options)
}
exports.changePassword = changePassword

Please add it to a future release.

anvil.tokens is undefined

You may want to add in something like:
self.tokens = tokens in connect-nodejs/index.js
to your token function (starts around line 260)

Currently the userinfo function is trying to access anvil.tokens which does not exist.
(This is using the example code from the README)

Implement signout() helper function

Implement signout() function that hits the OIDC provider's /signout API endpoint, and passes along the required params:

  • id_token_hint (the ID Token of the signed in user)
  • post_logout_redirect_uri (must be one of the pre-registered post-logout redirect urls)
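
One way to build the signout request described above, as an added example that is not part of the issue or of connect-nodejs. `buildSignoutUrl` and its parameters are hypothetical, the `/signout` path is resolved against the issuer origin (an assumption), and the redirect URI is accepted only on an exact match with a pre-registered value so the helper cannot be steered to an arbitrary redirect target.

```javascript
'use strict'

// Build the provider signout URL with the two parameters named in the issue.
// registeredUris: the post-logout redirect URIs registered for this client.
function buildSignoutUrl (issuer, idToken, postLogoutRedirectUri, registeredUris) {
  // The ID Token hint must look like a compact JWT (three dot-separated
  // parts). This is a shape check only, not signature verification.
  if (typeof idToken !== 'string' || idToken.split('.').length !== 3) {
    throw new Error('id_token_hint must be a compact JWT')
  }

  // Exact string comparison against the registered list: no prefix,
  // substring or host-only matching.
  if (!Array.isArray(registeredUris) ||
      !registeredUris.includes(postLogoutRedirectUri)) {
    throw new Error('post_logout_redirect_uri is not registered')
  }

  const url = new URL('/signout', issuer)
  if (url.protocol !== 'https:') {
    throw new Error('issuer must use https')
  }

  // searchParams percent-encodes both values.
  url.searchParams.set('id_token_hint', idToken)
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri)
  return url.href
}

// Constructed sample values (not real tokens or hosts).
const registered = ['https://app.example.com/signed-out']
console.log(buildSignoutUrl(
  'https://connect.example.com',
  'aaa.bbb.ccc',
  'https://app.example.com/signed-out',
  registered
))
```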

Implement client.loadClientCredentials()

In order to use much of the Anvil-specific API (say to create users), the nodejs client needs an access token.
From talking with @christiansmith, it sounds like that token comes from one of two places:

  1. A user's access token (received in the request). (Note to self: ask what sort of privileges the user must have in order to make this work? Some sort of admin role?)
  2. A client’s access token obtained from the token endpoint with client_credentials grant (works like an API key).

In the context of client.users.create(), there isn't a user yet, so no access token is possible from that source. Which means, the client should be able to load that client access token. So:

Implement client.loadClientCredentials():

  • assumes prior client registration and a call to .initProvider() to load endpoints etc.
  • makes a POST request to the provider's /token endpoint, with client_id + client_secret.
  • params in the body: grant_type=client_credentials

For reference:
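
The client_credentials request outlined in this issue, as an added example that is not part of the issue or of connect-nodejs. `buildClientCredentialsRequest` and `acceptTokenResponse` are hypothetical names, and sending the credentials with HTTP Basic authentication is an assumption (the issue only says client_id + client_secret). The response check rejects a missing access token instead of letting a later call send `Bearer undefined`.

```javascript
'use strict'

// Form-encode one value (application/x-www-form-urlencoded), as OAuth 2.0
// requires for client credentials before they are Basic-encoded.
function formEncode (value) {
  return new URLSearchParams({ v: value }).toString().slice(2)
}

// Build, but do not send, the POST to the provider's token endpoint.
function buildClientCredentialsRequest (tokenEndpoint, clientId, clientSecret) {
  const url = new URL(tokenEndpoint)
  if (url.protocol !== 'https:') {
    throw new Error('token endpoint must use https')
  }
  if (!clientId || !clientSecret) {
    throw new Error('client_id and client_secret are required')
  }
  const basic = Buffer
    .from(formEncode(clientId) + ':' + formEncode(clientSecret))
    .toString('base64')
  return {
    url: url.href,
    method: 'POST',
    headers: {
      Authorization: 'Basic ' + basic,
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString()
  }
}

// Validate the parsed token response before storing it on the client.
function acceptTokenResponse (json) {
  if (!json || typeof json.access_token !== 'string' || json.access_token === '') {
    throw new Error('token response has no access_token')
  }
  if (String(json.token_type).toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type')
  }
  return { access_token: json.access_token, token_type: 'Bearer' }
}

// Constructed sample values (not real credentials or hosts).
const sample = buildClientCredentialsRequest(
  'https://connect.example.com/token', 'client-1', 's3cr:et')
console.log(sample.method, sample.url, sample.body)
```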
