auth0 / express-oauth2-bearer Goto Github PK

Describe the problem you'd like to have solved

Allow for specifying other common key import methods, like X509 using a public key, or PKCS8. The jose package already has support ready for these. The certs could be fetched by making a simple net socket connection, tls upgraded, to the issuer, socket.getPeerCertificate().raw. No dependencies would be added.

Additional thought, in cases of tls, if there is no ISSUER_BASE_URL defined, default to the iss claim value. I believe this would usually be a fqdn of the issuer. Which, if reachable, should have the necessary public key as part of it's TLS cert. I believe this would be the most common use case and would just work out of the box for most folks.

Describe the ideal solution

When setting up the middleware, pass a string that for the desired method in which a key should be imported: i.e. 'jwks' | 'x509' | 'pkcs' , defaulting to jwks.

i.e.

auth({method:'x509'});
// or for simplicity with defaults
auth('x509');

Alternatives and current work-arounds

This package already allows for passing in a public key as a param (I think), or providing a custom getToken handler. However, given the name of the package, I would expect to be able to use other import methods, besides JWKS without having to implement them myself.

Additional information, if any

I'm happy to write this up and submit a PR for review, I just wanted to check with the maintainers for their thoughts and/or blessings, before I do so.

Problem: Passing configuration values inline to the auth middleware, the values are not passed into the openid strategy constructor. This causes the library to throw Error: issuerBaseURL is required.

This code:

const handler = auth({
      issuerBaseURL: `https://${domain}`,
      allowedAudiences: audience,
    });

Throws an error at:

This line should pass the params down to the contructor:

i'm using npm version 0.4.0 and get error when passing params to auth method. So i checked master branch and params are initialized there

MASTER
index.js

if(!params.strategy) {
    params.strategy = openid(params);
  }

NPM VERSION
index.js

if(!params.strategy) {
    params.strategy = openid() // missing param object;
  }

please renew npm version

Describe the problem you'd like to have solved

I have a situation using express router where I want the GET commands of say 3 out of 20 endpoints to not check the access token. Currently there doesn't seem to be this sort of white list feature

Describe the ideal solution

I could pass a list of "public" paths that will be ignored by the authentication header check.

Alternatives and current work-arounds

Add the express-oauth2-bearer library once for each router

Checklist

• I have looked into the Readme and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Problem:
WebSocket connections are becoming increasingly important in modern web applications, particularly for real-time communication. Currently, the express-oauth2-bearer library is designed primarily for validating OAuth 2.0 access tokens in Express.js HTTP routes. However, it lacks support for WebSocket connections.

Use Case:
Modern web applications often require both HTTP and WebSocket protocols for various functionalities. Integrating OAuth 2.0 authentication seamlessly with WebSocket connections would simplify the authentication process for applications that use both protocols.

Describe the ideal solution

Ideal Solution:
The ideal solution is to extend the functionality of the express-oauth2-bearer library to support WebSocket middleware. This extension should provide a similar level of ease and security for OAuth 2.0 authentication in WebSocket connections as it currently does for HTTP routes. It should include middleware for WebSocket handshake validation and token decoding.

Alternatives and current workarounds

Alternatives and Workarounds:
Currently, users have to manually handle token validation and decoding for WebSocket connections, as the express-oauth2-bearer library is primarily designed for HTTP routes. While this manual approach works, it is less convenient and maintainable than having built-in support within the library. An alternative would be to use separate OAuth 2.0 authentication solutions for WebSocket connections, which can lead to duplicated code and increased complexity.

Additional context

WebSocket connections and HTTP requests have different characteristics, so implementing WebSocket support within the library might require adjustments or new APIs to handle WebSocket authentication seamlessly.
This feature request aims to enhance the library's versatility and usefulness in modern web application development, where a unified authentication approach across different protocols can simplify development and improve security.
Providing support for WebSocket middleware would align with the evolving needs of web applications that increasingly rely on real-time features and OAuth 2.0 authentication.
Is this feature request related to a problem? Please describe.

Yes, this feature request is related to the need for consistent and secure OAuth 2.0 authentication across both HTTP and WebSocket connections in modern web applications.