google auth library node js: unpacking contents of token - google-auth-library-nodejs

Some google service is sending the program an Authorisation JWT token in the header of a request. Using the Google Auth Library (https://github.com/googleapis/google-auth-library-nodejs), how can I unpack the package to retrieve a field of the token? Thanks

I found making a request to: https://oauth2.googleapis.com/tokeninfo?id_token= and passing the token returns the json.

Related

Unauthorised error from getProfile when using node-auth0

I am trying to migrate authentication via auth0 from a jvm based solution which uses auth0 rest api to a node based solution using node-auth0.
At present its a 2 step process:
Get token via POST /oauth/token
Get user profile via /userInfo
In the node application, I am constructing AuthenticationClient while providing clientId, clientSecret and domain as AuthenticationClientOptions and able to get the token successfully using passwordGrant but when I use the same authenticationClient object to call getProfile while providing the token obtained from passwordGrant, I get this error:
Request failed with status code 401
What’s confusing is that in Auth0 dashboard, this request is successful.
I am using node-auth0 SDK Version: 2.42.0 on Node 15.14.0
The token obtained via passwordGrant will be processed to respond for userInfo. Hence, the token must have in its audience claim <your-auth0-domain>/userInfo.

I always get invalid signature when I input the generated token in jwt

I am trying to use the Opentok REST API with JWT to generate a video session token. I am using the following credentials to create the JWT following the JSONWebToken documentation at https://github.com/kylef/JSONWebToken.swift. I have used the generated token for authorisation ..

Verify the Firebase authentication token of a user's request on an Google App Engine NodeJS server?

So I've found this piece of doc on how to integrate Firebase authentication with Google App Engine, but it was written for Python, and it seems old, as I've found some inconsistencies in the code. I didn't find a corresponding tutorial for NodeJS.
From I understood, the sequence of the process should be the following:
STEP 1
User logs in through client code (firebase JS SDK) and I get its JWT userIdToken by using user.getIdToken()
STEP 2
Fetch my GAE server URL with the following header:
headers: {
'Authorization': 'Bearer ' + userIdToken
}
Then the tutorial indicates that I should use a Google Auth library, in order to validate the JWT userIdToken.
Before the client can access server data, your server must verify the token is signed by Firebase. You can verify this token using the Google Authentication Library for Python. Use the authentication library's verify_firebase_token function to verify the bearer token and extract the claims:
Therefore, for a NodeJS server, I should use the following library, correct?
google-auth-library
Or instead, can I use firebase-admin to validate the userIdToken as indicated in the following doc?
https://firebase.google.com/docs/auth/admin/verify-id-tokens
I guess that the firebase-admin seems to be the way to go on this case. But if I choose that path, should I still pass the token using the 'Authorization': 'Bearer ' header? Or is there a better way of handling this?
You can pass the ID token to your backend any way you want. It's customary and standard to use the Authorization header as you see in the documentation, but not required. The code examples should make it clear that what you really just need is to pass that token to be verified with the Firebase Admin SDK.

authentication header vs query parameter in google cloud endpoints

I have tried everything, yet I cannot access my API using google cloud endpoints using a Authentication:Bearer header. According to Cloud Endpoints Docs:
When you send a request using an authentication token, for security reasons, we recommend that you put the token in the Authorization:Bearer header.
it also says:
If you cannot use the header when sending the request, you can put the authentication token in a query parameter called access_token.
I can perfectly access the API using access_token=" +idToken in my URL. However, when I try to send an HTTP request with the Authentication header like this:
const url =
"https://<PROJECTNAME>.appspot.com/getbalance";
axios
.get(url,{headers:{'Authentication':'Bearer '+idToken}})
.then(response => {
console.log(response.data);
})
.catch(error => {
console.log(error);
});
I get this error:
JWT validation failed: Missing or invalid credentials
Is sending the token in a query parameter as safe as sending it in the header?
Your code example shows you setting an Authentication header, not an Authorization header. You should not typically use a query parameter as it will likely get logged in Cloud Console.
When using "Authorization: Bearer ", you would need to use an access token obtained through OAuth 2.0 authentication.
This can be illustrated if you use the Oauth Playground agains any of the Google APIs.
Keep in mind that if you want to access your Firebase database using the Oauth Playground, you would need to configure the client ID and client Secret of your Firebase project on the gear icon at the top right of the playground screen.
Also make sure to use these scopes:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/firebase.database
After completing all the steps, you will be able to make a REST request using the authorization header with the obtained access token.

Nodejs - ADAL package issue

I am using adal-node package in my Nodejs app for authenticating against Azure AD.
URL: https://www.npmjs.org/package/adal-node
I am using acquireTokenWithAuthorizationCode method to get the token and it works fine.
When my auth code expires, I want to refresh my token using the below.
authenticationContext.acquireTokenWithRefreshToken(_tokenData.refreshToken, authdata.clientId, authdata.resource, callback).
But when I run this code, its giving me the below error.
"Get Token request returned http error: 400 and server response: {"error":"invalid_request","error_description":"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'
The method will not accept client secret as its argument, but still it complains that it needs a client secret.
Can you please help?
Thanks
Anil
Unfortunately, the library does not support your scenario right now. The function acquireTokenWithRefreshToken that you are using was intended for OAuth public clients that don't require a client secret, but your app is an OAuth confidential client which does.
I have filed the following issue in the GitHub repo to track the need to add a new method that would support your scenario.
https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/issues/22

Resources