How to setup OAuth 2.0 server using loopback.io - node.js

I have set up OAuth as per the docs and this link https://strongloop.com/strongblog/node-js-loopback-api-gateway-sample-applications/.
There are a few issues in understanding the usage of the code base and flow based on the options of loopback-component-oauth2. Is there a tutorial that covers each section, or a working implementation for Implicit, Authorization Code, Refresh token, JWT?
I have been able to secure an API (e.g. /api/Notes) as per the docs and it does seem to be blocking requests, but it is not allowing me to authenticate. Moreover, when I make a request to /oauth/token this API is also throwing Unauthorized 401 errors - both from a REST client like Postman and from https://loopbacklocalhost/explorer.
I am using loopback 3.0. I am having a tough time with the component, which is neither documented completely nor has example code aligned with the docs. Maybe I am missing something here.
I have seen this hub repo as well; it seems they use passport directly, and it is documented so sparsely that it is difficult to integrate things easily.
https://github.com/strongloop/microgateway
Note: I have gone through the following question, the archive repo tests.
How to setup OAuth 2.0 server using loopback
Any help is welcome.

Related

Getting Users API access in nodejs AppEngine environment with Identity Aware Proxy

I have a nodejs app deployed on AppEngine with IAP enabled, so right now access to its endpoints is protected against users outside of the project's IAM and I get the "x-goog-authenticated-user-id", "x-goog-authenticated-user-email" and another jwt assertion x-goog signed header, just like it should be (as detailed here https://cloud.google.com/iap/docs/identity-howto).
In certain AppEngine environments (so far Python, Java, Go) it seems you are able to use some already provided libraries to get more information about the user with the Users API; however, the nodejs page is disabled (here https://cloud.google.com/appengine/docs/standard/python/users/) and there seems to be no indication of what should be done there. Any ideas?
If there is no straightforward way around it, would I be able to have an App Engine environment that also exposes for example the Python libraries for the Users API, so that I can wrap around them and use them in my nodejs app?
The Users API isn't supported for Node.js. Instead, you can get the identity from the x-goog-iap-jwt-assertion header.
We don't currently have a code sample for Node.js, though this looks like one reasonable approach. (Disclaimer: I'm not a Node user, and don't know enough about Node JWT libraries to endorse any of them in particular.)
Update for the current state:
There is currently Identity-Aware Proxy documentation for Node.js.

How does openAM handle an authentication request?

I started studying openAM recently and need to go deep into its infrastructure.
I have learned that openAM provides some authentication APIs such as
Post: http://mywebsite/openam/json/authenticate
headers: X-OpenAM-Username:xxx , X-OpenAM-Password:xxx
Basically I want to learn more about how openAM handles such a request: where is the controller? How does it validate the username and password? Can anyone give a hint where to start in openAM's source?
If you have the privilege of having access to the OpenAM/AM source code, then you could start to look at AuthenticationServiceV1 and the various RESTAuth*CallbackHandler classes to get a closer look at the REST side of things.
If you are interested in the authentication framework in its all glory, then AMLoginContext, AuthContext, LoginState and AMLoginModule are the classes you should take a look at.
Please read OpenAM 13 Developer's Guide - Using the REST API at first.
If you want to know the implementation and behaviour of REST API, please check the OpenAM debug logs, read source code of OpenAM REST Services and attach a debugger by using IDE.
You can get the token value after posting to the REST API below:
Post: http://mywebsite/openam/json/authenticate
headers: X-OpenAM-Username:xxx , X-OpenAM-Password:xxx
After that, for the list of REST APIs provided by openAM,
you need to add the header value for every request:
"iplanetDirectoryPro" = "Received token value"

Difference between logging in into salesforce sandbox with and without consuming wsdl?

I am very new to Salesforce and its API.
I have a sandbox org, and with it I have a url, username, password, security token and, last but not least, partner.wsdl.
My aim was to connect and retrieve/create data.
The technology at hand was nodejs.
So here is how I started.
I searched over the internet and came to know that I need to create a client, a SOAP client, in order to login, create the connection and use that connection to create and access the Leads data. So I followed this sample where the wsdl was being consumed.
So I was able to connect.
I was very happy with this success, and then suddenly I wasn't able to identify/find a way to get the sObject. I looked hard for this but no luck. So I posted a question on SO.
Meanwhile I also looked for other node modules and found jsforce.
I used the jsforce starting guide and created a client that was connecting to salesforce, however without using the wsdl file.
Again I was happy, even more happy because I had the sObject with me.
Now, what is the fundamental difference if I login using the local wsdl file and without the wsdl file, in the language of salesforce? Which one is the correct way of logging in?
Sorry if this question is not according to SO rules or if there is a typo.
I'm the author of jsforce you mentioned.
In that lib we use the REST API mostly, and SOAP APIs are only used in some specific calls like login or metadata. Even in such calls we don't use WSDLs because there's no good lib to generate client modules from WSDL in the JavaScript/Node.js area. Instead we wrote modules for each API which generate SOAP XML strings and parse the response XML.
It is enough because these API message schemas are static and feasible in the specific version, unlike the SOAP API Enterprise WSDL, which differs between organizations. So we can hard code the client module directly without generating it from WSDL.

authentication with a third party provider

I'm developing an api server in (NodeJs/hapi) coupled with an android application.
I'm having a problem understanding how to do login via a third party like google and facebook.
So far my strategy is:
authorize my app (android)
get the email and other data from google/facebook (android)
send email and data to my server and save it in a database (server)
Next time, on authentication, I'll just check the same data (from google) against the saved data (my server).
I'm pretty sure there is a better way to do it, but the documentation I have read so far leaves me with a headache.
Help is appreciated.
I just set up a demo project using ExpressJS.
It would be interesting to have a fork for Hapi.
Check it out if you want: http://git.io/RHnjBg

Dynamics CRM Online + Node.js (request runs forever / hangs)

I tried to develop a node.js module that allows the use of the SOAP web service of CRM Online: XrmNodeKit
The code is based on the JavaScript code provided by Jason Lattimer.
So far I was able to retrieve the auth-token, but when I execute the WhoAmI request the web-service call just runs forever (see test "should fetch the name of the current user"); no error is thrown....
You can find the source-code on github.
Has anyone tried to consume the SOAP web-services via Node.js?
Have you found this post? http://www.alexanderdevelopment.net/post/2015/01/24/authenticating-from-a-node-js-client-to-dynamics-crm-via-ad-fs-and-oauth2/
I understand this is the correct approach. You need to use OAuth.
But it is not correct in one regard (I'm quoting an expert from the CRM product team)
He says "You cannot move the node.js code to client, since in this case you need to use the Implicit flow rather than the Authorization code flow , Finally after getting the OAuth token, you still cannot send it to our Web services from the client since [CRM Online] does not support CORS in 2013/2015"
While this is a .NET sample it covers the principles, just have to make it work with Node.js: https://bitbucket.org/Georged/caseowary/overview (credits to George Doubinski)