SlideShare a Scribd company logo

Authenticating and Securing Node.js APIs

Download as PPTX, PDF
J
Jimmy Guerrero

The document discusses various topics related to implementing authentication and authorization in LoopBack applications. It covers setting up SSL, configuring OAuth2, adding third-party login support using Passport strategies, defining roles and ACLs, and deploying LoopBack apps for microservices and hyper-scale.

Software
Related topics:
Node.js Development
1 of 29
Downloaded 103 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Shubhra Kar | Products & Education twitter:@shubhrakar {“Node.js”: “APIs @hyperscale”}
SSL – Setup in Loopback.io $ openssl genrsa -out privatekey.pem 1024 $ openssl req -new -key privatekey.pem -out certrequest.csr $ openssl x509 -req -in certrequest.csr -signkey privatekey.pem -out certificate.pem var path = require('path'), fs = require("fs"); exports.privateKey = fs.readFileSync(path.join(__dirname, './private/privatekey.pem')).toString(); exports.certificate = fs.readFileSync(path.join(__dirname, './private/certificate.pem')).toString();
SSL – App Usage in Loopback.io var https = require('https'); var sslConfig = require('./ssl-config'); ... var options = { key: sslConfig.privateKey, cert: sslConfig.certificate }; … server.listen(app.get('port'), function() { var baseUrl = (httpOnly? 'http://' : 'https://') + app.get('host') + ':' + app.get('port'); app.emit('started', baseUrl); console.log('LoopBack server listening @ %s%s', baseUrl, '/'); }); return server;
ACL in Loopback.io READ: exists - Boolean method that determines whether a user exists. findById - Find a user by ID. find - Find all users that match specified conditions. findOne - Finds a single user instance that matches specified conditions. count - Returns the number of users that match the specified conditions. WRITE: create - create a new user. updateAttributes (update) - update a user record. upsert (update or insert) - update or insert a new user record. destroyById (equivalent to removeById or deleteById) - delete the user with the specified ID. For other methods, the default access type is EXECUTE; for example, a custom method maps to the EXECUTE access type.
Full Stack (MEAN App Angular frontend)
Full Stack (Loopback backend API)
Full Stack (Loopback backend API Authorization)
Static Roles in Loopback.io User.create([ {username: 'John', email: 'john@doe.com', password: 'opensesame'}, {username: 'Jane', email: 'jane@doe.com', password: 'opensesame'}, {username: 'Bob', email: 'bob@projects.com', password: 'opensesame'} ], function(err, users) { if (err) return cb(err); //create the admin role Role.create({ name: 'admin' }, function(err, role) { if (err) cb(err); //make bob an admin role.principals.create({ principalType: RoleMapping.USER, principalId: users[2].id }, function(err, principal) { cb(err); }); }); });
Mapping Roles to ACLs { "accessType": "EXECUTE", "principalType": "ROLE", "principalId": "admin", "permission": "ALLOW", "property": "find" }
Built in dynamic roles in Loopback.io
Built in dynamic roles in Loopback.io module.exports = function(app) { var Role = app.models.Role; Role.registerResolver('teamMember', function(role, context, cb) { function reject(err) { if(err) { return cb(err); } cb(null, false); } if (context.modelName !== 'project') { // the target model is not project return reject(); } var userId = context.accessToken.userId; if (!userId) { return reject(); // do not allow anonymous users }
Built in dynamic roles in Loopback.io // check if userId is in team table for the given project id context.model.findById(context.modelId, function(err, project) { if(err || !project) { reject(err); } var Team = app.models.Team; Team.count({ ownerId: project.ownerId, memberId: userId }, function(err, count) { if (err) { return reject(err); } cb(null, count > 0); // true = is a team member }); }); }); };
Mapping Dynamic Role to ACLs. { "accessType": "READ", "principalType": "ROLE", "principalId": "teamMember", "permission": "ALLOW", "property": "findById" }
OAuth2.0 and JWT in Loopback.io
Setup – OAuth 2.0 in Loopback.io npm install loopback-component-oauth2
Configuration – OAuth2.0 in Loopback.io var oauth2 = require('loopback-component-oauth2'); var options = { dataSource: app.dataSources.db, // Data source for oAuth2 metadata persistence loginPage: '/login', // The login page URL loginPath: '/login' // The login form processing URL }; oauth2.oAuth2Provider( app, // The app instance options // The options ); oauth2.authenticate(['/protected', '/api', '/me'], {session: false, scope: 'email'})
Authenticating and Securing Node.js APIs
3rd Party Logins using Passport strategies
Setup of passport component in Loopback.io npm install loopback-component-passport
Config – Facebook Authentication in Loopback.io { "facebook-login": { "provider": "facebook", "module": "passport-facebook", "clientID": "{facebook-client-id-1}", "clientSecret": "{facebook-client-secret-1}", "callbackURL": "http://localhost:3000/auth/facebook /callback", "authPath": "/auth/facebook", "callbackPath": "/auth/facebook/callback", "successRedirect": "/auth/account", "scope": ["email"] }
Config – Google Authentication in Loopback.io { "google-link": { "provider": "google", "module": "passport-google-oauth", "strategy": "OAuth2Strategy", "clientID": "{google-client-id-2}", "clientSecret": "{google-client-secret-2}", "callbackURL": "http://localhost:3000/link/google/ callback", "authPath": "/link/google", "callbackPath": "/link/google/callback", "successRedirect": "/link/account", "scope": ["email", "profile"], "link": true }
Config – MS AD Authentication in Loopback.io { "ms-ad": { "provider": "ms-ad", "authScheme":"ldap", "module": "passport-ldapauth", "authPath": "/auth/msad", "successRedirect": "/auth/account", "failureRedirect": "/msad", "failureFlash": true, "session": true, "LdapAttributeForLogin": "mail", "LdapAttributeForUsername": "mail", "LdapAttributeForMail": "mail", "server":{ "url": "ldap://ldap.example.org:389/dc=example,dc=org", "bindDn": "bindUsername", "bindCredentials": "bindPassword", "searchBase": "ou=people,dc=example,dc=org", "searchAttributes": ["cn", "mail", "uid", "givenname"], "searchFilter": "(&(objectcategory=person)(objectclass=user)(|(s amaccountname={{username}})(mail={{username}})))" } }
Application Level passport configurator in Loopback // Create an instance of PassportConfigurator with the app instance var PassportConfigurator = require('loopback-component- passport').PassportConfigurator; var passportConfigurator = new PassportConfigurator(app); app.boot(__dirname); ... // Enable http session app.use(loopback.session({ secret: 'keyboard cat' })); // Load the provider configurations var config = {}; try { config = require('./providers.json'); } catch(err) { console.error('Please configure your passport strategy in `providers.json`.'); console.error('Copy `providers.json.template` to `providers.json` and replace the clientID/clientSecret values with your own.'); process.exit(1); }
Application Level using Passport configurator // Initialize passport passportConfigurator.init(); // Set up related models passportConfigurator.setupModels({ userModel: app.models.user, userIdentityModel: app.models.userIdentity, userCredentialModel: app.models.userCredential }); // Configure passport strategies for third party auth providers for(var s in config) { var c = config[s]; c.session = c.session !== false; passportConfigurator.configureProvider(s, c); }
Synchronous API “Re-Composition” is an anti-pattern
Security & Social Logins Loopback async API Gateway*
Authenticating and Securing Node.js APIs
Micro services scaling
Hyper-scale & Micro-services Deployment

More Related Content

PDF
StrongLoop Node.js API Security & Customization
jguerrero999
 
PDF
Loopback presentation by tineco
Stéphane Guilly
 
PPTX
Working with LoopBack Models
Raymond Feng
 
PDF
Picking the Right Node.js Framework for Your Use Case
Jimmy Guerrero
 
ODP
Codegnitorppt
sreedath c g
 
KEY
An Introduction to webOS
Kevin Decker
 
PDF
Microservices with Spring Boot
Joshua Long
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
StrongLoop Node.js API Security & Customization
jguerrero999
 
Loopback presentation by tineco
Stéphane Guilly
 
Working with LoopBack Models
Raymond Feng
 
Picking the Right Node.js Framework for Your Use Case
Jimmy Guerrero
 
Codegnitorppt
sreedath c g
 
An Introduction to webOS
Kevin Decker
 
Microservices with Spring Boot
Joshua Long
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 

What's hot (20)

PDF
Modular Test-driven SPAs with Spring and AngularJS
Gunnar Hillert
 
PDF
Serverless - Developers.IO 2019
Shuji Watanabe
 
PPTX
Apex & jQuery Mobile
Christian Rokitta
 
PDF
Spout
Richard McIntyre
 
PDF
Do you want a SDK with that API? (Nordic APIS April 2014)
Nordic APIs
 
PDF
Building Progressive Web Apps for Android and iOS
FITC
 
PDF
Angular vs React for Web Application Development
FITC
 
PDF
Local Authentication par Pierre-Alban Toth
CocoaHeads France
 
PPTX
Javascript first-class citizenery
toddbr
 
PDF
Progressive Web Apps
FITC
 
PPT
You Know WebOS
360|Conferences
 
PDF
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
Caldera Labs
 
KEY
【前端Mvc】之豆瓣说实践
taobao.com
 
PDF
Angular JS blog tutorial
Claude Tech
 
PDF
Google Cloud Endpointsによる API構築
Keiji Ariyama
 
PDF
Chrome enchanted 2015
Chang W. Doh
 
PDF
Instant and offline apps with Service Worker
Chang W. Doh
 
KEY
Mobile HTML, CSS, and JavaScript
franksvalli
 
PPT
Managing JavaScript Dependencies With RequireJS
Den Odell
 
PPTX
Plugins unplugged
Christian Rokitta
 
Modular Test-driven SPAs with Spring and AngularJS
Gunnar Hillert
 
Serverless - Developers.IO 2019
Shuji Watanabe
 
Apex & jQuery Mobile
Christian Rokitta
 
Spout
Richard McIntyre
 
Do you want a SDK with that API? (Nordic APIS April 2014)
Nordic APIs
 
Building Progressive Web Apps for Android and iOS
FITC
 
Angular vs React for Web Application Development
FITC
 
Local Authentication par Pierre-Alban Toth
CocoaHeads France
 
Javascript first-class citizenery
toddbr
 
Progressive Web Apps
FITC
 
You Know WebOS
360|Conferences
 
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
Caldera Labs
 
【前端Mvc】之豆瓣说实践
taobao.com
 
Angular JS blog tutorial
Claude Tech
 
Google Cloud Endpointsによる API構築
Keiji Ariyama
 
Chrome enchanted 2015
Chang W. Doh
 
Instant and offline apps with Service Worker
Chang W. Doh
 
Mobile HTML, CSS, and JavaScript
franksvalli
 
Managing JavaScript Dependencies With RequireJS
Den Odell
 
Plugins unplugged
Christian Rokitta
 
Ad

Viewers also liked (10)

PPTX
Building a Node.js API backend with LoopBack in 5 Minutes
Raymond Feng
 
PDF
Gotta Persist 'Em All: Realm as Replacement for SQLite
Siena Aguayo
 
PDF
Rapid API Development with LoopBack/StrongLoop
Raymond Camden
 
PPTX
Loopback
NetProtocol Xpert
 
PDF
LoopBack: a productivity booster for MEAN
Miroslav Bajtoš
 
PDF
Node.js Frameworks & Design Patterns Webinar
Shubhra Kar
 
PDF
Toronto node js_meetup
Shubhra Kar
 
PDF
2015 Upload Campaigns Calendar - SlideShare
SlideShare
 
PPTX
What to Upload to SlideShare
SlideShare
 
PDF
Getting Started With SlideShare
SlideShare
 
Building a Node.js API backend with LoopBack in 5 Minutes
Raymond Feng
 
Gotta Persist 'Em All: Realm as Replacement for SQLite
Siena Aguayo
 
Rapid API Development with LoopBack/StrongLoop
Raymond Camden
 
Loopback
NetProtocol Xpert
 
LoopBack: a productivity booster for MEAN
Miroslav Bajtoš
 
Node.js Frameworks & Design Patterns Webinar
Shubhra Kar
 
Toronto node js_meetup
Shubhra Kar
 
2015 Upload Campaigns Calendar - SlideShare
SlideShare
 
What to Upload to SlideShare
SlideShare
 
Getting Started With SlideShare
SlideShare
 
Ad

Similar to Authenticating and Securing Node.js APIs (20)

PDF
前端MVC 豆瓣说
Ting Lv
 
PPTX
Angular Workshop_Sarajevo2
Christoffer Noring
 
PDF
Mashing up JavaScript
Bastian Hofmann
 
PDF
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Bastian Hofmann
 
PDF
How to build an AngularJS backend-ready app WITHOUT BACKEND
Enrique Oriol Bermúdez
 
PDF
Building Persona: federated and privacy-sensitive identity for the Web (Open ...
Francois Marier
 
PDF
Passwords suck, but centralized proprietary services are not the answer
Francois Marier
 
PDF
Building Persona: federated and privacy-sensitive identity for the Web (LCA 2...
Francois Marier
 
PDF
Doctrine For Beginners
Jonathan Wage
 
PDF
Virtual Madness @ Etsy
Nishan Subedi
 
PDF
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
PDF
node.js practical guide to serverside javascript
Eldar Djafarov
 
PPTX
What mom never told you about bundle configurations - Symfony Live Paris 2012
D
 
PDF
Persona: in your browsers, killing your passwords
Francois Marier
 
PDF
KISS: Keep It Simple Security - Oleg Zinchenko - Symfony Cafe Kyiv
Grossum Software Outsourcing
 
PDF
Keep It Simple Security (Symfony cafe 28-01-2016)
Oleg Zinchenko
 
PDF
KISS: Keep It Simple Security - Oleg Zinchenko - Symfony Cafe Kyiv
Grossum
 
PDF
The Web beyond "usernames & passwords" (OSDC12)
Francois Marier
 
PPTX
Express JS
Alok Guha
 
PDF
Bonnes pratiques de développement avec Node js
Francois Zaninotto
 
前端MVC 豆瓣说
Ting Lv
 
Angular Workshop_Sarajevo2
Christoffer Noring
 
Mashing up JavaScript
Bastian Hofmann
 
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Bastian Hofmann
 
How to build an AngularJS backend-ready app WITHOUT BACKEND
Enrique Oriol Bermúdez
 
Building Persona: federated and privacy-sensitive identity for the Web (Open ...
Francois Marier
 
Passwords suck, but centralized proprietary services are not the answer
Francois Marier
 
Building Persona: federated and privacy-sensitive identity for the Web (LCA 2...
Francois Marier
 
Doctrine For Beginners
Jonathan Wage
 
Virtual Madness @ Etsy
Nishan Subedi
 
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
node.js practical guide to serverside javascript
Eldar Djafarov
 
What mom never told you about bundle configurations - Symfony Live Paris 2012
D
 
Persona: in your browsers, killing your passwords
Francois Marier
 
KISS: Keep It Simple Security - Oleg Zinchenko - Symfony Cafe Kyiv
Grossum Software Outsourcing
 
Keep It Simple Security (Symfony cafe 28-01-2016)
Oleg Zinchenko
 
KISS: Keep It Simple Security - Oleg Zinchenko - Symfony Cafe Kyiv
Grossum
 
The Web beyond "usernames & passwords" (OSDC12)
Francois Marier
 
Express JS
Alok Guha
 
Bonnes pratiques de développement avec Node js
Francois Zaninotto
 

Recently uploaded (20)

PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Introduction Database Management System for Course Database
ReinertYosua
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Introduction to Artificial Intelligence
lohedi9363
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
System and Network Administraation Chapter 3
jaramharo
 

Authenticating and Securing Node.js APIs

  • 1. Shubhra Kar | Products & Education twitter:@shubhrakar {“Node.js”: “APIs @hyperscale”}
  • 2. SSL – Setup in Loopback.io $ openssl genrsa -out privatekey.pem 1024 $ openssl req -new -key privatekey.pem -out certrequest.csr $ openssl x509 -req -in certrequest.csr -signkey privatekey.pem -out certificate.pem var path = require('path'), fs = require("fs"); exports.privateKey = fs.readFileSync(path.join(__dirname, './private/privatekey.pem')).toString(); exports.certificate = fs.readFileSync(path.join(__dirname, './private/certificate.pem')).toString();
  • 3. SSL – App Usage in Loopback.io var https = require('https'); var sslConfig = require('./ssl-config'); ... var options = { key: sslConfig.privateKey, cert: sslConfig.certificate }; … server.listen(app.get('port'), function() { var baseUrl = (httpOnly? 'http://' : 'https://') + app.get('host') + ':' + app.get('port'); app.emit('started', baseUrl); console.log('LoopBack server listening @ %s%s', baseUrl, '/'); }); return server;
  • 4. ACL in Loopback.io READ: exists - Boolean method that determines whether a user exists. findById - Find a user by ID. find - Find all users that match specified conditions. findOne - Finds a single user instance that matches specified conditions. count - Returns the number of users that match the specified conditions. WRITE: create - create a new user. updateAttributes (update) - update a user record. upsert (update or insert) - update or insert a new user record. destroyById (equivalent to removeById or deleteById) - delete the user with the specified ID. For other methods, the default access type is EXECUTE; for example, a custom method maps to the EXECUTE access type.
  • 5. Full Stack (MEAN App Angular frontend)
  • 6. Full Stack (Loopback backend API)
  • 7. Full Stack (Loopback backend API Authorization)
  • 8. Static Roles in Loopback.io User.create([ {username: 'John', email: 'john@doe.com', password: 'opensesame'}, {username: 'Jane', email: 'jane@doe.com', password: 'opensesame'}, {username: 'Bob', email: 'bob@projects.com', password: 'opensesame'} ], function(err, users) { if (err) return cb(err); //create the admin role Role.create({ name: 'admin' }, function(err, role) { if (err) cb(err); //make bob an admin role.principals.create({ principalType: RoleMapping.USER, principalId: users[2].id }, function(err, principal) { cb(err); }); }); });
  • 9. Mapping Roles to ACLs { "accessType": "EXECUTE", "principalType": "ROLE", "principalId": "admin", "permission": "ALLOW", "property": "find" }
  • 10. Built in dynamic roles in Loopback.io
  • 11. Built in dynamic roles in Loopback.io module.exports = function(app) { var Role = app.models.Role; Role.registerResolver('teamMember', function(role, context, cb) { function reject(err) { if(err) { return cb(err); } cb(null, false); } if (context.modelName !== 'project') { // the target model is not project return reject(); } var userId = context.accessToken.userId; if (!userId) { return reject(); // do not allow anonymous users }
  • 12. Built in dynamic roles in Loopback.io // check if userId is in team table for the given project id context.model.findById(context.modelId, function(err, project) { if(err || !project) { reject(err); } var Team = app.models.Team; Team.count({ ownerId: project.ownerId, memberId: userId }, function(err, count) { if (err) { return reject(err); } cb(null, count > 0); // true = is a team member }); }); }); };
  • 13. Mapping Dynamic Role to ACLs. { "accessType": "READ", "principalType": "ROLE", "principalId": "teamMember", "permission": "ALLOW", "property": "findById" }
  • 14. OAuth2.0 and JWT in Loopback.io
  • 15. Setup – OAuth 2.0 in Loopback.io npm install loopback-component-oauth2
  • 16. Configuration – OAuth2.0 in Loopback.io var oauth2 = require('loopback-component-oauth2'); var options = { dataSource: app.dataSources.db, // Data source for oAuth2 metadata persistence loginPage: '/login', // The login page URL loginPath: '/login' // The login form processing URL }; oauth2.oAuth2Provider( app, // The app instance options // The options ); oauth2.authenticate(['/protected', '/api', '/me'], {session: false, scope: 'email'})
  • 18. 3rd Party Logins using Passport strategies
  • 19. Setup of passport component in Loopback.io npm install loopback-component-passport
  • 20. Config – Facebook Authentication in Loopback.io { "facebook-login": { "provider": "facebook", "module": "passport-facebook", "clientID": "{facebook-client-id-1}", "clientSecret": "{facebook-client-secret-1}", "callbackURL": "http://localhost:3000/auth/facebook /callback", "authPath": "/auth/facebook", "callbackPath": "/auth/facebook/callback", "successRedirect": "/auth/account", "scope": ["email"] }
  • 21. Config – Google Authentication in Loopback.io { "google-link": { "provider": "google", "module": "passport-google-oauth", "strategy": "OAuth2Strategy", "clientID": "{google-client-id-2}", "clientSecret": "{google-client-secret-2}", "callbackURL": "http://localhost:3000/link/google/ callback", "authPath": "/link/google", "callbackPath": "/link/google/callback", "successRedirect": "/link/account", "scope": ["email", "profile"], "link": true }
  • 22. Config – MS AD Authentication in Loopback.io { "ms-ad": { "provider": "ms-ad", "authScheme":"ldap", "module": "passport-ldapauth", "authPath": "/auth/msad", "successRedirect": "/auth/account", "failureRedirect": "/msad", "failureFlash": true, "session": true, "LdapAttributeForLogin": "mail", "LdapAttributeForUsername": "mail", "LdapAttributeForMail": "mail", "server":{ "url": "ldap://ldap.example.org:389/dc=example,dc=org", "bindDn": "bindUsername", "bindCredentials": "bindPassword", "searchBase": "ou=people,dc=example,dc=org", "searchAttributes": ["cn", "mail", "uid", "givenname"], "searchFilter": "(&(objectcategory=person)(objectclass=user)(|(s amaccountname={{username}})(mail={{username}})))" } }
  • 23. Application Level passport configurator in Loopback // Create an instance of PassportConfigurator with the app instance var PassportConfigurator = require('loopback-component- passport').PassportConfigurator; var passportConfigurator = new PassportConfigurator(app); app.boot(__dirname); ... // Enable http session app.use(loopback.session({ secret: 'keyboard cat' })); // Load the provider configurations var config = {}; try { config = require('./providers.json'); } catch(err) { console.error('Please configure your passport strategy in `providers.json`.'); console.error('Copy `providers.json.template` to `providers.json` and replace the clientID/clientSecret values with your own.'); process.exit(1); }
  • 24. Application Level using Passport configurator // Initialize passport passportConfigurator.init(); // Set up related models passportConfigurator.setupModels({ userModel: app.models.user, userIdentityModel: app.models.userIdentity, userCredentialModel: app.models.userCredential }); // Configure passport strategies for third party auth providers for(var s in config) { var c = config[s]; c.session = c.session !== false; passportConfigurator.configureProvider(s, c); }
  • 26. Security & Social Logins Loopback async API Gateway*