Skip to main content

The OAuth2 auth provider

This component contains an out of the box OAuth2 implementation.

To use this project, add the following dependency to the dependencies section of your build descriptor:

  • Maven (in your pom.xml):

<dependency>
  <groupId>io.vertx</groupId>
  <artifactId>vertx-auth-oauth2</artifactId>
  <version>3.4.1</version>
</dependency>
  • Gradle (in your build.gradle file):

compile 'io.vertx:vertx-auth-oauth2:3.4.1'

OAuth2 lets users grant the access to the desired resources to third party applications, giving them the possibility to enable and disable those accesses whenever they want.

Vert.x OAuth2 supports the following flows.

  • Authorization Code Flow (for apps with servers that can store persistent information).

  • Password Credentials Flow (when previous flow can’t be used or during development).

  • Client Credentials Flow (the client can request an access token using only its client credentials)

Authorization Code Flow

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. As a redirection-based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.

For more details see Oauth2 specification, section 4.1.

Password Credentials Flow

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type, and only allow it when other flows are not viable.

The grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

For more details see Oauth2 specification, section 4.3.

Client Credentials Flow

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

The client credentials grant type MUST only be used by confidential clients.

For more details see Oauth2 specification, section 4.4.

Extensions

The provider supports RFC7523 an extension to allow server to server authorization based on JWT.

Getting Started

An example on how to use this provider and authenticate with GitHub can be implemented as:

var OAuth2Auth = require("vertx-auth-oauth2-js/o_auth2_auth");

var oauth2 = OAuth2Auth.create(vertx, 'AUTH_CODE', {
  "clientID" : "YOUR_CLIENT_ID",
  "clientSecret" : "YOUR_CLIENT_SECRET",
  "site" : "https://github.com/login",
  "tokenPath" : "/oauth/access_token",
  "authorizationPath" : "/oauth/authorize"
});

// when there is a need to access a protected resource or call a protected method,
// call the authZ url for a challenge

var authorization_uri = oauth2.authorizeURL({
  "redirect_uri" : "http://localhost:8080/callback",
  "scope" : "notifications",
  "state" : "3(#0/!~"
});

// when working with web application use the above string as a redirect url

// in this case GitHub will call you back in the callback uri one should now complete the handshake as:


var code = "xxxxxxxxxxxxxxxxxxxxxxxx";

oauth2.getToken({
  "code" : code,
  "redirect_uri" : "http://localhost:8080/callback"
}, function (res, res_err) {
  if (res_err != null) {
    // error, the code provided is not valid
  } else {
    // save the token and continue...
  }
});

Authorization Code flow

The Authorization Code flow is made up from two parts. At first your application asks to the user the permission to access their data. If the user approves the OAuth2 server sends to the client an authorization code. In the second part, the client POST the authorization code along with its client secret to the authority server in order to get the access token.

var OAuth2Auth = require("vertx-auth-oauth2-js/o_auth2_auth");

// Set the client credentials and the OAuth2 server
var credentials = {
  "clientID" : "<client-id>",
  "clientSecret" : "<client-secret>",
  "site" : "https://api.oauth.com"
};


// Initialize the OAuth2 Library
var oauth2 = OAuth2Auth.create(vertx, 'AUTH_CODE', credentials);

// Authorization oauth2 URI
var authorization_uri = oauth2.authorizeURL({
  "redirect_uri" : "http://localhost:8080/callback",
  "scope" : "<scope>",
  "state" : "<state>"
});

// Redirect example using Vert.x
response.putHeader("Location", authorization_uri).setStatusCode(302).end();

var tokenConfig = {
  "code" : "<code>",
  "redirect_uri" : "http://localhost:3000/callback"
};

// Callbacks
// Save the access token
oauth2.getToken(tokenConfig, function (res, res_err) {
  if (res_err != null) {
    console.error("Access Token Error: " + res_err.getMessage());
  } else {
    // Get the access token object (the authorization code is given from the previous step).
    var token = res;
  }
});

Password Credentials Flow

This flow is suitable when the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application. Use this flow only when other flows are not viable or when you need a fast way to test your application.

var OAuth2Auth = require("vertx-auth-oauth2-js/o_auth2_auth");

// Initialize the OAuth2 Library
var oauth2 = OAuth2Auth.create(vertx, 'PASSWORD');

var tokenConfig = {
  "username" : "username",
  "password" : "password"
};

// Callbacks
// Save the access token
oauth2.getToken(tokenConfig, function (res, res_err) {
  if (res_err != null) {
    console.error("Access Token Error: " + res_err.getMessage());
  } else {
    // Get the access token object (the authorization code is given from the previous step).
    var token = res;

    oauth2.api('GET', "/users", {
      "access_token" : token.principal().access_token
    }, function (res2, res2_err) {
      // the user object should be returned here...
    });
  }
});

Client Credentials Flow

This flow is suitable when client is requesting access to the protected resources under its control.

var OAuth2Auth = require("vertx-auth-oauth2-js/o_auth2_auth");

// Set the client credentials and the OAuth2 server
var credentials = {
  "clientID" : "<client-id>",
  "clientSecret" : "<client-secret>",
  "site" : "https://api.oauth.com"
};


// Initialize the OAuth2 Library
var oauth2 = OAuth2Auth.create(vertx, 'CLIENT', credentials);

var tokenConfig = {
};

// Callbacks
// Save the access token
oauth2.getToken(tokenConfig, function (res, res_err) {
  if (res_err != null) {
    console.error("Access Token Error: " + res_err.getMessage());
  } else {
    // Get the access token object (the authorization code is given from the previous step).
    var token = res;
  }
});

AccessToken object

When a token expires we need to refresh it. OAuth2 offers the AccessToken class that add a couple of useful methods to refresh the access token when it is expired.

// Check if the token is expired. If expired it is refreshed.
if (token.expired()) {
  // Callbacks
  token.refresh(function (res, res_err) {
    if (res_err == null) {
      // success
    } else {
      // error handling...
    }
  });
}

When you’ve done with the token or you want to log out, you can revoke the access token and refresh token.

// Revoke only the access token
token.revoke("access_token", function (res, res_err) {
  // Session ended. But the refresh_token is still valid.

  // Revoke the refresh_token
  token.revoke("refresh_token", function (res1, res1_err) {
    console.log("token revoked.");
  });
});

Example configuration for common OAuth2 providers

For convenience there are several helpers to assist your with your configuration. Currently we provide:

JBoss Keycloak

When using this Keycloak the provider has knowledge on how to parse access tokens and extract grants from inside. This information is quite valuable since it allows to do authorization at the API level, for example:

var KeycloakAuth = require("vertx-auth-oauth2-js/keycloak_auth");
// you would get this config from the keycloak admin console
var keycloakJson = {
  "realm" : "master",
  "realm-public-key" : "MIIBIjANBgkqhk...wIDAQAB",
  "auth-server-url" : "http://localhost:9000/auth",
  "ssl-required" : "external",
  "resource" : "frontend",
  "credentials" : {
    "secret" : "2fbf5e18-b923-4a83-9657-b4ebd5317f60"
  }
};

// Initialize the OAuth2 Library
var oauth2 = KeycloakAuth.create(vertx, 'PASSWORD', keycloakJson);

// first get a token (authenticate)
oauth2.getToken({
  "username" : "user",
  "password" : "secret"
}, function (res, res_err) {
  if (res_err != null) {
    // error handling...
  } else {
    var token = res;

    // now check for permissions
    token.isAuthorised("account:manage-account", function (r, r_err) {
      if (r) {
        // this user is authorized to manage its account
      }
    });
  }
});

We also provide a helper class for Keycloak so that we can we can easily retrieve decoded token and some necessary data (e.g. preferred_username) from the Keycloak principal. For example:

var KeycloakHelper = require("vertx-auth-oauth2-js/keycloak_helper");
// you can get the decoded `id_token` from the Keycloak principal
var idToken = KeycloakHelper.idToken(principal);

// you can also retrieve some properties directly from the Keycloak principal
// e.g. `preferred_username`
var username = KeycloakHelper.preferredUsername(principal);

Google Server to Server

The provider also supports Server to Server or the RFC7523 extension. This is a feature present on Google with their service account.

Token Introspection

Tokens can be introspected in order to assert that they are still valid. Although there is RFC7660 for this purpose not many providers implement it. Instead there are variations also known as TokenInfo end points. The OAuth2 provider will accept both end points as a configuration. Currently we are known to work with Google and Keycloak.

Token introspection assumes that tokens are opaque, so they need to be validated on the provider server. Every time a token is validated it requires a round trip to the provider. Introspection can be performed at the OAuth2 level or at the User level:

// OAuth2Auth level
oauth2.introspectToken("opaque string", function (res, res_err) {
  if (res_err == null) {
    // token is valid!
    var accessToken = res;
  }
});

// User level
token.introspect(function (res, res_err) {
  if (res_err == null) {
    // Token is valid!
  }
});

Verifying JWT tokens

We’ve just covered how to introspect a token however when dealing with JWT tokens one can reduce the amount of trips to the provider server thus enhancing your overall response times. In this case tokens will be verified using the JWT protocol at your application side only. Verifying JWT tokens is cheaper and offers better performance, however due to the stateless nature of JWTs it is not possible to know if a user is logged out and a token is invalid. For this specific case one needs to use the token introspection if the provider supports it.

// OAuth2Auth level
oauth2.decodeToken("jwt-token", function (res, res_err) {
  if (res_err == null) {
    // token is valid!
    var accessToken = res;
  }
});