Light Authentication with Node.js, Express and an External Authentication Provider

How many times have you been asked to ‘create a tool’ or to ‘automate a process’? Probably many. And of those times, how did you manage authentication? This guide can help you add authentication to your application with little effort.

Motivation

When developing an internal tool, you usually have three options:

  1. Your app runs without any user authentication phase.
  2. Your ecosystem already has an authentication ‘micro-service’ that provides everything you need.
  3. You create a light authentication proxy in front of an external authentication provider such as Atlassian Crowd, which can act as the user directory for Jira and supports SSO for multiple applications within a single domain. (Yay, who doesn’t have a Jira account these days?)

Even for internal tools, you still want to follow standard, secure authentication practices: managing permissions and access control, users’ views and groups, and making sure every API call is authenticated.

You guessed right: we will discuss option number 3!

Creating a light authentication service with Node.js and an external authentication provider lets you avoid any storage/DB component of your own: you do not need to implement group and permission logic, token issuance and the other “boring” security features yourself.

Using an external authentication provider such as the Atlassian Crowd REST API also gives you a visual portal where you can manage users, groups and permissions easily, and even import existing Jira accounts and groups from other applications.

The only downside I found is that you depend on a third-party provider. It also sits on the hot path: since every proxied request is validated against it, its availability and latency become your application’s. Still, the trade-off is pretty clear when you consider how common such a provider already is and all the free features you get with it.

Architecture

High Level Architecture

We have four players in the game:

  • Frontend: all UI components, the user’s perspective.
  • Backend Server: serves the business-logic calls.
  • Web Server: middle layer acting as a proxy, communicating with all the other components.
  • Authentication Provider: external provider such as the Atlassian Crowd REST API.

The purpose of the system is to provide a single source of truth for authentication, consumed only by the web server middleware. This only works if the Backend server is reachable exclusively through the Web server (network policy or a shared secret between the two); a backend that also accepts direct calls bypasses the check entirely.

All requests go from the Frontend to the /proxy router, and /proxy/* requests are dispatched according to the requested path. The proxy router takes a request, authenticates it against the authentication provider, forwards it to the Backend server and returns the response to the Frontend.

Sequence Diagrams

Login

A new user opens the login page and enters a username and password. The API request is sent to the web server, which creates a session with the provided credentials. The authentication provider responds with a session object that contains the user token. The web server sends the encrypted token to the FE, which saves it in localStorage. Keep in mind that anything in localStorage is readable by every script running on the page, so an XSS bug in the frontend exposes the token; an HttpOnly cookie scoped to the web server is the usual alternative.

For a returning user on the login page, the FE sends an authentication request with the saved token and redirects to the application once the token is validated.

Authentication Failed

All REST requests are sent to the web server with the user token. The web server sends an authentication request with the token; if it fails, it returns an error response to the FE, which redirects to the login page and clears its localStorage.

Authentication Succeeded

When the web server receives a validated-token response, it forwards the original request according to the requested path and payload.
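The frontend half of the three flows above (login, failed authentication, successful authentication), as an added example that is not code from the article or its author. Browser globals (fetch, localStorage) and the redirect are injected so the same code can be exercised in Node; in a real page you would pass window.fetch, window.localStorage and a function that navigates to the login page. The storage key, the Bearer header and the /proxy/api/login path are assumptions, and the fake server and storage at the bottom are constructed test doubles.

```javascript
// Added example (not the article's code). Assumptions: token stored under TOKEN_KEY,
// sent as "Authorization: Bearer <token>", login endpoint at POST /proxy/api/login.
const TOKEN_KEY = 'authToken';

function createAuthClient({ fetchImpl, storage, onUnauthenticated, baseUrl = '' }) {
  // Login: exchange credentials for the token issued via the web server and keep it.
  async function login(username, password) {
    const res = await fetchImpl(baseUrl + '/proxy/api/login', {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username, password }),
    });
    if (res.status !== 200) return false;
    const { token } = await res.json();
    if (typeof token !== 'string' || token === '') return false;
    storage.setItem(TOKEN_KEY, token);
    return true;
  }

  // Every API call carries the saved token. A 401 means the web server could not validate
  // it against the provider, so the client forgets the token and returns to the login page.
  async function apiFetch(path, init = {}) {
    const token = storage.getItem(TOKEN_KEY);
    if (token === null) { onUnauthenticated(); return null; }
    const headers = { ...(init.headers || {}), authorization: 'Bearer ' + token };
    const res = await fetchImpl(baseUrl + '/proxy' + path, { ...init, headers });
    if (res.status === 401) {
      storage.removeItem(TOKEN_KEY);
      onUnauthenticated();
      return null;
    }
    return res;
  }

  return { login, apiFetch, hasSavedToken: () => storage.getItem(TOKEN_KEY) !== null };
}

// Constructed test double: a localStorage-shaped in-memory store.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed test double for the web server: accepts alice/s3cret, issues token "tok-1",
// and treats only that token as valid (anything else, e.g. a token revoked on the Crowd
// side, gets a 401).
function makeFakeFetch() {
  return async (url, init = {}) => {
    const json = (status, body) => ({ status, ok: status < 300, json: async () => body });
    if (url.endsWith('/proxy/api/login')) {
      const { username, password } = JSON.parse(init.body);
      return username === 'alice' && password === 's3cret'
        ? json(200, { token: 'tok-1' })
        : json(401, { error: 'authentication failed' });
    }
    const auth = (init.headers || {}).authorization;
    if (auth !== 'Bearer tok-1') return json(401, { error: 'authentication failed' });
    return json(200, { path: url });
  };
}
```

Because the storage is injected, the same client works unchanged with sessionStorage or a purely in-memory store if you later decide the token should not outlive the tab.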

Show me some code

Basic Node.js Express server with a proxy router.

The proxy router receives requests of all methods and handles them, except for /proxy/api requests, which are handled by a sub-router called login.

You will need to set up a Crowd server (follow Atlassian’s instructions) and configure it according to your application’s needs.

For the example above I used atlassian-crowd-client, a promise-based client library for communicating with an Atlassian Crowd server from Node, written in ES6. It only handles the responses and errors for me; you can talk directly to the Crowd REST APIs if you prefer.

Summary

This code is lightweight! You can easily create an authentication service for your internal tools and get free features that let you manage your application like a pro, and in a secure manner.

PM me for questions and the full code sample, and follow me on Twitter @DekelYarin.