Skip to content

Latest commit

 

History

History
130 lines (92 loc) · 3.59 KB

README.md

File metadata and controls

130 lines (92 loc) · 3.59 KB

oAuth2 Authentication Proxy for JavaScript SPA Applications

Deploy an oAuth2 authentication proxy for your JavaScript SPA applications. This app allows you to protect your client_id and client_secret and maintain a csrf protected session using cookies.

NB: This application is built using Slim Framework and tested using an oAuth2 implementation for Laravel Passport

If you have any ideas, concerns e.t.c please open a pull request. Contribution is highly encouraged.

Deploying with Nginx

NB: This application must be deployed in the same domain name as your SPA application in order to bypass CORS (This is for security measures - if you have to enable CORS then this might not be the correct solution for you)

NB: It's highly recommended you run this proxy app under HTTPS

Deploy the App

Clone the App to your server (If you have to do modifications to the code then fork it from the repo) If you endup adding nice goodies then please share by opening a pull request.

git clone https://github.com/evansmwendwa/oauth2-proxy.git

Install Dependencies using Composer

cd oauth2-proxy
composer install

Generate .env file

cp .env.dist .env

Update your .env file to include your client_id and client_secret see .env.dist for required settings. You can also put them in your servers environment variables but still have an empty .env file if you go that route.

Update your Nginx conf

NB: Optimize your nginx conf to your preferences. The only requirement here is for both your SPA app and the proxy app to run in the same domain name. It's recommended to have both under HTTPS for obvious reasons.

server {

    # ....
    root /static/files/build
    try_files $uri /index.html?$query_string;

    location /proxy {
        alias /proxy/app/public;
        try_files $uri $uri/ $uri/index.php?$args;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
    }
}

Localhost testing

You can run the proxy using php cli server for testing which will run the app in http://localhost:9000 we have included a bash script to make this easy.

NB: running on a different port does not hinder CORS or cookie sharing

bash start.sh

Authentication Routes

Both routes are protected with a csrf token. The csrf token will be passed via a cookie XSRF-TOKEN the first time you make a request to /refresh. After that every concecutive request must provide the csrf token via an header X-XSRF-TOKEN. This is done in order to protect the csrf token from being passed to the proxy without a CORS request.

Invalid CSRF token response

"authenticated": false,
"token": {
  "error": "csrf_validation_failure",
  "message": "Missing or invalid csrf token"
}

Login (POST)

/login

Params

{
  "username": "username",
  "password": "password"
}

Response

{
  "authenticated": true,
  "token": "token"
}

Refresh (GET)

If any request to /refresh returns authenticated:false then redirect the user to /login so that they can authenticate the session using a username and password

/refresh

Authenticated Response

All Authenticated responses from either /login or /refresh will return the following type of response.

{
    "authenticated": true,
    "token": {
        "token_type": "Bearer",
        "expires_in": 18000,
        "access_token": "eyJ0eXAiOiJKV1Qi3QLaifYLsJrtlSQz1JFoGhnOKSoSLJ7ji-tZnFWYsNvdBXS_5lN_sWrAQsOZHdvui7Q918V-GAr7Ele7M"
    }
}