[aerogear-dev] Node.js / Passport.js thoughts (was: Re: OAuth2, OpenID connect and AeroGear)

Brian Leathem bleathem at gmail.com
Thu Oct 30 14:43:12 EDT 2014


As a learning exercise I just wrote a MEAN application with both web and
mobile (cordova) front-ends.  The Node.js backend is using passport.js
to both authenticate against Google's OAuth2 and to secure the REST API
I implemented with Express.

I should be able to spare some cycles if you could use some extra hands
on this.

Brian

On 14-10-30 11:21 AM, Lucas Holmquist wrote:
>
>> On Oct 30, 2014, at 2:20 PM, Matthias Wessendorf <matzew at apache.org
>> <mailto:matzew at apache.org>> wrote:
>>
>>
>>
>> On Thu, Oct 30, 2014 at 7:13 PM, Lucas Holmquist <lholmqui at redhat.com
>> <mailto:lholmqui at redhat.com>> wrote:
>>
>>
>>>     On Oct 30, 2014, at 9:41 AM, Matthias Wessendorf
>>>     <matzew at apache.org <mailto:matzew at apache.org>> wrote:
>>>
>>>     Hello team!
>>>
>>>     On Thu, Oct 9, 2014 at 4:49 AM, Bruno
>>>     Oliveira <bruno at abstractj.org <mailto:bruno at abstractj.org>> wrote:
>>>     Note: Not only for Keycloak, but also compatible with other
>>>     technologies
>>>     like passport on Node.js. 
>>>
>>>     Great point on being compatible with passport.js! To ensure our
>>>     OAuth2 client SDKs do work against node.js (w/ passport.js), how
>>>     about we build a Node.js based version of our "Shoot-n-Share
>>>     backend" ([1]), that is protected by Passport.js?
>>
>>     So to clear up some confusion that might be happening with what
>>     passport is, it is not an OAuth2 server thing.
>>
>>     It’s really just middleware (think of it as a servlet filter for
>>     you java weenies) for express.js, and by using adapters (like a
>>     FB or google), it can secure RESTful endpoints in that express.js
>>     app.
>>
>>     I think the thing that we can do here is make a Keycloak adapter
>>     for passport, using the OAuth2 protocol (similar to passport's FB
>>     and google adapters);
>>
>>
>> +1 would be nice to get this in https://issues.jboss.org/browse/AGJS-252
>>
>> On short term, it would be possible to use their existing adapters
>> for FB/Google and protect the node.js backend with these adapters,
>> right ?
>
> i think we can do that
>
>>
>>
>> Sounds like the AGJS-252 is the ultimate solution we want, but I
>> think for a quick test/verification (or even example) of our
>> Android/iOS OAuth2 clients, using the FB/Google adapters from
>> passport.js would be a good first start ?
>>
>> -Matthias
>>>
>>>     It could be a (simple) 'clone' of our java version. I think
>>>     for Luke, our Node.js pro, it would be a fairly simple task :)
>>>
>>>     On the client side, the Android/iOS versions of Shoot-n-Share
>>>     would simply offer a new upload target for Passport.js, instead
>>>     of 'just' FB, Google-Drive and Keycloak.
>>>
>>>     That way we will also learn how much Passport.js is actually
>>>     different, similar to what we learned on how Google/FB are
>>>     different ;-)
>>>
>>>     Another interesting aspect of this is that, once we are ready to
>>>     release our OAuth2 SDKs, it would be awesome to actually ship a
>>>     node.js based demo as well, instead of just a Java-based backend
>>>     demo. That would clearly show, our client libs are working
>>>     across different backend technologies.
>>>
>>>     Any thoughts?
>>>
>>>     -Matthias
>>>
>>>
>>>     [1] https://github.com/aerogear/aerogear-backend-cookbook/tree/master/Shoot
>>>
>>>
>>>      
>>>
>>>         In the end, OAuth2 is just a protocol and
>>>         should support other servers.
>>>
>>>         - Should we provide examples for OpenID connect? Or
>>>         abstractions?
>>>
>>>         To track this issue, we have the following Jira[3] and
>>>         another for OpenID connect[4]. Feel free to link to your
>>>         respective project.
>>>
>>>
>>>         [1] -
>>>         http://transcripts.jboss.org/meeting/irc.freenode.org/aerogear/2014/aerogear.2014-10-08-14.00.html
>>>
>>>         [2] - https://gist.github.com/abstractj/04136c6df85cea5f35d1
>>>
>>>         [3] - https://issues.jboss.org/browse/AGSEC-180
>>>
>>>         [4] - https://issues.jboss.org/browse/AGSEC-190
>>>         --
>>>
>>>         abstractj
>>>         PGP: 0x84DC9914
>>>         _______________________________________________
>>>         aerogear-dev mailing list
>>>         aerogear-dev at lists.jboss.org
>>>         <mailto:aerogear-dev at lists.jboss.org>
>>>         https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>>
>>>
>>>     -- 
>>>     Matthias Wessendorf 
>>>
>>>     blog: http://matthiaswessendorf.wordpress.com/
>>>     sessions: http://www.slideshare.net/mwessendorf
>>>     twitter: http://twitter.com/mwessendorf
>>
>>
>>
>>
>>
>>
>> -- 
>> Matthias Wessendorf 
>>
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
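
The description quoted above of passport as middleware plus per-provider adapters, modelled without dependencies as an added example that is not from the thread or from passport.js itself. `Authenticator`, `bearerStrategy`, `requireScope`, `dispatch` and the token table are hypothetical names, and the table lookup stands in for asking the OAuth2 provider whether an access token is valid.

```javascript
// Dependency-free model of Express-style middleware with passport-style
// strategies. All names here are hypothetical, not passport.js's real API.
class Authenticator {
  constructor() { this.strategies = new Map(); }
  use(name, strategy) { this.strategies.set(name, strategy); return this; }
  // Builds the middleware that runs in front of a protected REST handler.
  authenticate(name) {
    return (req, res, next) => {
      const strategy = this.strategies.get(name);
      const user = strategy ? strategy(req) : null; // unknown strategy fails closed
      if (!user) {
        res.status = 401;
        res.headers['WWW-Authenticate'] = 'Bearer';
        return; // next() is never called, so the handler cannot run
      }
      req.user = user;
      next();
    };
  }
}
// Provider adapter: strict header parse, then a lookup standing in for the provider.
const bearerStrategy = (introspect, now) => (req) => {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/i.exec(req.headers.authorization || '');
  const info = m && introspect(m[1]);
  if (!info || !info.active || info.exp <= now()) return null;
  return { id: info.sub, scopes: info.scope.split(' ') };
};
// Authorization is a separate middleware placed after authentication.
const requireScope = (scope) => (req, res, next) => {
  if (req.user.scopes.includes(scope)) next(); else res.status = 403;
};
// Minimal stand-in for the framework's routing: run the chain in order.
function dispatch(chain, req) {
  const res = { status: 200, headers: {}, body: null };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}
// Constructed sample tokens; the clock is fixed at t=1000 for repeatability.
const TOKENS = new Map([
  ['tok-alice', { active: true, sub: 'alice', scope: 'upload read', exp: 2000 }],
  ['tok-bob', { active: true, sub: 'bob', scope: 'read', exp: 2000 }],
  ['tok-old', { active: true, sub: 'carol', scope: 'upload', exp: 500 }],
]);
const auth = new Authenticator().use('provider', bearerStrategy((t) => TOKENS.get(t), () => 1000));
const uploadRoute = [auth.authenticate('provider'), requireScope('upload'),
  (req, res) => { res.status = 201; res.body = { uploadedBy: req.user.id }; }];
const call = (authorization) => dispatch(uploadRoute, { headers: { authorization } });
```

Swapping the provider means registering a different strategy under `use()`; the route definition and the handler stay unchanged, which is what lets one backend sit behind several providers.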
