Leandro Boffi

Cloud, Identity, Mobility and Software Architecture.

Releasing Astor: A developer tool for token-based authentication

Sun, 2014-04-13 10:09

I’ve just published to NPM the first version of Astor. Astor is a command-line developer tool that helps you when you work with token-based authentication systems.

At this moment it allows you to issue tokens (right now it supports the JWT and SWT formats) to test your APIs. Basically you can do something like this:

$ astor issue -issuer myissuer -profile admin -audience http://myapi.com/

The result of running that command will be something like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiTGVhbkIiLCJhdWQiOiJodHRwOi8vcmVseWluZ3BhcnR5LmNvbS8iLCJpc3MiOiJodHRwOi8vbXlpc3N1ZXIuY29tLyIsImlhdCI6MTM5NzM3NjU5MX0.d6Cb0IQsltocjOtLsfXhjseLcZpcNIWnHeIv4bqrCv4

Yes! A signed JWT ready to send to your API!

Astor basically works with a configuration file that stores issuers, user profiles and issue-session settings. That’s why you can say -issuer myissuer or -profile admin without specifying the issuer key and the user claims. To clarify, this is how astor.config looks:

{
  "profiles": {
    "me@leandrob.com": {
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Leandro Boffi",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email": "me@leandrob.com"
    },
    "admin": {
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "John Smith",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email": "John Smith",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role": "Administrator"
    }
  },
  "issuers": {
    "contoso": {
      "name": "contoso",
      "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow.... AKCAQEAwST\n-----END RSA PRIVATE KEY-----\n"
    },
    "myissuer": {
      "name": "http://myissuer.com/",
      "privateKey": "MIICDzCCAXygAwIBAgIQVWXAvbbQyI5BcFe0ssmeKTAJBg="
    }
  }
}

Did you get that? Once you have created the different profiles and issuers, you can combine them very easily to obtain several different tokens.

Of course, you can start from scratch and specify all the parameters in a single command without using the config file:

$ astor issue -n http://myissuer.com/ -l privateKey.key -a http://relyingparty.com/
Create user profile...
Here you have some common claimtypes, just in case:
- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
- Name Identifier: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- User Principal: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
claim type (empty for finish): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
claim value: Leandro Boffi
claim type (empty for finish): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
claim value: me@leandrob.com
claim type (empty for finish):
Would you like to save the profile? y
Enter a name for saving the profile: me@leandrob.com
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbCI6Im1lQGxlYW5kcm9iLmNvbSIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiOiJMZWFuZHJvIEJvZmZpIiwiYXVkIjoiaHR0cDovL3JlbHlpbmdwYXJ0eS5jb20vIiwiaXNzIjoiaHR0cDovL215aXNzdWVyLmNvbS8iLCJpYXQiOjEzOTczODMwMzR9.1vy9kyY26NwjOQ4gqfy5ZBIQgovgw0gxd4TcVXWzFok
Would you like to save the session settings? y
Enter session name: token-for-test

As you can see, if you don’t use a stored profile you will be prompted to create one on the spot, and once you have created it you can save it to the configuration for future use!

And finally, you can provide a name for the whole session (token-for-test in the example), so the next time you need the same settings you can just do:

$ astor issue -s token-for-test

How to install it?

$ npm install -g astor

Next steps?

I’ll be adding token validation functionality, together with other token formats like SAML and maybe authentication flows!

Check the readme on GitHub for detailed documentation: https://github.com/leandrob/astor

Hope you found it useful!

Categories: Blogs

Code Coverage in Node.js

Tue, 2014-03-11 23:09

This time I want to share with you something I found very useful: Istanbul (http://gotwarlost.github.io/istanbul/), a code coverage report tool.

It’s very easy to use; you just need to install it:

$ npm install -g istanbul

And run it on your solution, for example if you use mocha:

$ istanbul cover _mocha -- -R spec

If you are using Windows, you must provide the relative path to the _mocha file:

$ istanbul cover node_modules/mocha/bin/_mocha -- -R spec

or if you have mocha installed globally:

$ istanbul cover c:\Users\[your user]\AppData\Roaming\npm\node_modules\mocha\bin\_mocha -- -R spec

and this will be the result:

[Screenshot: terminal output of the istanbul cover run]

Once it has run, you can open the HTML report like this:

$ open coverage/lcov-report/index.html

This is how it looks:

[Screenshot: the HTML coverage report]

You can even look at the lines that you are not testing:

[Screenshot: per-file view highlighting uncovered lines]

Just a final tip: add the command to your package.json so it runs every time you do npm test:

"scripts": {
  "test": "istanbul cover _mocha -- -R spec"
}

SAML 2.0 Tokens and Node.js

Wed, 2014-03-05 17:32

As part of my work at Kidozen related to identity management, I’ve just published a new version of a Node.js module that allows you to parse and validate SAML 2.0 Assertions (just like the ones that ADFS uses). It also supports SAML 1.1 tokens.

Installation

$ npm install saml20

Usage

The module exposes two methods, validate and parse. The first one validates the signature, the expiration and (optionally) the audience URI; the second one just parses the token without any validation, which is useful in multiple-IdP scenarios.

This is an example on how to validate a SAML assertion:

var saml = require('saml20');

var options = {
  thumbprint: '1aeabdfa4473ecc7efc5947b18436c575574baf8',
  audience: 'http://myservice.com/'
};

// rawAssertion holds the SAML assertion XML received from the IdP
saml.validate(rawAssertion, options, function(err, profile) {
  if (err) {
    // signature, expiration or audience check failed: do not trust the token
    return;
  }
  var claims = profile.claims; // Array of user attributes
  var issuer = profile.issuer; // String: issuer name
});

You can pass either the certificate thumbprint or the full public key in the options. Check out the GitHub repository page for more examples: https://github.com/leandrob/saml20

I’ve also published an example on how to secure a REST API using this module: https://github.com/kidozen/node-rest-saml.
