AuthAction is a powerful authentication and authorization platform that offers a range of features, including support for single-page applications (SPA) and machine-to-machine (M2M) applications. It provides an easy-to-use interface for managing users, roles, and organizations, and supports OAuth2 and social logins. Best of all, AuthAction is scalable, allowing up to 50,000 monthly active users for free. Whether you're developing an app for a startup or a large enterprise, AuthAction provides a flexible and secure solution for your authentication needs.
In this blog, we'll explore how to authorize NestJS APIs using AuthAction.
Overview
This application showcases how to configure and handle authorization using AuthAction’s access token in a NestJS API. It uses JSON Web Tokens (JWT) for authentication and authorization.
Prerequisites
Before using this application, ensure you have:
Node.js and npm installed: You can download and install them from nodejs.org.
Authaction API credentials: You will need to have the
tenantDomain
,apiIdentifier
from your Authaction account.
Installation
- Clone the repository (if applicable):
git clone git@github.com:authaction/authaction-nestjs-api-example.git
cd authaction-nestjs-api-example
- Install dependencies:
npm install
- Configure your Authaction credentials:
Edit the .env
and replace the placeholders with your AuthAction configurations.
AUTHACTION_DOMAIN=authaction-tenant-domain
AUTHACTION_AUDIENCE=authaction-api-identifier
Usage
- Start the development server:
npm start
This will start the Nestjs application on http://localhost:3000
.
- Testing Authorization:
To obtain an access token via client credentials, run the following curl command:
curl --request POST \
--url https://your-authaction-tenant-domain/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"your-authaction-app-clientid","client_secret":"your-authaction-app-client-secret","audience":"your-authaction-api-identifier","grant_type":"client_credentials"}'
Replace your-authaction-app-clientid, your-authaction-app-client-secret, and your-authaction-api-identifier with your actual AuthAction credentials.
You should receive an access token in response, which you can use to access protected routes.
You can call the public API without any authentication token. The GET /public
endpoint can be accessed by any user or service but protected endpoint need to be called with access token.
curl --request GET \
--url http://localhost:3000/protected \
--header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'content-type: application/json'
{
"message": "This is a protected message!"
}
Code Explanation
JWT Strategy (JwtStrategy
)
-
Overview:
- This service integrates JWT (JSON Web Token) authentication into the NestJS application using the
@nestjs/passport
andpassport-jwt
libraries. - It uses RS256 encryption with a public key retrieved dynamically from a JWKS (JSON Web Key Set) endpoint hosted by AuthAction.
- This service integrates JWT (JSON Web Token) authentication into the NestJS application using the
super()
Configuration:
-
secretOrKeyProvider:
- Uses
jwks-rsa
to fetch and cache the public keys from the AuthAction domain. - Configures the JWKS URI dynamically based on the
AUTHACTION_DOMAIN
environment variable. - Caches the JWKS response for performance and limits the number of requests to prevent rate-limiting issues.
- Uses
-
jwtFromRequest:
- Extracts the JWT token from the Authorization header using the
Bearer
schema (Authorization: Bearer <token>
).
- Extracts the JWT token from the Authorization header using the
-
issuer:
- Specifies the expected JWT issuer (the AuthAction domain).
- The value is dynamically derived from
process.env.AUTHACTION_DOMAIN
.
-
audience:
- Specifies the expected audience of the JWT, which helps ensure that the token is intended for the current application.
- The audience value is taken from
process.env.AUTHACTION_AUDIENCE
.
-
algorithms:
- Enforces the use of the
RS256
algorithm to validate the JWT signature.
- Enforces the use of the
validate(payload)
:
- This method validates the token and extracts the payload (claims).
- The payload contains user information such as the user ID and roles.
- Logging: It logs the payload for debugging purposes.
AppController (AppController
)
getPublicMessage()
:
- This endpoint returns a public message that is accessible without any authentication.
- No guards are applied here, meaning any request can access it.
getProtectedMessage()
:
- This endpoint returns a protected message and requires the user to be authenticated.
- The
@UseGuards(AuthGuard('jwt'))
decorator ensures that only users with valid JWTs can access this route. - The
AuthGuard('jwt')
uses theJwtStrategy
to validate and authenticate incoming requests.
Common Issues
Invalid Token Errors:
- Ensure that the token being used is signed by AuthAction using the
RS256
algorithm and contains the correct issuer and audience claims. - Verify that the
AUTHACTION_DOMAIN
andAUTHACTION_AUDIENCE
environment variables are correctly set.
Public Key Fetching Errors:
- If there are issues retrieving the public keys from AuthAction, check the JWKS URI and ensure your application can reach the AuthAction servers.
Unauthorized Access:
- If requests to the protected route (
/protected
) are failing, ensure that the JWT token is being correctly included in theAuthorization
header and that the token is valid.
Conclusion
Integrating authorization into a nestjs application using AuthAction is a straightforward process. This example helps streamline the setup, offering developers a robust foundation to build secure applications with minimal effort.
If you run into any issues, double-check your configurations to ensure everything is set up correctly. Happy coding!
Feel free to leave your thoughts and questions in the comments below!
Top comments (0)