Introduction
In this tutorial, we will focus on configuring the security aspects of OIDC (OpenID Connect 1.0). Follow along as we guide you through the necessary steps to ensure a secure OIDC setup in panava/node-oidc-provider. Let's get started with configuring the security aspects of OIDC.
Key configuration
To ensure secure token validation, signing, and cookie encryption, we need to provide two types of keys: a jwk formatted key and a secure string for cookie encryption. While there are numerous jwk generator tools available, please note that the sample value provided below should not be used in production environments.
Update configs
./oidc/src/configs/configuration.ts
import { Configuration } from "oidc-provider";
export const configuration: Configuration = {
jwks: {
keys: [
{
kty: "RSA",
n: "jw3bixcae4ktBdXYcKeK5J7pmsXvQdvuOB8yv_q426tsMDlTZ1jj9CgYEZF_SCfzwQ5pcogLD-WY-LYJtt8zfjU_mWZZWcbR1QcMIWhLsSdi2OSlksIewMiv5CzvDBzs6h9sU0yr6yY6SYmT89jXU-D0MqSakDR0x0tyVUonGAWiVGJYINCCEbonoqFYAXjKdrNCCIliXiWQS6rajkEEXj0I2uQr4L1S80mSWWvDfFmFw4yC7V9nOGf1OPotscLCpT7vzlhHCuh3rY12bTEceZeARQ9G9aWQMBhQZPIPBvLdTRl5smFByFJ_FWs2yXXdHXFRo2L8UgwV2D4qVlgUXw",
e: "AQAB",
d: "PodKHUPd-X1-RnywfJ1fIosrhNFbwSfGupU4c529y5bkVTfZcuTxzrjvvE4imoGMFCiegsdgPnSXJq87E8oAEfxobj7Ec29qLHlGHhweabLTjAZ1MO7UzmNqLoxNeLfz_mn5yXdL9h7hf185Ym63wBwl4TT9smabXLlnokwlRmQXL-FWN5P50X60XgPG9hbv5BGPCrfbNNkLzae3fVeTfAZUYw-rwfrKN_HVUz78lo3cNhE2AVMnIF2CeZeH1xrUC81MWGJi7W1R1MtMTUObdqCpqLMtoWSojF3UT0pOMCiMeEt25EGpMiRVNy8HQD-z92uBEh8n2DYWb8Fou1Wa0Q",
p: "23oJTOlWauw_fQJxBmwkfzPL_j9p_Fjtf_ThESn4ZpCkl2Y5cKSqc70bBP3SkgKRWWIt8QunkmkSHDmVzu0_UQu7YgCxqwwR8TvK8uCgNw8umtE_2w2fvf8l_863TEg4btz87kMtk01vWRUcqQxlBvd-bTmL8FDm0iblkskSpbs",
q: "ptwhZzh1TkXFiglDz04_dC6s-Ek_qRxTtUSdhaRr7UDzpa_mEEd41m3kgmjgIlK-FgDpf66N4OWHQow76PVtRUAQSZDSPo4k8TNs5AY_oyzIBAWBnakfs8L368Vo4O3RZJ4wiMqnphTRGiM6rLOev74uTILcVnPgDZLbAm2Gb60",
dp: "QDjIienpcKYqucDCI_f3AgW9Fmul7sJy1LNqPGSEnDaNAwRVoIF-oxld06sWN8VqlLYm7VbUtQHr27h5_q_rjCKbtUSwuHVytp0heMqD9ziJEaJTRh0JdkY370-k0Tx8zuv5UxrzNhw9jdqgpVLMKSq4outo6Gwz7qCVIsuVmks",
dq: "FHPNAFryPfrdYLMMBcAAlRwXhYNs8yyOshxL9pKVzAn3E2sBFyO7kwT7SmTSfEKKHCZWeJkLuPJJZwXLXh2fHCrjFDFVI-fGbW4xPa3qZPTbO2r1XT7arO0L-HFFDrT3wo6FQm8cp4XLr5l72qlVnwkPob80hMBFSUSj5aNJJC0",
qi: "MJJ6KTrCdq1gEgH-MpDF4DeXhE_dlB1P2am3juUR8ieZmohWbruBo6vmA_9Fm_lUs6V3qZ7gjbszguQZwcIFnvXceOBMH35_8TQLM3IrnNTJJTyWslrH3rdLAsIPk_x0cgIJ_gC0BHiQ9TfW8mKjGAK0JRv-V8XXnT4ZFQrlmQI",
},
],
},
cookies: {
keys: ["subzero"],
},
};
TTL config
We have to tell the authorization server what is the lifetime of every token. Usually, we are good to go with defaults.
Update configs
./oidc/src/configs/configuration.ts
export const configuration: Configuration = {
ttl: {
AccessToken: function AccessTokenTTL(ctx, token, client) {
if (token.resourceServer) {
return token.resourceServer.accessTokenTTL || 60 * 60; // 1 hour in seconds
}
return 60 * 60; // 1 hour in seconds
},
AuthorizationCode: 600 /* 10 minutes in seconds */,
BackchannelAuthenticationRequest:
function BackchannelAuthenticationRequestTTL(ctx, request, client) {
if (ctx && ctx.oidc && ctx.oidc.params?.requested_expiry) {
return Math.min(10 * 60, ctx.oidc.params?.requested_expiry as number); // 10 minutes in seconds or requested_expiry, whichever is shorter
}
return 10 * 60; // 10 minutes in seconds
},
ClientCredentials: function ClientCredentialsTTL(ctx, token, client) {
if (token.resourceServer) {
return token.resourceServer.accessTokenTTL || 10 * 60; // 10 minutes in seconds
}
return 10 * 60; // 10 minutes in seconds
},
DeviceCode: 600 /* 10 minutes in seconds */,
Grant: 1209600 /* 14 days in seconds */,
IdToken: 3600 /* 1 hour in seconds */,
Interaction: 3600 /* 1 hour in seconds */,
RefreshToken: function RefreshTokenTTL(ctx, token, client) {
if (
ctx &&
ctx.oidc.entities.RotatedRefreshToken &&
client.applicationType === "web" &&
client.tokenEndpointAuthMethod === "none" &&
!token.isSenderConstrained()
) {
// Non-Sender Constrained SPA RefreshTokens do not have infinite expiration through rotation
return ctx.oidc.entities.RotatedRefreshToken.remainingTTL;
}
return 14 * 24 * 60 * 60; // 14 days in seconds
},
Session: 1209600 /* 14 days in seconds */,
},
};
Summary
Last part but not the least. We looked how we can change some default configurations to increase security. Keep in mind there are a lot of security considerations that fall beyond the scope of this article.
Final words
I hope the article has been helpful. Please help me to improve it by sending me feedback.
Top comments (0)