Introduction
In this tutorial we focus on the security-related configuration of OIDC (OpenID Connect 1.0) in panva/node-oidc-provider: the keys the provider signs and verifies with, the keys that protect its cookies, and the lifetime of every token it issues. Follow along to see which settings matter and why.
Key configuration
The provider needs two kinds of secrets. The first is a JWK set (`jwks`) holding the private keys it uses to sign the tokens it issues (ID tokens, JWT access tokens, signed responses); the public halves are what it publishes at its `jwks_uri` for clients to validate against. The second is one or more `cookies.keys` strings, which are Keygrip signing keys used to sign the session and interaction cookies so that they cannot be tampered with (they do not encrypt the cookie contents). Many JWK generator tools exist, but whatever you use, remember that the sample values below are printed in this article and are therefore public: anyone holding that private key can mint tokens your issuer will accept, and anyone holding the cookie key can produce valid cookie signatures. Generate your own keys, keep them out of the repository, give each JWK a `kid` so key rotation is unambiguous, and never use the values below in production.
Update configs
./oidc/src/configs/configuration.ts
import { Configuration } from "oidc-provider";

export const configuration: Configuration = {
  // Private signing keys; the public parts are published at the jwks_uri.
  // Sample key only: it appears in this article, so treat it as compromised.
  jwks: {
    keys: [
      {
        kty: "RSA",
        n: "jw3bixcae4ktBdXYcKeK5J7pmsXvQdvuOB8yv_q426tsMDlTZ1jj9CgYEZF_SCfzwQ5pcogLD-WY-LYJtt8zfjU_mWZZWcbR1QcMIWhLsSdi2OSlksIewMiv5CzvDBzs6h9sU0yr6yY6SYmT89jXU-D0MqSakDR0x0tyVUonGAWiVGJYINCCEbonoqFYAXjKdrNCCIliXiWQS6rajkEEXj0I2uQr4L1S80mSWWvDfFmFw4yC7V9nOGf1OPotscLCpT7vzlhHCuh3rY12bTEceZeARQ9G9aWQMBhQZPIPBvLdTRl5smFByFJ_FWs2yXXdHXFRo2L8UgwV2D4qVlgUXw",
        e: "AQAB",
        d: "PodKHUPd-X1-RnywfJ1fIosrhNFbwSfGupU4c529y5bkVTfZcuTxzrjvvE4imoGMFCiegsdgPnSXJq87E8oAEfxobj7Ec29qLHlGHhweabLTjAZ1MO7UzmNqLoxNeLfz_mn5yXdL9h7hf185Ym63wBwl4TT9smabXLlnokwlRmQXL-FWN5P50X60XgPG9hbv5BGPCrfbNNkLzae3fVeTfAZUYw-rwfrKN_HVUz78lo3cNhE2AVMnIF2CeZeH1xrUC81MWGJi7W1R1MtMTUObdqCpqLMtoWSojF3UT0pOMCiMeEt25EGpMiRVNy8HQD-z92uBEh8n2DYWb8Fou1Wa0Q",
        p: "23oJTOlWauw_fQJxBmwkfzPL_j9p_Fjtf_ThESn4ZpCkl2Y5cKSqc70bBP3SkgKRWWIt8QunkmkSHDmVzu0_UQu7YgCxqwwR8TvK8uCgNw8umtE_2w2fvf8l_863TEg4btz87kMtk01vWRUcqQxlBvd-bTmL8FDm0iblkskSpbs",
        q: "ptwhZzh1TkXFiglDz04_dC6s-Ek_qRxTtUSdhaRr7UDzpa_mEEd41m3kgmjgIlK-FgDpf66N4OWHQow76PVtRUAQSZDSPo4k8TNs5AY_oyzIBAWBnakfs8L368Vo4O3RZJ4wiMqnphTRGiM6rLOev74uTILcVnPgDZLbAm2Gb60",
        dp: "QDjIienpcKYqucDCI_f3AgW9Fmul7sJy1LNqPGSEnDaNAwRVoIF-oxld06sWN8VqlLYm7VbUtQHr27h5_q_rjCKbtUSwuHVytp0heMqD9ziJEaJTRh0JdkY370-k0Tx8zuv5UxrzNhw9jdqgpVLMKSq4outo6Gwz7qCVIsuVmks",
        dq: "FHPNAFryPfrdYLMMBcAAlRwXhYNs8yyOshxL9pKVzAn3E2sBFyO7kwT7SmTSfEKKHCZWeJkLuPJJZwXLXh2fHCrjFDFVI-fGbW4xPa3qZPTbO2r1XT7arO0L-HFFDrT3wo6FQm8cp4XLr5l72qlVnwkPob80hMBFSUSj5aNJJC0",
        qi: "MJJ6KTrCdq1gEgH-MpDF4DeXhE_dlB1P2am3juUR8ieZmohWbruBo6vmA_9Fm_lUs6V3qZ7gjbszguQZwcIFnvXceOBMH35_8TQLM3IrnNTJJTyWslrH3rdLAsIPk_x0cgIJ_gC0BHiQ9TfW8mKjGAK0JRv-V8XXnT4ZFQrlmQI",
      },
    ],
  },
  // Keygrip keys that sign the provider's cookies. Use long random strings, not a word.
  cookies: {
    keys: ["subzero"],
  },
};
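Rather than pasting a key from a generator site, both secrets can be produced locally. The following is an added example (my code, not code from this article or from node-oidc-provider): it generates a 2048-bit RSA private JWK with a `kid` (its RFC 7638 thumbprint), `use` and `alg`, generates random Keygrip cookie keys, and runs a few sanity checks over a `{ jwks, cookies }` object before it is deployed. The thresholds in `checkKeyConfig` (2048-bit minimum, 32-character cookie keys) and the function names are this example's own assumptions, not provider requirements.

```typescript
// Added example, not from the article or from node-oidc-provider: generate the two
// secrets configuration.ts needs instead of pasting values from a generator site.
import { createHash, generateKeyPairSync, randomBytes } from "node:crypto";

export type PrivateRsaJwk = {
  kty: string; n: string; e: string; d?: string; kid?: string; use?: string; alg?: string;
};

// RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the required public
// members (for RSA exactly e, kty, n, in that lexicographic order), base64url-encoded.
export function rsaThumbprint(jwk: { e: string; kty: string; n: string }): string {
  const canonical = JSON.stringify({ e: jwk.e, kty: jwk.kty, n: jwk.n });
  return createHash("sha256").update(canonical).digest("base64url");
}

// A private RSA JWK for `jwks.keys`. `kid` lets relying parties pick the right key
// from the published JWKS after a rotation; `use`/`alg` pin it to RS256 signing.
export function generateSigningJwk(modulusLength: number = 2048): PrivateRsaJwk {
  const { privateKey } = generateKeyPairSync("rsa", { modulusLength });
  const jwk = privateKey.export({ format: "jwk" }) as unknown as PrivateRsaJwk;
  return { ...jwk, kid: rsaThumbprint(jwk), use: "sig", alg: "RS256" };
}

// `cookies.keys` are Keygrip signing keys. Keygrip signs with keys[0] and verifies
// against every key in the list, so keeping two keys (newest first) allows rotation
// without invalidating cookies signed with the previous key.
export function generateCookieKeys(count: number = 2, bytes: number = 32): string[] {
  const keys: string[] = [];
  for (let i = 0; i < count; i++) keys.push(randomBytes(bytes).toString("base64url"));
  return keys;
}

// Pre-deployment sanity checks. The limits are this example's assumptions
// (2048-bit RSA, 32+ character cookie keys), not rules enforced by the provider.
export function checkKeyConfig(cfg: { jwks: { keys: PrivateRsaJwk[] }; cookies: { keys: string[] } }): string[] {
  const findings: string[] = [];
  cfg.jwks.keys.forEach((key, i) => {
    const label = key.kid || `jwks.keys[${i}]`;
    if (!key.d) findings.push(`${label}: public key only; the provider needs the private key to sign`);
    if (!key.kid) findings.push(`${label}: no kid, key rotation will be ambiguous`);
    if (key.kty === "RSA" && Buffer.from(key.n, "base64url").length * 8 < 2048) {
      findings.push(`${label}: RSA modulus shorter than 2048 bits`);
    }
  });
  cfg.cookies.keys.forEach((k, i) => {
    if (k.length < 32) findings.push(`cookies.keys[${i}]: shorter than 32 characters, guessable`);
  });
  return findings;
}
```

Run it once at provisioning time and feed the output into `jwks.keys` and `cookies.keys` from a secrets store rather than from source control; the checks are cheap enough to keep in a test so that a placeholder key can never make it into a release.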
TTL config
Every token type the provider issues has a time to live, configured under `ttl` either as a number of seconds or as a function of the request context, the token and the client. The values below correspond to the provider's defaults and are usually fine; what matters is understanding what they encode. Authorization and device codes are short-lived (10 minutes); access tokens live an hour unless a resource server overrides `accessTokenTTL`; a CIBA request honours the client's `requested_expiry` only up to 10 minutes; and a refresh token issued to a public SPA client (token endpoint auth method `none`) that is not sender-constrained inherits the remaining lifetime of the token it replaces, so rotation cannot extend it indefinitely. Shorten these values if your threat model calls for it; lengthening them widens the window in which a leaked token remains usable.
Update configs
./oidc/src/configs/configuration.ts
// Same configuration.ts as above; the jwks and cookies entries stay in place and
// the ttl section is added to the same object.
export const configuration: Configuration = {
  ttl: {
    AccessToken: function AccessTokenTTL(ctx, token, client) {
      if (token.resourceServer) {
        return token.resourceServer.accessTokenTTL || 60 * 60; // 1 hour in seconds
      }
      return 60 * 60; // 1 hour in seconds
    },
    AuthorizationCode: 600 /* 10 minutes in seconds */,
    BackchannelAuthenticationRequest: function BackchannelAuthenticationRequestTTL(ctx, request, client) {
      if (ctx && ctx.oidc && ctx.oidc.params?.requested_expiry) {
        return Math.min(10 * 60, ctx.oidc.params?.requested_expiry as number); // 10 minutes in seconds or requested_expiry, whichever is shorter
      }
      return 10 * 60; // 10 minutes in seconds
    },
    ClientCredentials: function ClientCredentialsTTL(ctx, token, client) {
      if (token.resourceServer) {
        return token.resourceServer.accessTokenTTL || 10 * 60; // 10 minutes in seconds
      }
      return 10 * 60; // 10 minutes in seconds
    },
    DeviceCode: 600 /* 10 minutes in seconds */,
    Grant: 1209600 /* 14 days in seconds */,
    IdToken: 3600 /* 1 hour in seconds */,
    Interaction: 3600 /* 1 hour in seconds */,
    RefreshToken: function RefreshTokenTTL(ctx, token, client) {
      if (
        ctx &&
        ctx.oidc.entities.RotatedRefreshToken &&
        client.applicationType === "web" &&
        client.tokenEndpointAuthMethod === "none" &&
        !token.isSenderConstrained()
      ) {
        // Non-Sender Constrained SPA RefreshTokens do not have infinite expiration through rotation
        return ctx.oidc.entities.RotatedRefreshToken.remainingTTL;
      }
      return 14 * 24 * 60 * 60; // 14 days in seconds
    },
    Session: 1209600 /* 14 days in seconds */,
  },
};
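To see how these settings behave, and to catch a regression when someone loosens them later, it helps to evaluate the `ttl` entries the same way the provider does. The following is an added example (my code, not code from this article or from node-oidc-provider): it resolves each entry with constructed `ctx`, `token` and `client` probes, compares the result against upper bounds that are this example's own assumptions (chosen to equal the defaults above), and specifically checks the rotation edge case for a public SPA client. `exampleTtl` is a copy of the relevant entries from the configuration above; `weakTtl` is a deliberately loosened variant; all other names are invented for the example.

```typescript
// Added example, not from the article or from node-oidc-provider: audit a ttl
// configuration by resolving it the way the provider does (number or function).
type TtlFn = (ctx: any, token: any, client: any) => number;
type TtlValue = number | TtlFn;
export type TtlConfig = { [tokenType: string]: TtlValue };

// Upper bounds in seconds. An assumption of this example, chosen to equal the
// defaults reproduced above; tighten them to match your own policy.
export const MAX_TTL: { [tokenType: string]: number } = {
  AccessToken: 60 * 60,
  AuthorizationCode: 10 * 60,
  BackchannelAuthenticationRequest: 10 * 60,
  ClientCredentials: 10 * 60,
  DeviceCode: 10 * 60,
  Grant: 14 * 24 * 60 * 60,
  IdToken: 60 * 60,
  Interaction: 60 * 60,
  RefreshToken: 14 * 24 * 60 * 60,
  Session: 14 * 24 * 60 * 60,
};

export function resolveTtl(value: TtlValue, ctx: any, token: any, client: any): number {
  return typeof value === "function" ? value(ctx, token, client) : value;
}

// Constructed probes: a confidential web client; a public SPA (token endpoint auth
// "none"); a token bound to no resource server and not sender-constrained; and a
// context in which a refresh token with one day left is being rotated.
export const confidentialClient = { applicationType: "web", tokenEndpointAuthMethod: "client_secret_basic" };
export const spaClient = { applicationType: "web", tokenEndpointAuthMethod: "none" };
export const plainToken = { resourceServer: undefined, isSenderConstrained: () => false };
export const emptyCtx = { oidc: { params: {}, entities: {} } };
export const rotatingCtx = { oidc: { params: {}, entities: { RotatedRefreshToken: { remainingTTL: 24 * 60 * 60 } } } };

export function auditTtl(ttl: TtlConfig): string[] {
  const findings: string[] = [];
  for (const type in MAX_TTL) {
    const value = ttl[type];
    if (value === undefined) continue; // not overridden, provider default applies
    const seconds = resolveTtl(value, emptyCtx, plainToken, confidentialClient);
    if (seconds > MAX_TTL[type]) findings.push(`${type}: ${seconds}s exceeds ${MAX_TTL[type]}s`);
  }
  // Edge case: rotating a non-sender-constrained refresh token for a public SPA must
  // not hand out more lifetime than the token being replaced had left.
  const refresh = ttl.RefreshToken;
  if (typeof refresh === "function") {
    const rotated = resolveTtl(refresh, rotatingCtx, plainToken, spaClient);
    const remaining = rotatingCtx.oidc.entities.RotatedRefreshToken.remainingTTL;
    if (rotated > remaining) findings.push(`RefreshToken: rotation for a public SPA grants ${rotated}s, more than the ${remaining}s remaining`);
  } else if (refresh !== undefined) {
    findings.push("RefreshToken: static value, rotation for public SPA clients is not capped at the original lifetime");
  }
  return findings;
}

// Copy of the entries above that have function bodies, plus one static entry.
export const exampleTtl: TtlConfig = {
  AccessToken: (ctx: any, token: any) => (token.resourceServer ? token.resourceServer.accessTokenTTL || 60 * 60 : 60 * 60),
  AuthorizationCode: 600,
  RefreshToken: (ctx: any, token: any, client: any) => {
    if (ctx && ctx.oidc.entities.RotatedRefreshToken && client.applicationType === "web" &&
        client.tokenEndpointAuthMethod === "none" && !token.isSenderConstrained()) {
      return ctx.oidc.entities.RotatedRefreshToken.remainingTTL;
    }
    return 14 * 24 * 60 * 60;
  },
};

// Deliberately loosened: week-long access tokens, day-long codes, static refresh token TTL.
export const weakTtl: TtlConfig = {
  AccessToken: 7 * 24 * 60 * 60,
  AuthorizationCode: 24 * 60 * 60,
  RefreshToken: 14 * 24 * 60 * 60,
};
```

`auditTtl(exampleTtl)` returns no findings, while `auditTtl(weakTtl)` reports the oversized access token and authorization code lifetimes and the static refresh token value that would let a public SPA keep rotating forever. Wiring the audit into the test suite for `configuration.ts` turns the policy in the paragraph above into something a pull request cannot silently violate.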
Summary
This is the last part of the series, but not the least important. We looked at how to replace the sample signing and cookie keys with your own and how token lifetimes are configured and what they mean for security. Keep in mind that many other security considerations (client authentication, PKCE, sender-constrained tokens, logout, and so on) fall beyond the scope of this article.
Final words
I hope the article has been helpful. Please help me improve it by sending me feedback.