anvilresearch / connect-js Goto Github PK

Anvil Connect JavaScript client for web browsers

License: MIT License

HTML 1.06% JavaScript 70.66% CoffeeScript 28.28%

connect-js's Introduction

NOTICE

We’re archiving Anvil Connect and all related packages. This code is entirely MIT Licensed. You’re free to do with it what you want. That said, we are recommending against using it, due to the potential for security issues arising from unmaintained software. For more information, see the announcement at anvil.io.

Anvil Connect JavaScript Client

Install

$ bower install anvil-connect --save

API Documentation

Anvil.configure(options)

Anvil.toFormUrlEncoded(obj)

Anvil.parseFormUrlEncoded(str)

Anvil.getUrlFragment(url)

Anvil.popup(popupWidth, popupHeight)

Anvil.session

Anvil.serialize()

Anvil.deserialize()

Anvil.reset()

Anvil.uri()

Anvil.nonce()

Anvil.sha256url()

Anvil.headers()

Anvil.request()

Anvil.userInfo()

Anvil.callback(response)

Anvil.authorize()

Anvil.signout(path)

Anvil.destination(path)

Anvil.checkSession(id)

Anvil.updateSession(event)

Anvil.isAuthenticated()

Anvil.getKeys()

AngularJS Usage

Be sure to register your app as a client with your Anvil Connect provider to obtain credentials.

Authenticate with a popup window

First copy callback.html from this repository into your public assets, and add anvil-connect.angular.js to your index.html file.

<script src="bower_components/angular/angular.js"></script>
<!-- ... -->
<script src="bower_components/sjcl/sjcl.js"></script>
<script src="bower_components/anvil-connect/anvil-connect.angular.js"></script>
<!-- ... -->
<script src="scripts/app.js"></script>
<!-- ... -->

Then you can load the module and configure the provider.

angular.module('App', ['...', 'anvil'])

  .config(function (..., AnvilProvider) {

    AnvilProvider.configure({
      issuer:       'http://localhost:3000',
      client_id:    '<CLIENT_ID>',
      redirect_uri: '<YOUR_APP_HOST>/callback.html',
      display:      'popup'
    });

    // ...

  })

You can inject the Anvil service into your controllers and call Anvil.authorize() wherever you want to initiate an OpenID Connect authentication flow.

  .controller(function ($scope, ..., Anvil) {
    $scope.signin = function () {
      Anvil.authorize();
    };
  })

Authenticate with full page navigation

Configuring the service to use full page navigation is similar to popup configuration, but requires a route definition to handle the authorization response from Anvil Connect:

angular.module('App', ['...', 'anvil'])

  .config(function (..., $routeProvider, AnvilProvider) {

    AnvilProvider.configure({
      issuer:       'http://localhost:3000',
      client_id:    '<CLIENT_ID>',
      redirect_uri: '<YOUR_APP_HOST>/callback',
      // `display` defaults to "page"
    });

    $locationProvider.html5Mode(true);
    $locationProvider.hashPrefix = '!';

    $routeProvider

      // ...

      .when('/callback', {
        resolve: {
          session: function ($location, Anvil) {
            Anvil.authorize().then(
              function (response) {
                $location.url('/');
              },
              function (fault) {
                // your error handling
              }
            )
          }
        }
      })

      // ...

  })

connect-js's People

Contributors

Stargazers

Watchers

Forkers

bauglir henrjk nheijminkccv thebalkanfella ramiel blocka zafeer ej-labs marton987 cpwc swipswaps

connect-js's Issues

Webcrypto API

We've experimented with a number of JavaScript crypto libraries (sjcl, crypto-js, jsrsasign, etc) in this package for various purposes. The most important case is verifying signatures. In the meantime, the WebCrypto API has been maturing and will eventually be ready to replace some or all of these dependencies.

We need to explore the potential for rewriting some of this code using WebCrypto, take stock of it's readiness for general use, and consider implementing fallbacks for older browsers that will continue to require polyfills or additional optional dependencies.

Support state parameter

The client should handle state param as specified in OpenID Connect Core and RFC6749

Mode to have page display in own window

The openid specs has an optional display request parameter with values page, popup, touch and wap.

It appears that independent(!?) from this there is also a choice on how to integrate this into the browser client app. Currently this library supports this by the configuration property display which has values popup or page (default). This is described in Readme.md

Note that page is implemented as a full page navigation (`window.location = ) which means that the app will be reloaded. This can be problematic for Single Page Apps.

A client should be able to display a full login page in a tab or window without having to do a reload.
This would behave similar to a popup on mobile devices. Mobile Safari does not support popups and opens a new tab instead.

One way to this would be to have the display configuration be popup, open_window ,same_windowwheresame_windowwould be the currentpage` setting.

Would this make sense?

Use new jsrsasign/jsjws

Will be great if lib is compatible with breaking changes in jsrsasign/jsjws
Problem is described here
anvilresearch/connect-jwt#7
Until breaking changes are implemented, dependencies can be updated to
"jsrsasign": "4.9.2"

I don't feel enough experienced in this area to do it myself...

popup does not work on IOS

This is with IOS version 8.2 (on IPad 2nd gen).

I tried using the display popup mode from the angular example (https://github.com/anvilresearch/connect-example-angularjs, see https://github.com/henrjk/connect-example-angularjs/blob/tryit/README.md).

To enable testing from my devices I am using grunt serve of the example while changing the hostname to 0.0.0.0 here). This allows to access the page with the private IP address of my dev machine in my home network.
I configured the anvil-connect server so that callbacks and auth server also use that private IP address.

This works fine from the desktop and also on an Android Nexus 4, with Android 4.4.4 and Chrome 43.0.2357.93.

However when I touch SignIN on mentioned IPad nothing happens. The behaviour is the same in both Chrome (43.0.2357.61) and Safari (from User-Agent: Version/8.0 Mobile/12D508 Safari/600.1.4).

Earlier I had made some changes in the anvil-connect.angular.js to see how opening a new tab would work instead of reloading the URL in display page mode. As this had worked fine I suspected that the problem was the popup() function

Indeed when I comment out the || $document.documentElement.clientWidth and || $document.documentElement.clientHeight the popup works.

I have not yet actually debugged into this.

This is not directly related but I mention it as the resolution might be affected by this. I believe a display page mode which is presented in a new tab is a valid option also which makes more sense to me in a single page app then a page reload.

Transparently refreshing access tokens

Problem: When an access token expires, we must get a new one so the user can both remain logged in and make requests to authorized service endpoints.

Ideally:

The process of refreshing should be invisible to the user. If an application "requires authentication" on all routes and auto-redirects to the anvil server, it will get a new token back (via the normal auth flow). However, this is obviously not using the "refresh" token that is in place...and it causes a redirect & full page refresh.
Refreshing should not take place as part of a user-initiated task. Ideally the token would be "auto-refreshed" prior to its expiration to prevent subsequent requests to service endpoints the application depends on from failing. It would be relatively trivial to monitor outgoing request and refresh only when necessary. However, I feel this is less than ideal because:
1. The next service API call would incur the cost of the refresh request in addition to the API service request itself.
2. If multiple API calls were to take place in parallel, I believe a race condition/error would present itself at some point (one succeeds, one does not...how does failed request recover).

Any ideas on how to handle this? (my primary concern with this is in the context of an AngularJS application...but feel free to interpret outside that context as well if desired)