Skip to content

leesei/docker-auth-server

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
context
context
 
 
sample
sample
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 

Repository files navigation

docker-auth-server

leesei/auth-server

Dockerized JWT key server with auth0/node-jsonwebtoken.

  • load signature keys (X.509 RS256 key pair) and users JSON from file system
    /config/jwt_private.pem, /config/jwt_public.pem, /config/users.json
    compatible with docker secret and config
  • does not support secured connection
    relies on the network layer (reverse proxy, VPC or secure overlay network) for security
  • listens on port 8000 by default
  • supports svg-captcha MFA
    client must use /captcha or /captcha.html and solve the captcha first
    temp sessions will be created with techfort/LokiJS
  • Captcha is disable by default
    use --captcha and Docker COMMAND to enable
  • Compare with bcrypt hashed password
    helper script password_hash.js
    use --plaintext to disable hashed match (NOT RECOMMENDED FOR PRODUCTION)

Configs

All [time] configs accept formats supported by vercel/ms.

ENV variable Description
DEBUG Debug flag (dotenv and server)
ISSUER JWT issuer
EXPIRY [time] JWT expiry period
SESSION_TTL [time] Captcha expiry period
PUBLIC_KEY_PATH Path for X.509 RS256 public key
PRIVATE_KEY_PATH Path for X.509 RS256 private key
USERS_PATH Path for users.json

JWT RS256 Key Pair

Sample RS256 key pair is in sample/, DO NOT use them in production.

RSA key pair creation commands:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -keyout jwt_private.pem -out jwt_public.pem

TODO: add Node.js instructions (with crypto.generateKeyPairSync())

User Credentials

Sample user_plaintext.json/users.json are in sample/, DO NOT use them in production.
Hashed password can be created with:

cd context/app/
./password_hash.js pa$$w0rd  # single password
./password_hash.js users_plaintext.json > user.json  # hash all `password` fields JSON file

scope field is added to the claim, it is compatible to Hapi's authorization convention

Starting server

# local development, configured to load `../../sample/`
cd context/app/
yarn start
# docker staging, using mount
docker run -it --rm --name docker-auth-server -p 8000:8000 \
  -v $PWD/sample:/configs \
  -v $PWD/context/app:/pwd -w /pwd \
  --entrypoint bash \
  leesei/auth-server
# docker, using docker secret and config
cd sample/    # or your deployment config
docker secret create jwt_private ./jwt_private.pem
docker secret create users ./users.json
docker config create jwt_public ./jwt_public.pem

docker service create --name docker-auth-server -p 8000:8000 \
  --secret source=jwt_private,target=/configs/jwt_private.pem \
  --secret source=users,target=/configs/users.json \
  --config source=jwt_public,target=/configs/jwt_public.pem \
  leesei/auth-server

Endpoints

# getting JWT
xh -b POST http://localhost:8000/ username=admin password=admin
xh -b POST http://localhost:8000/ username=user password=user

# validating JWT
TOKEN=$(xh -b POST http://localhost:8000/ username=admin password=admin)
xh -b "http://localhost:8000/verify/$TOKEN"

# validating JWT with captcha enabled
# get and solve captcha at `http://localhost:8000/captcha.html` first
TOKEN=$(xh -b POST http://localhost:8000/ username=admin password=admin sessionId=Xe7OiAoluOSLhyVtPD8S9 captcha=ZQJR)
xh -b "http://localhost:8000/verify/$TOKEN"

About

Dockerized JWT key server

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

6 tags

Packages

No packages published

Languages