#authentication

Hello
I'd like to implement (using best practies and standards) an authentication server using NestJS.
I'd like to build an auth server for a native app.
Is there any good specification how endpoints should be implemented and/or some best advices?
Generally speaking, I thought that e.x OAuth2 is an authorization protocol but the more articles I read about authentication, the more confused I become...
Of course I can implement /singup, /signin, /refresh, /logout endpoints and do the logic but maybe there is a better way to understand all this better.
I was also wondering, should I combine user data (e.g. name, age) with the user account (email, password) or should I treat such entities individually designing the server architecture?
I will be grateful for any help and discussion 🙂

Honestly just go with existing solutions such as keycloak, ory, okta... This problem has already been solved.

You mentionned oauth which is a standard protocol implemented by the apps I mentionned, implementing it yourself would be too hard.

To understand it I suggest reading about oauth2 on auth0’s web site who has great docs or reading the rfcs.
This way you would have a centralized authentication system your apps, users, people inside your own company, etc.

Thanks for the reply, Im doing a project to learn it so no necessarily need to use existing solutions. btw isnt keycloak only available for Java?
Yeah and isnt OAuth just about authorizatoon? I know i will need it to access resources but the only thing that I care about now is authentication
I dont get it why OAuth would describe authentication if it is authorizatoon protocol 🤔I think this is where I'm lost

edit: I can see keycloak connector for NodeJS, I though it is only available for java

OAuth is about a giving acces to a users resources to a third party without giving your credentials.

Keycloak is an identity and access management provider, it supports oauth2 and oidc, meaning it also provides identies to user (password, email, username, roles, etc.). Its indeed a java application but it can be used with any other technology.

One example is the PKCE flow with is a series of redirections and requests between a website for example, and an authorization server (such a Google’s, or github’s).

This works with any language

You should definetly dig around docs and videos because this is a very complex subject

Yesterday I found a great video from Okta about oauth and oidc.
I didn't know that companies like facebook, google etc. have used OAuth as authentication protocol 😄 and for this reason OIDC have been created as an extension for OAuth so the clients can request for openid profile scope and I think that is why it is believed that oauth is also used for authenticaiton, because basically it indirectly so

I also decided to hook into keycloak as soon as I manage to understand more advanced topics related to auth flows, especially pkce in device auth grant or auth code grant with pkce

Great, I had a hard time event trying to understand it, if you’re familiar with react I can suggest axa-fr/react-oidc to see the pkce flow in action

Then for nest, its simple you just need to code a guard who handles jwk

It youre stuck I can provide help

I guess for nest an auth guard would have to call KC server to authorize and that's all?

thanks! Could you tell me which flow will fit best for native app in your opinion?

I've seen that the most secure way to solve it is to open a signin webpage over the app where user can enter login/password and it is sent via cookies AFAIK and the app gets back through Linking with an access token (so I guess the authentication is hybrid: auth_code is requested via login/pass and then it is exchanged for an access token?)

nope

• KC the user gets access tokens from keycloak after completing PKCE workflow (for example)
• Browser makes requests with said access token to nest API
• Nest app checks the JWT (wether its signed by keycloak, and wether is issuer is the right keycloak server + realm)

1. thats right
2. thats also right
3. Can nest app verify the token? Isn't KC the owner of the private key to validate access tokens?
   I know that I can check the payload as you described but isn't KC required for its signature validation?

Not necessarly, the JWTs are signed with a cryptographic key pair, all your app has to do is get that keypair when it starts, and compare the incoming jwts with it
this makes sure that the jwts come from your keycloak and not another

you end up with something like this:

const token = this.extractTokenFromHeader(request);
if (!token) {
  throw new UnauthorizedException();
}
try {
  const publicKey = await this.authService.fetchPublicKey();
  const payload = await this.jwtService.verifyAsync(token, {
    publicKey: publicKey,
    issuer: this.issuerUri,
    algorithms: ['RS256'],
  });

  request['user'] = payload;
} catch (error) {
  this.logger.error(`Failed to verify token ${error.stack}`);
  throw new UnauthorizedException();
}

For the issuerUri:

this.issuerUri = configService.get('OIDC_ISSUER');

and how I get the public key from my keycloak instance:

https://auth-season-link.ve.moreiradj.net/realms/season-link/protocol/openid-connect/certs

So the app makes a get request there, gets the public key and it can recognise jwts from your keycloak

ohhh, so nest app only needs public key generated by KC client and it should be a sort of private key for the backend to verify tokens?

Nope, your nest app doesn't have anything secret, it just get the public key from keycloak, who has the private key

Your nest app then makes sure that that the jwt was issued by keycloak with the public key it got from keycloak and the iss field in the jwt

you can think of it the same was as ssh private / public keys

Fair enough, thank you for you knowledge. I really appreciate it 🙂 btw. I took a quick look at the lib you sent for the react and it looks promising.

However, there is one more thing that puzzles me, maybe you will know the answers 😄
Lets say that I have a native app that is requesting my authorization server for the authorization code with the PKCE openid-connect/auth.

1. This code is returned back to the app and the app is requesting again with that code for the tokens? openid-connect/token or both requests are done in "one browser session" for which the app receives the tokens?
2. If you know: Is it possible to replace KC signin template with my own (If so; is it done on the KC side or I need to implement my own signin website and handle it somehow)?
   I have seen that you can extend the themes but maybe there are other ways to handle it (just curious).

Hi,
for understanding how Authentication works in Nestjs I came across this youtube video a while ago https://www.youtube.com/watch?v=GHTA143_b-s&t=2951s&ab_channel=freeCodeCamp.org it`s a tutorial where the guy create some ressources and add authentication to the application, he uses JWT strategy in that case but it gives you a perfect explanation of the workflow in authentication.
Using libraries that handle all the logic of authentication like firebase does for example is cool but implementing your own with just the help of passport is also a good way to understand the process of auth

hi!
I even briefly watched this video before 😄
Thanks. I was actually looking for some general explanations and possibility of setting up self hosted auth service. Getting to know with KC causes me to search for many things, which again means that I understand the process better and better. For now I'll stick to learning about it

fair enough good luck !

Thanks 😄 I even managed to implement pseudo-authentication, but things started to get complicated when I implemented refresh token rotation and invalidation. However I wasnt aware of authentication using authorization code and the entire OAuth/OIDC procedure.
I would say it is good to implement on your own and play with ready-made solutions such as KC to understand it better