Authentication in LoopBack Applications against Bluemix

The Node.js API framework LoopBack supports third-party logins to authenticate users and to link accounts. This article describes how to authenticate from LoopBack applications against the Single Sign On service in Bluemix so that you can leverage existing enterprise directories.

Get the code from GitHub.

The Single Sign On service supports different identity providers. For example enterprise customers typically use SAML. If customers don’t have an SAML identity provider, they can install an Identity Bridge on premises which externalizes the SAML protocol to an LDAP version 3 compliant directory. In the sample below I use a cloud directory with some test users, but the application code would be identical when using SAML.

LoopBack leverages passport to support third party logins via the loopback-component-passport module. The sample on GitHub shows how to authenticate against Facebook, Google and Twitter.

In order to authenticate against the Single Sign On service you need to use the passport-idaas-openidconnect module. The tricky part is to do the right configuration since the documentation is a little light. Here is the key part in the code. In order to read the credentials from the Bluemix context, the provider is not defined in a static property file but programmatically.

var options = {
  "provider": "ibm",
  "module": "passport-idaas-openidconnect",
  "strategy": "IDaaSOIDCStrategy",
  "clientID": ssoConfig.credentials.clientId,
  "clientSecret": ssoConfig.credentials.secret,
  "authorizationURL": ssoConfig.credentials.authorizationEndpointUrl,
  "tokenURL": ssoConfig.credentials.tokenEndpointUrl,
  "scope": "openid",
  "response_type": "code",
  "callbackURL": "/auth/ibm/callback",
  "skipUserProfile": true,
  "issuer": ssoConfig.credentials.issuerIdentifier,
  "authScheme": "openid connect",
  "authPath": "/auth/ibm",
  "session": true,
  "failureFlash": true
passportConfigurator.configureProvider("ibm", options);

After this you can log in as a user defined in the cloud directory. Check out the screenshots folder for more details.