Implementing Authorization in a NestJS API with AuthAction

AuthAction is a powerful authentication and authorization platform that offers a range of features, including support for single-page applications (SPA) and machine-to-machine (M2M) applications. It provides an easy-to-use interface for managing users, roles, and organizations, and supports OAuth2 and social logins. Best of all, AuthAction is scalable, allowing up to 50,000 monthly active users for free. Whether you're developing an app for a startup or a large enterprise, AuthAction provides a flexible and secure solution for your authentication needs.

In this blog, we'll explore how to authorize NestJS APIs using AuthAction.

Overview

This application showcases how to configure and handle authorization using AuthAction’s access token in a NestJS API. It uses JSON Web Tokens (JWT) for authentication and authorization.

Prerequisites

Before using this application, ensure you have:

1. Node.js and npm installed: You can download and install them from nodejs.org.

2. Authaction API credentials: You will need to have the tenantDomain, apiIdentifier from your Authaction account.

Installation

1. Clone the repository (if applicable):

   git clone git@github.com:authaction/authaction-nestjs-api-example.git
   cd authaction-nestjs-api-example

1. Install dependencies:

   npm install

1. Configure your Authaction credentials:

Edit the .env and replace the placeholders with your AuthAction configurations.

   AUTHACTION_DOMAIN=authaction-tenant-domain
   AUTHACTION_AUDIENCE=authaction-api-identifier

Usage

1. Start the development server:

   npm start

This will start the Nestjs application on http://localhost:3000.

1. Testing Authorization:

To obtain an access token via client credentials, run the following curl command:

 curl --request POST \
--url https://your-authaction-tenant-domain/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"your-authaction-app-clientid","client_secret":"your-authaction-app-client-secret","audience":"your-authaction-api-identifier","grant_type":"client_credentials"}'

Replace your-authaction-app-clientid, your-authaction-app-client-secret, and your-authaction-api-identifier with your actual AuthAction credentials.

You should receive an access token in response, which you can use to access protected routes.

You can call the public API without any authentication token. The GET /public endpoint can be accessed by any user or service but protected endpoint need to be called with access token.

curl --request GET \
  --url http://localhost:3000/protected \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  --header 'content-type: application/json'

{
  "message": "This is a protected message!"
}

Code Explanation

JWT Strategy (JwtStrategy)

• Overview:
  • This service integrates JWT (JSON Web Token) authentication into the NestJS application using the @nestjs/passport and passport-jwt libraries.
  • It uses RS256 encryption with a public key retrieved dynamically from a JWKS (JSON Web Key Set) endpoint hosted by AuthAction.

super() Configuration:

• secretOrKeyProvider:

  • Uses jwks-rsa to fetch and cache the public keys from the AuthAction domain.
  • Configures the JWKS URI dynamically based on the AUTHACTION_DOMAIN environment variable.
  • Caches the JWKS response for performance and limits the number of requests to prevent rate-limiting issues.

• jwtFromRequest:

  • Extracts the JWT token from the Authorization header using the Bearer schema (Authorization: Bearer <token>).

• issuer:

  • Specifies the expected JWT issuer (the AuthAction domain).
  • The value is dynamically derived from process.env.AUTHACTION_DOMAIN.

• audience:

  • Specifies the expected audience of the JWT, which helps ensure that the token is intended for the current application.
  • The audience value is taken from process.env.AUTHACTION_AUDIENCE.

• algorithms:

  • Enforces the use of the RS256 algorithm to validate the JWT signature.

validate(payload):

• This method validates the token and extracts the payload (claims).
• The payload contains user information such as the user ID and roles.
• Logging: It logs the payload for debugging purposes.

---

AppController (AppController)

getPublicMessage():

• This endpoint returns a public message that is accessible without any authentication.
• No guards are applied here, meaning any request can access it.

getProtectedMessage():

• This endpoint returns a protected message and requires the user to be authenticated.
• The @UseGuards(AuthGuard('jwt')) decorator ensures that only users with valid JWTs can access this route.
• The AuthGuard('jwt') uses the JwtStrategy to validate and authenticate incoming requests.

---

Common Issues

Invalid Token Errors:

• Ensure that the token being used is signed by AuthAction using the RS256 algorithm and contains the correct issuer and audience claims.
• Verify that the AUTHACTION_DOMAIN and AUTHACTION_AUDIENCE environment variables are correctly set.

Public Key Fetching Errors:

• If there are issues retrieving the public keys from AuthAction, check the JWKS URI and ensure your application can reach the AuthAction servers.

Unauthorized Access:

• If requests to the protected route (/protected) are failing, ensure that the JWT token is being correctly included in the Authorization header and that the token is valid.

Conclusion

Integrating authorization into a nestjs application using AuthAction is a straightforward process. This example helps streamline the setup, offering developers a robust foundation to build secure applications with minimal effort.

If you run into any issues, double-check your configurations to ensure everything is set up correctly. Happy coding!

Feel free to leave your thoughts and questions in the comments below!