Merge pull request #746 from firebase/okta-sample

Okta authentication sample

Author: kevinthecheung

README.md

@@ -172,7 +172,7 @@ Only users who pass a valid Firebase ID token as a Bearer token in the `Authoriz
 Checking the ID token is done with an ExpressJs middleware that also passes the decoded ID token in the Express request object.
 Uses an HTTP trigger.
 
-### Authorize with [LinkedIn](/linkedin-auth), [Spotify](spotify-auth), [Instagram](/instagram-auth), [LINE](/line-auth) or [Basic Auth](/username-password-auth)
+### Authorize with [Okta](/okta-auth), [LinkedIn](/linkedin-auth), [Spotify](spotify-auth), [Instagram](/instagram-auth), [LINE](/line-auth) or [Basic Auth](/username-password-auth)
 
 Demonstrates how to authorize with a 3rd party sign-in mechanism, create a Firebase custom auth token, update the user's profile and authorize Firebase.
 Uses an HTTP trigger.

okta-auth/.gitignore

@@ -0,0 +1,5 @@
+service_account_private_key.json
+.runtimeconfig.json
+ui-debug.log
+public/okta-config.js
+functions/.env

okta-auth/README.md

@@ -0,0 +1,130 @@
+# Authenticate with Firebase using Okta
+
+Sample app that demonstrates how to authenticate with Firebase using Okta.
+
+## Overview
+
+This sample has two parts:
+
+- A Node.js backend that “exchanges” Okta access tokens for Firebase custom
+  authentication tokens. The backend is intended to be deployed as a Cloud
+  Function, but because its just an Express.js app, you can also run on it on
+  your own infrastructure.
+- A web frontend that signs users in with Okta, gets a Firebase custom
+  authentication token from your backend, and authenticates with Firebase using
+  the custom token.
+
+## Setup
+
+Before you try the demo with the Firebase emulator suite or deploy it to
+Firebase Hosting and Cloud Functions, set up your Okta and Firebase projects,
+and install the Firebase CLI tool:
+
+1.  On the [Okta Developer site](https://developer.okta.com/):
+
+    1.  Sign in or sign up.
+    2.  Take note of your **Org URL** (top-right of the dashboard) for later.
+    3.  Create a user with a password in your Okta project. (This demo doesn't
+        have a sign-up flow.)
+    4.  On the Applications page, add a Single-Page App:
+        1.  Set the **Base URIs** to `http://localhost:5000`.
+        2.  Set the **Login redirect URIs**  to `http://localhost:5000`.
+        3.  Enable the **Authorization Code** grant type.
+        4.  Click **Done**. Take note of the app's **Client ID** for later.
+    5.  In **API > Trusted Origins**, confirm that `http://localhost:5000` is
+        listed, with **CORS** and **Redirect** enabled.
+
+2.  In the [Firebase console](https://console.firebase.google.com/):
+
+    1. Create a new Firebase project. Take note of your **project ID** for
+       later.
+    2. On the Project Overview page, add a new web app. Be sure **Also set up
+       Firebase Hosting for this app** is selected.
+    3. If you plan to try the demo in the emulator, [generate and download a
+       service account key][svcacct].
+
+3.  If you don't already have a Node.js 10 (or newer) environment,
+    [install Node.js](https://nodejs.org/).
+
+4.  If you haven't already installed the Firebase CLI tool, do it now:
+
+    ```
+    $ npm install --global firebase-tools
+    ```
+
+[svcacct]: https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk
+
+## Try the demo with the Firebase emulator suite
+
+1.  Make sure the Firebase CLI tool is set to use your Firebase project:
+
+    ```
+    $ cd functions-samples/okta-auth
+    okta-auth$ firebase login
+    okta-auth$ firebase use <YOUR_FIREBASE_PROJECT_ID>
+    ```
+
+2.  Run `setup.js` from the Firebase project directory:
+
+    ```
+    okta-auth$ node setup.js
+    ```
+
+    The script will prompt you for some of your Okta and Firebase configuration
+    values and create configurations files from them. The script won't
+    overwrite existing files.
+
+3.  Start the emulators:
+
+    ```
+    okta-auth$ firebase emulators:start
+    ```
+
+4.  Open the web app: [`http://localhost:5000`](http://localhost:5000).
+
+## Deploy the demo to Firebase Hosting and Cloud Functions
+
+1.  [Upgrade your Firebase project to the Blaze (pay as you go) plan](https://console.firebase.google.com/project/_/overview?purchaseBillingPlan=metered).
+    The Blaze plan is required to access external services (Okta) from Cloud
+    Functions.
+
+2.  In the Google Cloud console:
+
+    1.  [Enable the IAM Service Account Credentials API](https://console.cloud.google.com/apis/api/iamcredentials.googleapis.com/overview?project=_).
+    2.  On the [IAM](https://console.developers.google.com/iam-admin/iam?project=_)
+        page, edit the account named **App Engine default service account** and
+        add the **Service Account Token Creator** role.
+
+3.  Make sure the Firebase CLI tool is set to use your Firebase project:
+
+    ```
+    $ cd functions-samples/okta-auth
+    okta-auth$ firebase login
+    okta-auth$ firebase use <YOUR_FIREBASE_PROJECT_ID>
+    ```
+
+4.  Optional: If you have configuration files from local testing, delete them:
+
+    ```
+    okta-auth$ rm public/okta-config.js ; rm functions/.env ; rm .runtimeconfig.json
+    ```
+
+5.  Run `setup.js -d` from the Firebase project directory. The `-d` flag
+    configures the web app and backend for deployment.
+
+    ```
+    okta-auth$ node setup.js -d
+    ```
+
+    The script will prompt you for some of your Okta and Firebase configuration
+    values, create configurations files from them, and set some Cloud Funcions
+    environment settings. The script won't overwrite existing files or Cloud
+    Functions environment settings.
+
+6.  Deploy the project:
+
+    ```
+    okta-auth$ firebase deploy
+    ```
+
+7.  Open the web app at: `https://<YOUR_FIREBASE_PROJECT_ID>.web.app`

okta-auth/firebase.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "predeploy": [
+      "npm --prefix \"$RESOURCE_DIR\" run lint",
+      "node setup.js -d"
+    ]
+  },
+  "hosting": {
+    "public": "public",
+    "ignore": [
+      "firebase.json",
+      "**/.*",
+      "**/node_modules/**"
+    ],
+    "predeploy": [
+      "node setup.js -d"
+    ]
+  }
+}

okta-auth/functions/.eslintrc.json

@@ -0,0 +1,123 @@
+{
+  "parserOptions": {
+    // Required for certain syntax usages
+    "ecmaVersion": 2017
+  },
+  "plugins": [
+    "promise"
+  ],
+  "extends": "eslint:recommended",
+  "rules": {
+    // Removed rule "disallow the use of console" from recommended eslint rules
+    "no-console": "off",
+
+    // Removed rule "disallow multiple spaces in regular expressions" from recommended eslint rules
+    "no-regex-spaces": "off",
+
+    // Removed rule "disallow the use of debugger" from recommended eslint rules
+    "no-debugger": "off",
+
+    // Removed rule "disallow unused variables" from recommended eslint rules
+    "no-unused-vars": "off",
+
+    // Removed rule "disallow mixed spaces and tabs for indentation" from recommended eslint rules
+    "no-mixed-spaces-and-tabs": "off",
+
+    // Removed rule "disallow the use of undeclared variables unless mentioned in /*global */ comments" from recommended eslint rules
+    "no-undef": "off",
+
+    // Warn against template literal placeholder syntax in regular strings
+    "no-template-curly-in-string": 1,
+
+    // Warn if return statements do not either always or never specify values
+    "consistent-return": 1,
+
+    // Warn if no return statements in callbacks of array methods
+    "array-callback-return": 1,
+
+    // Require the use of === and !==
+    "eqeqeq": 2,
+
+    // Disallow the use of alert, confirm, and prompt
+    "no-alert": 2,
+
+    // Disallow the use of arguments.caller or arguments.callee
+    "no-caller": 2,
+
+    // Disallow null comparisons without type-checking operators
+    "no-eq-null": 2,
+
+    // Disallow the use of eval()
+    "no-eval": 2,
+
+    // Warn against extending native types
+    "no-extend-native": 1,
+
+    // Warn against unnecessary calls to .bind()
+    "no-extra-bind": 1,
+
+    // Warn against unnecessary labels    
+    "no-extra-label": 1,
+
+    // Disallow leading or trailing decimal points in numeric literals
+    "no-floating-decimal": 2,
+
+    // Warn against shorthand type conversions
+    "no-implicit-coercion": 1,
+
+    // Warn against function declarations and expressions inside loop statements
+    "no-loop-func": 1,
+
+    // Disallow new operators with the Function object
+    "no-new-func": 2,
+
+    // Warn against new operators with the String, Number, and Boolean objects
+    "no-new-wrappers": 1,
+
+    // Disallow throwing literals as exceptions
+    "no-throw-literal": 2,
+
+    // Require using Error objects as Promise rejection reasons
+    "prefer-promise-reject-errors": 2,
+
+    // Enforce “for” loop update clause moving the counter in the right direction
+    "for-direction": 2,
+
+    // Enforce return statements in getters
+    "getter-return": 2,
+
+    // Disallow await inside of loops
+    "no-await-in-loop": 2,
+
+    // Disallow comparing against -0
+    "no-compare-neg-zero": 2,
+
+    // Warn against catch clause parameters from shadowing variables in the outer scope
+    "no-catch-shadow": 1,
+
+    // Disallow identifiers from shadowing restricted names
+    "no-shadow-restricted-names": 2,
+
+    // Enforce return statements in callbacks of array methods
+    "callback-return": 2,
+
+    // Require error handling in callbacks
+    "handle-callback-err": 2,
+
+    // Warn against string concatenation with __dirname and __filename
+    "no-path-concat": 1,
+
+    // Prefer using arrow functions for callbacks
+    "prefer-arrow-callback": 1,
+
+    // Return inside each then() to create readable and reusable Promise chains.
+    // Forces developers to return console logs and http calls in promises. 
+    "promise/always-return": 2,
+
+    //Enforces the use of catch() on un-returned promises
+    "promise/catch-or-return": 2,
+
+    // Warn against nested then() or catch() statements
+    "promise/no-nesting": 1
+  }
+}

okta-auth/functions/index.js

@@ -0,0 +1,74 @@
+/**
+ * Implements the `/api/firebaseCustomToken` endpoint, which is responsible for
+ * validating Okta access tokens and minting Firebase custom authentication
+ * tokens.
+ */
+const express = require('express');
+const app = express();
+
+// For local testing, use GOOGLE_APPLICATION_CREDENTIALS from `.env` instead of
+// the value set by the emulator. Generate a .`env` file with `setup.js`, or
+// create it manually.
+const envCfg = require('dotenv').config();
+if (envCfg.parsed && envCfg.parsed.GOOGLE_APPLICATION_CREDENTIALS) {
+    process.env.GOOGLE_APPLICATION_CREDENTIALS =
+            envCfg.parsed.GOOGLE_APPLICATION_CREDENTIALS;
+}
+
+const functions = require('firebase-functions');
+const firebaseAdmin = require('firebase-admin');
+const firebaseApp = firebaseAdmin.initializeApp();
+
+const OKTA_ORG_URL = functions.config().okta_auth.org_url
+const OktaJwtVerifier = require('@okta/jwt-verifier');
+const oktaJwtVerifier = new OktaJwtVerifier({
+    issuer: `${OKTA_ORG_URL}/oauth2/default`
+});
+
+// Update CORS_ORIGIN to the base URL of your web client before deploying or
+// using a non-standard emulator configuration.
+const CORS_ORIGIN = functions.config().okta_auth.cors_origin ||
+                    'http://localhost:5000';
+const cors = require('cors')({ origin: CORS_ORIGIN });
+
+// Middleware to authenticate requests with an Okta access token.
+// https://developer.okta.com/docs/guides/protect-your-api/nodeexpress/require-authentication/
+const oktaAuth = async (req, res, next) => {
+    const authHeader = req.headers.authorization || '';
+    const match = authHeader.match(/Bearer (.+)/);
+  
+    if (!match) {
+        res.status(401);
+        return next('Unauthorized');
+    }
+  
+    const accessToken = match[1];
+    try {
+        const jwt = await oktaJwtVerifier.verifyAccessToken(
+                accessToken, 'api://default');
+        req.jwt = jwt;
+        return next();
+    } catch (err) {
+        console.log(err.message);
+        res.status(401);
+        return next('Unauthorized');
+    }
+}
+
+// Get a Firebase custom auth token for the authenticated Okta user.
+app.get('/firebaseCustomToken', [cors, oktaAuth], async (req, res) => {
+    const oktaUid = req.jwt.claims.uid;
+    try {
+        const firebaseToken =
+                await firebaseApp.auth().createCustomToken(oktaUid);
+        res.send(firebaseToken);
+    } catch (err) {
+        console.log(err.message);
+        res.status(500).send('Error minting token.');
+    }
+});
+
+// Enable CORS pre-flight requests.
+app.options('/firebaseCustomToken', cors);
+
+exports.api = functions.https.onRequest(app);

okta-auth/functions/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "firebase-okta-auth",
+  "description": "Example of authenticating with Firebase using Okta",
+  "scripts": {
+    "lint": "eslint .",
+    "serve": "firebase emulators:start --only functions",
+    "shell": "firebase functions:shell",
+    "start": "npm run shell",
+    "deploy": "firebase deploy --only functions",
+    "logs": "firebase functions:log"
+  },
+  "engines": {
+    "node": "10"
+  },
+  "dependencies": {
+    "@okta/jwt-verifier": "^1.0.0",
+    "@okta/oidc-middleware": "^4.0.1",
+    "cors": "^2.8.5",
+    "dotenv": "^8.2.0",
+    "express": "^4.17.1",
+    "firebase-admin": "^8.13.0",
+    "firebase-functions": "^3.6.1"
+  },
+  "devDependencies": {
+    "eslint": "^5.12.0",
+    "eslint-plugin-promise": "^4.0.1",
+    "firebase-functions-test": "^0.2.0"
+  },
+  "private": true
+}