Supporting machine-to-machine security

M2M security

Adding support for machine-to-machine security to our API takes just a few steps. We need to add a few modules to our project that contain the functionality to communicate with OAuth providers and evaluate JWTs. We also need to modify our own API service interface to look for and process JWTs when they appear. Finally, we need to import the OAuth authentication parameters we collected from the third-party provider.

Company-secure: For the example in this chapter, we’ve forked the existing company sample API service to one named company-secure. We’ll show excerpts from that example as we walk through the steps to secure a Node/Express API project.

Adding security modules to our Node.js project

First, let’s add the following security modules to our Node.js project. These provide support for JWTs and OAuth:

• jsonwebtokens: Node.js implementation of the JWT standard.
• jwks-rsa: RSA signing keys for JWTs.
• express-jwt: Express.js middleware for validating JWTs.
• express-jwt-authz: Express.js middleware for supporting OAuth.

The following is the online npm command for installing all four modules and updating our package.json file:

npm install -s jwks-rsa jsonwebtoken \
  express-jwt express-jwt-authz

This sets the foundation for implementing OAuth for our API service. The next step is to add supporting code to our project.