Protecting resources on Node.js servers

You can protect your resources that are running on Node.js servers with OAuth-based IBM MobileFirst™ Platform Foundation security.


The passport-mfp-token-validation npm module provides a passport validation strategy and a verification function to validate access tokens and ID tokens that are issued by the MobileFirst server.

passport.use(new mfpStrategy(options));

The options parameter contains one or more of the following options:
  • publicKeyServerUrl: (Mandatory) Specifies the URL of the MobileFirst Server from which the public key will be retrieved to verify the tokens.
    Note: Alternatively, you can pass the public key server URL as a parameter to the passport.authenticate method. (See Example.)
  • scope: Space-separated string to define the list of realm names that are required for accessing the resource. If no scope is specified, only the mandatory scope will be checked in the token.
    Note: Alternatively, you can pass the scope as a parameter to the passport.authenticate method. (See Example.)
  • cacheSize: The maximum number of tokens allowed. The default value is 500.
  • logger: Defines a logger instance. The default value is the IBM® default logger, which outputs log messages to the console.
  • analytics.onpremise:
    • url: The URL that specifies the location of the operational analytics server. For example, http://localhost:10080/worklight-analytics-service/data.
    • username: The username if credentials are required.
    • password: The password if credentials are required.

For more information about the passport npm module, see the Passport readme. For more information about the passport.authenticate method, see Authenticate.


The following example shows how to use mfpStrategy in a node application:
  var express = require('express'),
      passport = require('passport-mfp-token-validation').Passport,
      mfpStrategy = require('passport-mfp-token-validation').Strategy;

  // The analytics configuration ('config') is optional; supply it only if
  // you wish to report events to the Analytics Server.
  var config = {
      url : 'http://localhost:10080/worklight-analytics-service/data',
      username : 'admin',
      password : 'admin'
  };

  passport.use(new mfpStrategy({publicKeyServerUrl : 'http://localhost:10080/WLProject',
      analytics : {onpremise : config}}));

  var app = express();

  // Protect the API with the MFP strategy, requiring the scope "Realm1 Realm2 Realm3".
  // session:false because every request carries its own bearer tokens.
  app.get('/v1/apps/:appid/service', passport.authenticate('mobilefirst-strategy',
          {session : false, scope : 'Realm1 Realm2 Realm3'}),
      function(req, res) {
          // The strategy attaches the security context to the request on success.
          res.status(200).send(req.securityContext);
      });

  app.listen(3000);

To start the example, issue the following commands:
  $ npm install express
  $ npm install passport
  $ npm install passport-mfp-token-validation

Token verification

The passport-mfp-token-validation module verifies the authorization header of the request. The authorization header consists of the following elements:
Bearer Access_token ID_token

  • Bearer: (Mandatory) The required string for the token type, as defined in the OAuth 2.0 specification.
  • Access_token: (Mandatory) Encapsulates all of the security checks that the client has passed in the authorization phase.
  • ID_token: (Optional) Contains information about the user and device identity of the client.

Bearer and Access_token are mandatory. ID_token is optional. The passport-mfp-token-validation module will verify the token with the public key that is retrieved from the authorization server. If the token is verified successfully, the securityContext and user objects will be attached to the request object.

After a successful validation, a security context object is added to the current request.
The securityContext object contains the following fields:
  • imf.sub: The sub value of the ID token or the unique ID of the client if there is no ID token.
  • imf.user: The user value that is extracted from the ID token. If there is no ID token, this field holds a blank object.
  • imf.device: The device value that is extracted from the ID token. If there is no ID token, this field holds a blank object.
  • imf.application: The application value that is extracted from the ID token. If there is no ID token, this field holds a blank object.
The user object in the request is returned by the passport framework. Its value is the same as the value of imf.user in the securityContext object.