To add user authentication and authorization to a Lowdefy app, you need to do the following:
- Configure an OpenID Connect provider
- Configure which pages should be public and protected (only available to logged in users).
- Add the
LoginandLogoutactions to your app, to allow users to log in and out.
Optionally, you can also:
- Use role based authorization to make certain pages available only to users with the correct roles.
An example app implementing OpenID Connect can be found here.
Lowdefy uses stateful JSON Web Tokens for user authentication, since the Lowdefy server is stateless and does not maintain a database of user sessions. This means that once a token is issued, it is valid until the token expires. Any changes to the user's access will only reflect after the token has expired, and the user obtains (or fails to obtain) a new token from the OpenID Connect provider. We recommend making sure tokens have a relatively short expiry time (the default is 4 hours), and evaluating if the security provided by this system is appropriate for your use case.
Most authorization and authentication settings are configured in the config.auth object in the Lowdefy configuration. The following config can be set:
lowdefy: 3.23.3
config:
auth:
openId:
# The url the user should be redirected to after logout.
logoutRedirectUri: [string]
# Field in the user idToken that contains the roles array.
rolesField: [string]
# The OpenID Connect scope to request. The default is 'openid profile email'.
scope: [string]
jwt:
# The length of time a user token should be valid.
expiresIn: [string | number]
pages:
# Either set all pages as protected, or list specific protected pages.
protected: [boolean | string[]]
# Either set all pages as public, or list specific public pages.
public: [boolean | string[]]
roles:
# Restrict pages to only users with a certain role.
{roleName}: string[]