Search…
Getting Started
Technical overview
Overview
Architectural Decision Records
API Design Guide
Island.is Authentication Service
Code Reviews
Code Standards
Devops
Feature Flags
Monorepo
Personas
Pósthólfið
Teamwork
Technical Direction
X-Road / Straumurinn
Repository
AWS Secrets
External Contributions
Generating a New Project
GitBook Contributions
OpenAPI
Auto Generated Schemas
Workspace Settings
Apps
Air Discount Scheme
API
Application System
Financial Aid System for Samband Sveitarfélaga
Judicial System
Reference Backend
Reference Next App
Service Portal
Services
Car Recycling - Skilavottorð
Web
Libs
API
API Catalogue
Application
Auth
Auth API Lib
Auth Nest Tools
Clients
CMS
CMS Translations
Content Search Index Manager
Content Search Indexer
Content Search Metrics
Content Search Toolkit
Contentful Extensions Overview
Dokobit Signing
Email Service
Feature Flags
Health Insurance
Island UI
Localization
Message Queue
Nest Modules
Next Ids Auth Lib
NOVA SMS
Plausible
React Libraries
Regulations
Residence History
Service Portal
Shared
Testing
User Monitoring
Reference
Problems
Misc
Guide: Adding a Payment Step to an Application
Guide: Enable Organisations to Make Requests to an Application
GitBook Template
Glossary
Powered By GitBook
Auth Nest Tools
This library contains a reusable module (AuthModule) with guards that can be used to protect other REST controllers and GraphQL resolvers.

Using guards

There are a couple of guards available.
  • IdsUserGuard: validates that the request has a valid JWT bearer authorization from our identity server and checks that it has a nationalId claim, representing an authenticated user. Information from the JWT can be accessed using the CurrentAuth and CurrentUser parameter decorators.
  • IdsAuthGuard: same as IdsUserGuard but does not verify the nationalId claim. Information from the JWT can be accessed using the CurrentAuth parameter decorator.
  • ScopesGuard: checks if the access token has required scopes. These can be configured using the Scopes decorator.
You should generally add IdsUserGuard and ScopesGuard to endpoints that return user resources for the authenticated user. You can use IdsAuthGuard for endpoints that need to be available for clients authenticating with client credentials.

Configuration

Import and configure the AuthModule, example:
@Module({
imports: [
AuthModule.register({
audience: 'protected_resource',
issuer: 'https://localhost:6001',
}),
where audience is the name your resource was registered under in IdS and issuer the IdS url.

Using in REST controller

Decorate the controller with @UseGuards:
@UseGuards(IdsUserGuard, ScopesGuard)
@Controller('clients')
export class ClientsController {
and individual protected methods with @Scopes:
@Scopes('protected_resource/read', 'protected_resource/admin')
@Get(':id')
@ApiOkResponse({ type: Client })
async findOne(@Param('id') id: string): Promise<Client> {
// ...
}
If no @Scopes are applied to a method, then no access control is enforced for that method.
Information about the logged in user can be obtained by adding @CurrentUser() user: User as an input parameter to the controller method.

Using in GraphQL resolver

Decorate the resolver with @UseGuards:
@UseGuards(IdsUserGuard, ScopesGuard)
@Resolver()
export class UserProfileResolver {
and individual protected methods with @Scopes:
@Scopes('userProfileScope')
@Query(() => UserProfile, { nullable: true })
async getUserProfile(@CurrentUser user: User) {
// ... user.nationalId
}
If no @Scopes are applied to a method, then no access control is enforced for that method.
Information about the logged in user can be obtained by adding @CurrentUser() user: User as an input parameter to the resolver method.

Opting out of auth

If a small subsection of your controller or app has public endpoints you can explicitly opt out of auth for those sections.
Decorate the resolver or controller with @BypassAuth:
@BypassAuth()
@Controller('clients')
export class ClientsController {
Previous
Migrating Data in the IDS
Next - Libs
Clients
Last modified 1yr ago
Copy link
On this page
Using guards
Configuration
Using in REST controller
Using in GraphQL resolver
Opting out of auth