Add-in Single Sign-on with a Node.js backend

I'm following the instructions at https://developer.blackbaud.com/skyapi/docs/addins/concepts/addin-sso and they seem pretty straightforward. However, I got to the point where I need to validate the UIT. The docs only give a C# example but we are using Node.
  • Do I need to use a third-party openId client?
  • Can someone point me to example code?

Comments

  • I've figured out how to do it myself and will list the steps here in case someone else is looking for this. 
    1. Client
      1. Follow Blackbaud's SSO instructions and get the ID token by calling client.getUserIdentityToken()
      2. POST to your Node server and pass the token in a header
    2. Node (Express app middleware)
      1. npm install jsonwebtoken --save
      2. Get the PEM cert
        1. await fetch('https://oauth2.sky.blackbaud.com/.well-known/openid-configuration')
        2. Read the jwks_uri value
        3. await fetch(jwks_uri)
        4. Read the JWK set  (array of keys)
        5. Parse the token header
          1. Split the token on a period
          2. Base64 decode the first element and JSON parse
          3. Extract the x5t and kid values
        6. Loop through each key and take the first one that matches either the x5t or kid
        7. Take the first element in the x5c as the cert
        8. Prepend '-----BEGIN CERTIFICATE-----' to the cert
        9. Append '-----END CERTIFICATE-----' to the cert
      3. Build an options POJO with expected algorithms, audience and issuer values.
      4. Call jwt.verify(token, cert, options, function(err, decoded) { ... });
      5. In the callback, decoded is the payload.  Handle the error or call next()
    Some links:
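
The steps in the comment above, written out as an added example (not code from the original post or from Blackbaud). It takes the already-fetched JWK set as input and uses Node's built-in crypto module in place of jsonwebtoken so it runs without dependencies; the RS256 algorithm, the caller-supplied issuer and audience values, and the makeSampleToken helper for constructed test tokens are assumptions.

```javascript
// Added example; node:crypto stands in for jsonwebtoken. Assumes RS256-signed tokens.
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Steps 2.2.5-2.2.6: read kid/x5t from the token header and pick the matching JWK.
function selectKey(token, jwks) {
  const header = b64urlJson(token.split('.')[0]);
  const jwk = jwks.keys.find((k) =>
    (header.kid && k.kid === header.kid) || (header.x5t && k.x5t === header.x5t));
  if (!jwk) throw new Error('no JWKS key matches the token header');
  return jwk;
}

// Steps 2.2.7-2.2.9: wrap the first x5c entry in PEM armor (64-character lines).
function certPemFromJwk(jwk) {
  const body = jwk.x5c[0].match(/.{1,64}/g).join('\n');
  return `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
}

// Steps 2.3-2.5: pin the algorithm, check the signature, then issuer, audience, expiry.
// keyPem may be a certificate PEM (from certPemFromJwk) or a public-key PEM.
function verifyToken(token, keyPem, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  if (b64urlJson(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), keyPem,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// Constructed-input helper: signs a sample token with a throwaway private key.
function makeSampleToken(privateKey, header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const data = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(data), privateKey);
  return `${data}.${sig.toString('base64url')}`;
}
```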
