Rethinking the Policy Agent
Zoltan Tarcsay
@tarcsayzoltan zoltan.tarcsay@gmail.com
What is Node.js?
● Node.js is a JavaScript runtime built on the latest V8
● Headless → server apps
● Async, non-blocking model
○ Callbacks, events, promises
● Package system: npm
○ ~250k packages
○ left-pad-gate (one unpublished 11-line package broke builds across the ecosystem)
○ Modular architecture
What is Express?
● Express is a minimalistic web application framework for Node.js
● Routes and “middleware”
● http://bit.ly/1pvMLIJ
● Alternatives
○ Native Node.js
○ Koa (ES6)
Small Web Apps
● Standalone & Portable
○ Node.js web apps are standalone HTTP servers (no container), so there is no servlet-container or web-server hook for a traditional policy agent
○ The usual workaround is to put a proxy (e.g. Apache) in front of the app
● Use “Middleware”
○ Analogous to servlet filters
● Lightweight
○ Little code, lots of features
● Versatile
○ They can serve different audiences (browser, client apps, CLI)
● Pluggable
○ You can plug one app into another
Problems with Today’s Policy Agents
● What is a policy agent...?
● Only work well with browsers:
○ they validate session IDs in request cookies
● Centralized
● Non-hackable (hard to customise or extend)
○ unfriendly API, platform dependent
● Limited pluggability, poor integration
○ e.g. identity reaches the app only by header injection, which the app must trust and the front end must strip from client-supplied requests
○ no way to differentiate routes or even vhosts
● Monolithic
○ one instance per server
Imagine a New Kind of Policy Agent
● Supports different kinds of protection e.g. OAuth2
● Uses the latest and greatest OpenAM APIs
● Decentralized (think microservices)
● Friendly API for better code level control and less config
● Friendly SPI for extensibility
● Allows for rich and secure integration by sharing identity and decision information with the application
● Can have many instances running in parallel
● Pluggable so that it’s only used where it’s needed
Node-openam-agent: Architecture
[Slide diagram: the App embeds an Agent. The Agent holds an Auth Client (talking to the Auth Server, OpenAM), a Session Cache and one or more Shields. A Request passes through the Shield(s), which consult the Cache and, when needed, OpenAM; the Authorized request then reaches the Request handler(s), whose Response goes back to the caller.]
Node-openam-agent: Architecture
[Slide diagram: inside one App, a Request for GET /foo/bar reaches its Request handler through Agent/Shield pairs (two are drawn) before the Response goes back out; "Other Stuff" sits alongside them.]
node-openam-agent: PolicyAgents and Shields
● A PolicyAgent is an authenticated OpenAM client
● A Shield is a protection strategy (e.g. SSO cookie or OAuth2 access_token)
● Built-in Shield implementations: CookieShield, PolicyShield, BasicAuthShield, OAuth2Shield
node-openam-agent: Pluggability
● You can have more than one PolicyAgent instance
● Any Shield instance can be used by any PolicyAgent instance
● PolicyAgent.shield() creates an Express middleware function that enforces the protection strategy
node-openam-agent: SPI
● OpenAMClient: talks to the OpenAM RESTful APIs
● Shield: executes and enforces a protection strategy
● Cache: stores and returns session data
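The PolicyAgent / Shield / Cache split described in the two slides above, and the per-route use of shields, as an added example that is not the node-openam-agent library's own code: every class, method name and fixture value here is an illustrative stand-in chosen for this page, not the package's real API. Only the shape follows the slides: agent.shield(strategy) returns an Express-style (req, res, next) middleware that fills req.session on success and answers 401/403 itself otherwise, and a shield consults the Cache before asking the OpenAMClient. Express is replaced by a small dispatch() function and OpenAM by an in-memory fixture so the file runs offline under plain Node.js; iPlanetDirectoryPro is OpenAM's default SSO cookie name.

```javascript
'use strict';
// Illustrative model of the agent/shield/cache split; not openam-agent's code.
class AuthError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// OpenAMClient stand-in: would call OpenAM's REST APIs; backed by fixture data.
class FakeOpenAMClient {
  constructor() {
    // Constructed fixture: one SSO session and one OAuth2 token "known to OpenAM".
    this.sessions = { 'sid-alice-1': { uid: 'alice' } };
    this.tokens = { 'tok-bob-read': { sub: 'bob', scope: ['read'] } };
    this.calls = 0; // round trips to the auth server; shows the cache working
  }
  async validateSession(sid) {
    this.calls++;
    const s = this.sessions[sid];
    return s ? { valid: true, uid: s.uid } : { valid: false };
  }
  async tokenInfo(token) {
    this.calls++;
    const t = this.tokens[token];
    return t ? { valid: true, sub: t.sub, scope: t.scope } : { valid: false };
  }
}

// Cache stand-in: session data keyed by credential, expiring after ttlMs.
class MemoryCache {
  constructor(ttlMs) { this.ttlMs = ttlMs; this.map = new Map(); }
  get(key) {
    const e = this.map.get(key);
    if (!e || Date.now() > e.expires) { this.map.delete(key); return undefined; }
    return e.value;
  }
  put(key, value) { this.map.set(key, { value, expires: Date.now() + this.ttlMs }); }
}

// PolicyAgent: an authenticated client plus a cache. shield() wraps any Shield
// as Express-style middleware: on success it fills req.session and calls next();
// on failure it answers 401/403 itself, so the handler behind it never runs.
class PolicyAgent {
  constructor(client, cache) { this.client = client; this.cache = cache; }
  shield(strategy) {
    return async (req, res, next) => {
      try { req.session = await strategy.evaluate(req, this); next(); }
      catch (err) { res.status(err.status || 500).send(err.message); }
    };
  }
}

// Shield 1: validate an SSO session cookie, consulting the cache first.
class CookieShield {
  constructor(cookieName) { this.cookieName = cookieName; }
  async evaluate(req, agent) {
    const sid = (req.cookies || {})[this.cookieName];
    if (!sid) throw new AuthError(401, 'no SSO cookie');
    const key = 'sso:' + sid;
    let session = agent.cache.get(key);
    if (!session) {
      const r = await agent.client.validateSession(sid);
      if (!r.valid) throw new AuthError(401, 'invalid session');
      session = { uid: r.uid };
      agent.cache.put(key, session);
    }
    return session;
  }
}

// Shield 2: OAuth2 bearer token for non-browser clients, requiring a scope.
class OAuth2Shield {
  constructor(requiredScope) { this.requiredScope = requiredScope; }
  async evaluate(req, agent) {
    const m = /^Bearer (\S+)$/.exec((req.headers || {}).authorization || '');
    if (!m) throw new AuthError(401, 'missing bearer token');
    const info = await agent.client.tokenInfo(m[1]);
    if (!info.valid) throw new AuthError(401, 'invalid token');
    if (!info.scope.includes(this.requiredScope)) throw new AuthError(403, 'insufficient scope');
    return { uid: info.sub, scope: info.scope };
  }
}

// Minimal Express-like dispatcher: runs a route's middleware chain in order and
// stops as soon as one middleware does not call next().
async function dispatch(chain, req) {
  const res = { statusCode: 200, body: '',
    status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; return this; } };
  for (const mw of chain) {
    let next = false;
    await mw(req, res, () => { next = true; });
    if (!next) break;
  }
  return res;
}

// One agent, three routes, each guarded by the shield that fits its audience.
async function demo() {
  const client = new FakeOpenAMClient();
  const agent = new PolicyAgent(client, new MemoryCache(60 * 1000));
  const page = [agent.shield(new CookieShield('iPlanetDirectoryPro')),
    (req, res) => res.send('hello ' + req.session.uid)];
  const apiRead = [agent.shield(new OAuth2Shield('read')),
    (req, res) => res.send(JSON.stringify({ user: req.session.uid }))];
  const apiWrite = [agent.shield(new OAuth2Shield('write')),
    (req, res) => res.send('wrote as ' + req.session.uid)];
  const cookie = { cookies: { iPlanetDirectoryPro: 'sid-alice-1' } };
  const bearer = (t) => ({ headers: { authorization: 'Bearer ' + t } });
  const out = {};
  out.noCookie = await dispatch(page, { cookies: {} });
  out.goodCookie = await dispatch(page, cookie);
  out.cachedCookie = await dispatch(page, cookie);
  out.callsAfterPages = client.calls; // 1: the second page hit came from the cache
  out.badToken = await dispatch(apiRead, bearer('nope'));
  out.readToken = await dispatch(apiRead, bearer('tok-bob-read'));
  out.writeToken = await dispatch(apiWrite, bearer('tok-bob-read'));
  return out;
}

demo().then((o) => console.log(JSON.stringify(o, null, 1)));
```

Two things the slides' bullets state but a diagram cannot show are visible here: the handler only ever sees req.session after a decision has been made, which is what makes in-process sharing safer than trusting injected headers, and the cache TTL is exactly the window in which a session revoked at OpenAM is still honoured locally, so it should be chosen with that in mind.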
Demo
Can node-openam-agent Do Everything?
● Supports various protection strategies (e.g. OAuth2)
● API: all features exposed; works with Promises
● SPI: easy to extend
● Closer to the app’s code
● Lightweight → embed in the app → run in Docker, Heroku, etc.
● Shares identity or decision information in the req.session object
● Supports multiple agent instances
● Each route can have its own shield(s)
● Notifications (legacy)
● CDSSO (legacy)
Questions
Resources
● https://nodejs.org/en/
● https://www.npmjs.com/
● http://expressjs.com/
● https://backstage.forgerock.com/#!/docs/openam
● https://github.com/zoltantarcsay/node-openam-agent
● https://github.com/zoltantarcsay/node-openam-agent-demo
● https://www.npmjs.com/package/openam-agent