This project is focused on providing web client support for the OpenTDF platform. This includes encrypting and decrypting TDF content, and some management tasks for ABAC.
import { AuthProviders, NanoTDFClient } from '@opentdf/sdk';
// Configuration Options
const kasEndpoint = "http://localhost:65432/kas";
// Authentication options (vary by middleware)
const oidcOrigin = "http://localhost:65432/auth/realms/opentdf";
const clientId = "applicationNameFromIdP";
const refreshToken = "refreshTokenValueFromIdP";
// AuthProviders are middlewares that add `Authorization` or other bearer tokens to requests.
// These include The `refresh` provider can be handed a refresh and optional access token.
const authProvider = await AuthProviders.refreshAuthProvider({
clientId,
exchange: 'refresh',
refreshToken,
oidcOrigin,
});
const client = new NanoTDFClient({
authProvider,
kasEndpoint,
});
client.dataAttributes = ["http://opentdf.io/attr/class/value/secret"]
const cipherText = await client.encrypt(plainText);
const clearText = await client.decrypt(cipherText);
For long running server-side apps, a client id + secret is allowed with OAuth2. This should not be used in a browser, but within a Deno or Node process.
import { AuthProviders } from '@opentdf/sdk';
// Authentication options (vary by middleware)
const oidcOrigin = "http://localhost:65432/auth/realms/opentdf";
const clientId = "username";
const clientSecret = "IdP_GENERATED_SECRET";
const authProvider = await AuthProviders.clientSecretAuthProvider({
clientId,
clientSecret,
oidcOrigin,
exchange: 'client',
});
The refreshAuthProvider
and externalAuthProvder
allow the application developer to use existing tokens.
import { AuthProviders, NanoTDFClient } from '@opentdf/sdk';
const oidcCredentials: RefreshTokenCredentials = {
clientId: keycloakClientId,
exchange: 'refresh',
refreshToken: refreshToken,
oidcOrigin: keycloakUrlWithRealm,
}
A more complete example of using an OIDC compatible provider
with support for authorization code flow with PKCE and DPoP
is available in the sample web-app
folder
make
Developing with this code requires a recent version of npm
and node
.
We develop using nvm,
which allows us to pin to the same version of npm
easily.
- Install nvm
- see https://github.com/nvm-sh/nvm#installing-and-updating
nvm use
will installnpm
andnode
To check out, build, and validate your installation, and test the sample web application, you may:
nvm use
make test
make start
Version 2 of this library adds support for ABAC management tasks. This is provided with the opentdf Platform.
scripts/platform.sh
This will clone the platform repo and generate Typescript code in lib/src/platform
.
import { GetAttributeRequest } from './lib/src/platform/policy/attributes/attributes_pb';
import { Attribute, AttributeRuleTypeEnum } from './lib/src/platform/policy/objects_pb';
import {
createConnectTransport,
} from '@connectrpc/connect-web'
import {
createPromiseClient,
} from '@connectrpc/connect'
const attrData = {
name: "my-attr",
rule: AttributeRuleTypeEnum.ALL_OF,
namespace: {name: 'my-namespace'},
values: [{value: 'my-value'}],
active: true,
extraField: 'this will be ignored' // only proto defined fields and value types are respected
}
const attr = new Attribute(attrData);
console.log(attr.toJson());
// {
// namespace: { name: 'my-namespace' },
// name: 'my-attr',
// rule: 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF',
// values: [ { value: 'my-value' } ],
// active: true
// }
const req = new GetAttributeRequest({id: 'uuid-here'});
const client = createPromiseClient(
AttributesService,
createConnectTransport({
baseUrl: 'localhost:8080',
})
)
This is an example to instantiate an Attribute
and create a GetAttributeRequest
.