Right now, the logout link signs the user out of this application, but does not also sign them out of login.gov. There are situations where this is desirable, however there are also situations where it would be desirable to also sign the user out of login.gov. For demonstration purposes, this application should present the user with an option to do either.

See: https://developers.login.gov/openid-connect/#logout-request for information about making the logout request:

https://idp.int.login.gov/openid_connect/logout?
  id_token_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiMmQyZDExNS0xZDdlLTQ1NzktYjlkNi1mOGU4NGY0ZjU2Y2EiLCJpc3MiOiJodHRwczovL2lkcC5pbnQubG9naW4uZ292IiwiYWNyIjoiaHR0cDovL2lkbWFuYWdlbWVudC5nb3YvbnMvYXNzdXJhbmNlL2xvYS8xIiwibm9uY2UiOiJhYWQwYWE5NjljMTU2YjJkZmE2ODVmODg1ZmFjNzA4MyIsImF1ZCI6InVybjpnb3Y6Z3NhOm9wZW5pZGNvbm5lY3Q6ZGV2ZWxvcG1lbnQiLCJqdGkiOiJqQzdOblU4ZE5OVjVsaXNRQm0xanRBIiwiYXRfaGFzaCI6InRsTmJpcXIxTHIyWWNOUkdqendsSWciLCJjX2hhc2giOiJoWGpxN2tPcnRRS196YV82dE9OeGN3IiwiZXhwIjoxNDg5Njk0MTk2LCJpYXQiOjE0ODk2OTQxOTgsIm5iZiI6MTQ4OTY5NDE5OH0.pVbPF-2LJSG1fE9thn27PwmDlNdlc3mEm7fFxb8ZADdRvYmDMnDPuZ3TGHl0ttK78H8NH7rBpH85LZzRNtCcWjS7QcycXHMn00Cuq_Bpbn7NRdf3ktxkBrpqyzIArLezVJJVXn2EeykXMvzlO-fJ7CaDUaJMqkDhKOK6caRYePBLbZJFl0Ri25bqXugguAYTyX9HACaxMNFtQOwmUCVVr6WYL1AMV5WmaswZtdE8POxYdhzwj777rkgSg555GoBDZy3MetapbT0csSWqVJ13skWTXBRrOiQQ70wzHAu_3ktBDXNoLx4kG1fr1BiMEbHjKsHs14X8LCBcIMdt49hIZg&
  post_logout_redirect_uri=${REDIRECT_URI}&
  state=abcdefghijklmnopabcdefghijklmnop

Add a CONTRIBUTING.md file, with adapted content from the 18F default.

It might be helpful to deploy this app to a production environment.

Similar to other example login.gov client applications, there is an opportunity to deploy it to a login.gov sub-domain, for inclusion in the identity-dashboard and for more realistic client demonstration purposes.

Also, preparing the app to be deployed to production might prove useful for developers looking to adapt this app in the future, decreasing the effort required on their part.

If deploying to production, some considerations include session security and server logging. And identity-idp will need to be re-configured to recognize the new environment. And devops will probably need to help set up the subdomain.

Express Secure Sessions Reference:

• https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely
• https://github.com/18F/fs-permit-platform/blob/27f171f4cd7ec1e0a75e4c3dcf2692768aaf8ffb/server/src/app.es6#L37-L48
• https://github.com/expressjs/cookie-session

As described in the README, there is an issue with the way the openid-client package interacts with a locally-running identity-idp instance.

Error:

{ RequestError: connect ECONNREFUSED 127.0.0.1:3000
    at ClientRequest.req.once.err (/Users/username/projects/my-identity-sp/node_modules/openid-client/node_modules/got/index.js:219:22)
    at Object.onceWrapper (events.js:315:30)
    at emitOne (events.js:121:20)
    at ClientRequest.emit (events.js:211:7)
    at Socket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at Socket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:64:8)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)
  name: 'RequestError',
  code: 'ECONNREFUSED',
  host: 'localhost:3000',
  hostname: 'localhost',
  method: 'GET',
  path: '/.well-known/openid-configuration',
  protocol: 'http:',
  url: 'http://localhost:3000/.well-known/openid-configuration' }

Right now there are certain workarounds for the issue (namely, running identity-idp with rails s -b 0.0.0.0 instead of make run), but this encumbers the full functionality of identity-idp, requiring additional work-arounds for the account creation process and the LOA3 setup process.

I have filed an issue with the openid-client package in hopes of learning more about how to resolve the issue.

After authentication, when the URL comes back to localhost, I see the following error in the browser:

id_token issued in the future
AssertionError [ERR_ASSERTION]: id_token issued in the future
at Client.validateIdToken (D:\Work\login\node_modules\openid-client\lib\client.js:469:7)
at grant.then.then.tokenset (D:\Work\login\node_modules\openid-client\lib\client.js:333:32)
at process._tickCallback (internal/process/next_tick.js:68:7)

I am using the Sandbox Environment to test this. Please help me as to what can be done to fix this.

The following scenarios should be tested (maybe):

Login Test

1. Unauthenticated user visits home page, and clicks "Login with LOA1".
2. Expect to be redirected to a localhost login.gov URL - will probably need to be mocked/faked to avoid having to run the identity-idp server locally (so that begs the question of how valuable this test would be in general)
3. User clicks "Sign In" then "Next" then "Submit"
4. Expect to be redirected to the /profile page.

Passport Authentication Test

1. Unauthenticated user visits profile page.
2. Expect to be redirected back to the home page.

Remove the fork relationship between this repo and the personal repo.

Change License to Public Domain: https://github.com/18F/open-source-policy

@s2t2 Hi Mike I was interested in knowing if there is any way to integrate Login.gov with a react or angular apps something similar to Google Login as I was looking at the documentation but can't find anything related.

When following the setup instructions I receive:

Redirect uri redirect_uri does not match registered redirect_uri

Unable to test authentication.

As described in the README, this application should allow the user to additionally/alternatively authenticate against the integration server (https://idp.int.login.gov/).

The application should check the value of an environment variable called LOGIN_GOV_DISCOVERY_URL and use that value during discovery.

Right now this application's credentials are waiting to be merged and deployed to the integration server, but it should be possible to develop this feature in the meantime using the example Sinatra application's credentials.