We’ve refactored the authentication component to be more extensible and easier to use.

Now you can secure your endpoints with both passport-based and LoopBack native authentication strategies that implement the interface AuthenticationStrategy.

The new design greatly simplifies the effort of application developers and extension developers since they now only need to focus on binding strategies to the application without having to understand/modify the strategy resolver or the action provider.

The core of the authentication component is available in @loopback/authentication version 2.x, and the passport-based capabilities are now available in @loopback/authentication-passport.

Here is a high-level overview of the authentication component.

[Figure: high-level overview of the authentication component]

  • A decorator to express an authentication requirement on controller methods
  • A provider to access method-level authentication metadata
  • An action in the REST sequence to enforce authentication
  • An extension point to discover all authentication strategies and handle the delegation

Detailed documentation about the design and usage of @loopback/authentication@2.x can be found here.

As an application developer, you only need 3 steps to secure your endpoints:

  • Decorate the endpoints of a controller with the @authenticate(strategyName, options?) decorator
  • Insert the authentication action in a custom sequence
  • Register the authentication strategy
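The three steps above, modeled without any LoopBack dependency so the control flow is visible. This is an added example, not code from this post or from @loopback/authentication. Every name except the `AuthenticationStrategy` interface is hypothetical, the token table is constructed sample data, and the handling of undecorated methods and unregistered strategies is this model's assumption.

```typescript
// Dependency-free model of the flow; all names except AuthenticationStrategy are hypothetical.
interface UserProfile { id: string; name?: string }
interface Req { headers: Record<string, string | undefined> }

// Modeled on the AuthenticationStrategy interface the post refers to.
interface AuthenticationStrategy {
  name: string;
  authenticate(request: Req): Promise<UserProfile | undefined>;
}

const unauthorized = (msg: string) => Object.assign(new Error(msg), {statusCode: 401});

// A native strategy: looks the bearer token up in a constructed token table.
class StaticTokenStrategy implements AuthenticationStrategy {
  name = 'static-token';
  tokens: Map<string, UserProfile>;
  constructor(tokens: Map<string, UserProfile>) { this.tokens = tokens; }
  async authenticate(request: Req): Promise<UserProfile | undefined> {
    const token = /^Bearer (.+)$/.exec(request.headers['authorization'] ?? '')?.[1];
    const user = token ? this.tokens.get(token) : undefined;
    if (!user) throw unauthorized('missing or invalid bearer token');
    return user;
  }
}

// Step 1 stand-in: what @authenticate('static-token') records per controller method.
const authMetadata = new Map<string, string>([['UserController.whoAmI', 'static-token']]);

// Step 3 stand-in: strategies registered by name (the extension point).
const strategies = new Map<string, AuthenticationStrategy>();
function registerStrategy(s: AuthenticationStrategy): void { strategies.set(s.name, s); }

// Step 2 stand-in: the authentication action a sequence runs before invoking the method.
async function authenticateRequest(endpoint: string, request: Req): Promise<UserProfile | undefined> {
  const strategyName = authMetadata.get(endpoint);
  // Undecorated method: no check runs, so a forgotten decorator leaves the endpoint open.
  if (strategyName === undefined) return undefined;
  const strategy = strategies.get(strategyName);
  // Fail closed when the decorator names a strategy nobody registered.
  if (!strategy) throw unauthorized(`strategy '${strategyName}' is not registered`);
  return strategy.authenticate(request);
}

registerStrategy(new StaticTokenStrategy(
  new Map([['constructed-token-123', {id: 'u1', name: 'alice'}]]), // constructed sample data
));
```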

As an extension developer, you can contribute a LoopBack native authentication strategy by following the steps in Creating a Custom Authentication Strategy, or a passport-based authentication strategy by following the steps in Wrapping a Passport-based Strategy with the Passport Strategy Adapter.

A tutorial and reference implementation on how to add JWT authentication to a LoopBack 4 application using @loopback/authentication@2.x can be found here. It involves an updated version of the example shopping cart application.

Looking for User References

As you might be aware, our loopback.io web site has a brand new look. We’re rebuilding the "Who's using LoopBack" section to showcase our users and the use cases. If you would like to be a part of it, see the details in this GitHub issue.

Call to Action

LoopBack’s future success depends on you. We appreciate your continuous support and engagement to make LoopBack even better and meaningful for your API creation experience. Please join us and help the project by: