Api Key Exposure in Loopback with Openid Connect

Loopback is a widely used Node.js framework for building APIs quickly. When OpenID Connect (OIDC) is integrated, the framework typically relies on third-party authentication middleware to validate identity tokens and establish sessions. If API keys are used alongside OIDC for service-to-service authorization, and those keys are embedded in client-side code, stored in insecure locations, or transmitted over non-TLS channels, they become exposed.

The vulnerability arises when developers inadvertently expose static API keys through public-facing endpoints, logs, or error messages while relying on OIDC only for user identity. For example, an API key intended for backend-to-backend calls might be included in JavaScript bundles or environment variables that are accessible to unauthenticated attackers. middleBrick detects this by running 12 security checks in parallel, including Authentication, Data Exposure, and Unsafe Consumption, identifying whether API keys are returned in responses or leaked in client-side artifacts.

During a black-box scan, middleBrick submits the API URL without credentials and tests unauthenticated attack surfaces. It checks whether API keys appear in HTTP response headers, body content, or JavaScript files served to browsers. If OIDC is misconfigured—such as failing to validate token audiences or not enforcing HTTPS—keys might be transmitted in clear text or accepted from untrusted origins. This combination increases risk because an exposed API key can be reused to impersonate services, while OIDC’s identity layer does not protect backend authorization boundaries.

Real-world attack patterns include attackers scraping public JavaScript files for hardcoded keys or exploiting verbose error messages that reveal key locations. middleBrick’s Data Exposure and Authentication checks specifically flag scenarios where API keys are returned in responses or where weak TLS configurations allow interception. The scanner references real-world concerns such as insecure default configurations in Loopback applications and maps findings to frameworks like OWASP API Top 10 and SOC2.

Using the middleBrick CLI, developers can quickly verify if their Loopback + OIDC setup leaks keys by running middlebrick scan https://api.example.com. The tool provides a security risk score and prioritized findings with remediation guidance, helping teams identify whether keys are exposed in routes, middleware, or client-side bundles without requiring agents or credentials.

Securing Loopback with OpenID Connect requires careful configuration of middleware, token validation, and secure transport. The following code examples demonstrate how to implement OIDC securely in a Loopback application.

First, ensure that all communication uses HTTPS. Configure your Loopback application to enforce secure cookies and transport security headers. Use a well-supported OIDC client such as loopback-component-passport with a strategy like loopback-component-passport-oauth2 or a dedicated OIDC provider integration.

const loopback = require('loopback');
const passport = require('loopback-component-passport');
const OIDCStrategy = require('passport-oauth2').Strategy;

const app = loopback();
app.use(passport.initialize());

app.configure('security');

passport.use('oidc', new OIDCStrategy({
  authorizationURL: 'https://auth.example.com/oauth2/v1/authorize',
  tokenURL: 'https://auth.example.com/oauth2/v1/token',
  clientID: process.env.OIDC_CLIENT_ID,
  clientSecret: process.env.OIDC_CLIENT_SECRET,
  callbackURL: 'https://api.example.com/auth/oidc/callback',
  scope: ['openid', 'profile', 'email'],
  state: true,
  passReqToCallback: true,
},
function(req, accessToken, refreshToken, profile, done) {
  // Validate audience and issuer to prevent token substitution
  if (profile.aud !== process.env.OIDC_CLIENT_ID) {
    return done(new Error('Invalid audience'));
  }
  if (profile.iss !== 'https://auth.example.com/') {
    return done(new Error('Invalid issuer'));
  }
  return done(null, profile);
}));

app.get('/auth/oidc', passport.authenticate('oidc'));
app.get('/auth/oidc/callback',
  passport.authenticate('oidc', { failureRedirect: '/login' }),
  function(req, res) {
    res.redirect('/');
  });

// Ensure API keys are not exposed to the client
app.middleware('initial:before', function(req, res, next) {
  if (req.path.startsWith('/api/') && !req.accessToken) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  next();
});

app.start();

This configuration validates tokens properly, checks audience and issuer claims, and avoids exposing API keys in client-side contexts. API keys used for service-to-service communication should be stored securely on the server, never in browser-accessible files or logs.

Additionally, leverage the middleBrick GitHub Action to integrate security checks into your CI/CD pipeline. You can set a threshold so that builds fail if the risk score drops below an acceptable level. This ensures that any regression exposing API keys or misconfiguring OIDC is caught before deployment.

For continuous monitoring in production, the Pro plan provides scheduled scans and alerts, while the MCP Server allows you to scan APIs directly from your AI coding assistant, helping maintain secure configurations as code evolves.