Authorization plugins add a security layer to Koop. There are a few important facts to understand when using an authorization plugin:

  • An authorization plugin is only effective for securing routes generated by output service plugins (a.k.a., plugin-routes). Custom routes defined by the provider will not be secured by registering an authorization plugin.

  • Successfully securing your plugin-routes depends on authorization support from any output-plugins you may be using. By default, Koop includes koop-output-geoservices (a.k.a. feature service output), which supports securing services with authorization plugins.

  • Authorization plugins should be registered after output-services plugins and before providers. Any providers registered before an authorization plugin will not have their plugin-routes secured.


Usage of an authorization-plugin can be conceptually divided into three parts: (1) configuration, (2) registration with Koop, and (3) use in output-services. An example using koop-auth-direct-file provides the best illustration of usage.

// Initialize Koop
const Koop = require('@koopjs/koop-core')
const koop = new Koop()

// Koop has already added koop-output-geoservices (i.e. FeatureServer routes) by default
// Add any other output plugins here

// Configure the auth plugin by executing its exported function with required args
const auth = require('@koopjs/auth-direct-file')('pass-in-your-secret', `path/to/identity-store`)

// Register any providers you want to omit from koop auth
const github = require('@koopjs/provider-github')
koop.register(github)

// Register the auth plugin
koop.register(auth)

// Register any providers you want secured by koop auth
const s3Select = require('@koopjs/provider-s3-select')
koop.register(s3Select)

Plugin registration order

The order in which you register your providers and authorization plugins will affect functionality. The key points are:

  • Providers registered before the authorization plugin will not be secured
  • Providers registered after the authorization plugin will be secured

In the above implementation, the authorization plugin would be applied to feature server routes for the S3 Select provider. Note that the routes for the GitHub provider would not be protected, because the GitHub provider is registered before the auth plugin.
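Because a provider registered too early is left unsecured without any error, the ordering rules above can be checked at startup before the plugins are handed to Koop. The following is an added example, not code from Koop or this page: the helper names are hypothetical, and it assumes each plugin object exposes a `name` and a `type` of 'output', 'auth' or 'provider'.

```javascript
// Added example, not Koop code. Assumes each plugin object carries `name` and
// `type` ('output' | 'auth' | 'provider'); helper names are hypothetical.
function auditRegistrationOrder (plugins) {
  const report = { secured: [], unsecured: [], warnings: [] }
  let authName = null
  for (const { name, type } of plugins) {
    if (type === 'auth') {
      authName = authName || name
    } else if (type === 'output' && authName) {
      // Auth plugins should be registered after output plugins
      report.warnings.push(`output plugin "${name}" registered after auth plugin "${authName}"`)
    } else if (type === 'provider') {
      // Only providers registered after the auth plugin get secured plugin-routes
      if (authName) report.secured.push(name)
      else report.unsecured.push(name)
    }
  }
  if (!authName) report.warnings.push('no authorization plugin registered')
  return report
}

// Fail closed at startup: throw unless every unsecured provider is on an allow-list.
// Custom routes defined by a provider are outside this check; the auth plugin never covers them.
function assertRegistrationOrder (plugins, allowUnsecured = []) {
  const report = auditRegistrationOrder(plugins)
  const unexpected = report.unsecured.filter(name => !allowUnsecured.includes(name))
  if (unexpected.length > 0) {
    throw new Error(`providers registered before auth plugin: ${unexpected.join(', ')}`)
  }
  if (report.warnings.length > 0) throw new Error(report.warnings.join('; '))
  return report
}

// Constructed stubs mirroring the registration order shown on this page
const pageOrder = [
  { name: 'github', type: 'provider' },
  { name: 'auth-direct-file', type: 'auth' },
  { name: 's3-select', type: 'provider' }
]
// The GitHub provider is deliberately left open here, so it is allow-listed
const pageReport = assertRegistrationOrder(pageOrder, ['github'])
console.log(pageReport)
```

Calling `assertRegistrationOrder` on the same array that is then passed, item by item, to `koop.register` keeps the check and the real registration order from drifting apart.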
