• Stars
    star
    3,417
  • Rank 13,084 (Top 0.3 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 12 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OAuth 2.0 authorization server toolkit for Node.js.

OAuth2orize

OAuth2orize is an authorization server toolkit for Node.js. It provides a suite of middleware that, combined with Passport authentication strategies and application-specific route handlers, can be used to assemble a server that implements the OAuth 2.0 protocol.


Advertisement
Node.js API Masterclass With Express & MongoDB
Create a real world backend for a bootcamp directory app


Status: Build Coverage Dependencies

Install

$ npm install oauth2orize

Usage

OAuth 2.0 defines an authorization framework, allowing an extensible set of authorization grants to be exchanged for access tokens. Implementations are free to choose what grant types to support, by using bundled middleware to support common types or plugins to support extension types.

Create an OAuth Server

Call createServer() to create a new OAuth 2.0 server. This instance exposes middleware that will be mounted in routes, as well as configuration options.

var server = oauth2orize.createServer();

Register Grants

A client must obtain permission from a user before it is issued an access token. This permission is known as a grant, the most common type of which is an authorization code.

server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done) {
  var code = utils.uid(16);

  var ac = new AuthorizationCode(code, client.id, redirectURI, user.id, ares.scope);
  ac.save(function(err) {
    if (err) { return done(err); }
    return done(null, code);
  });
}));

OAuth2orize also bundles support for implicit token grants.

Register Exchanges

After a client has obtained an authorization grant from the user, that grant can be exchanged for an access token.

server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
  AuthorizationCode.findOne(code, function(err, code) {
    if (err) { return done(err); }
    if (client.id !== code.clientId) { return done(null, false); }
    if (redirectURI !== code.redirectUri) { return done(null, false); }

    var token = utils.uid(256);
    var at = new AccessToken(token, code.userId, code.clientId, code.scope);
    at.save(function(err) {
      if (err) { return done(err); }
      return done(null, token);
    });
  });
}));

OAuth2orize also bundles support for password and client credential grants. Additionally, bundled refresh token support allows expired access tokens to be renewed.

Implement Authorization Endpoint

When a client requests authorization, it will redirect the user to an authorization endpoint. The server must authenticate the user and obtain their permission.

app.get('/dialog/authorize',
  login.ensureLoggedIn(),
  server.authorize(function(clientID, redirectURI, done) {
    Clients.findOne(clientID, function(err, client) {
      if (err) { return done(err); }
      if (!client) { return done(null, false); }
      if (client.redirectUri != redirectURI) { return done(null, false); }
      return done(null, client, client.redirectURI);
    });
  }),
  function(req, res) {
    res.render('dialog', { transactionID: req.oauth2.transactionID,
                           user: req.user, client: req.oauth2.client });
  });

In this example, connect-ensure-login middleware is being used to make sure a user is authenticated before authorization proceeds. At that point, the application renders a dialog asking the user to grant access. The resulting form submission is processed using decision middleware.

app.post('/dialog/authorize/decision',
   login.ensureLoggedIn(),
   server.decision());

Based on the grant type requested by the client, the appropriate grant module registered above will be invoked to issue an authorization code.

Session Serialization

Obtaining the user's authorization involves multiple request/response pairs. During this time, an OAuth 2.0 transaction will be serialized to the session. Client serialization functions are registered to customize this process, which will typically be as simple as serializing the client ID, and finding the client by ID when deserializing.

server.serializeClient(function(client, done) {
  return done(null, client.id);
});

server.deserializeClient(function(id, done) {
  Clients.findOne(id, function(err, client) {
    if (err) { return done(err); }
    return done(null, client);
  });
});

Implement Token Endpoint

Once a user has approved access, the authorization grant can be exchanged by the client for an access token.

app.post('/token',
  passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
  server.token(),
  server.errorHandler());

Passport strategies are used to authenticate the client, in this case using either an HTTP Basic authentication header (as provided by passport-http) or client credentials in the request body (as provided by passport-oauth2-client-password).

Based on the grant type issued to the client, the appropriate exchange module registered above will be invoked to issue an access token. If an error occurs, errorHandler middleware will format an error response.

Implement API Endpoints

Once an access token has been issued, a client will use it to make API requests on behalf of the user.

app.get('/api/userinfo', 
  passport.authenticate('bearer', { session: false }),
  function(req, res) {
    res.json(req.user);
  });

In this example, bearer tokens are issued, which are then authenticated using an HTTP Bearer authentication header (as provided by passport-http-bearer)

Examples

This example demonstrates how to implement an OAuth service provider, complete with protected API access.

Related Modules

Debugging

oauth2orize uses the debug module. You can enable debugging messages on the console by doing export DEBUG=oauth2orize before running your application.

License

The MIT License

Copyright (c) 2012-2021 Jared Hanson <https://www.jaredhanson.me/>

More Repositories

1

passport

Simple, unobtrusive authentication for Node.js.
JavaScript
21,911
star
2

passport-local

Username and password authentication strategy for Passport and Node.js.
JavaScript
2,669
star
3

passport-facebook

Facebook authentication strategy for Passport and Node.js.
JavaScript
1,281
star
4

connect-flash

Flash message middleware for Connect and Express.
JavaScript
1,225
star
5

passport-http-bearer

HTTP Bearer authentication strategy for Passport and Node.js.
JavaScript
946
star
6

locomotive

Powerful MVC web framework for Node.js.
JavaScript
892
star
7

passport-google-oauth2

Google authentication strategy for Passport and Node.js.
JavaScript
808
star
8

passport-google-oauth

Google authentication strategies for Passport and Node.js.
JavaScript
753
star
9

passport-oauth2

OAuth 2.0 authentication strategy for Passport and Node.js.
JavaScript
575
star
10

electrolyte

Elegant dependency injection for Node.js.
JavaScript
563
star
11

passport-github

GitHub authentication strategy for Passport and Node.js.
JavaScript
528
star
12

passport-twitter

Twitter authentication strategy for Passport and Node.js.
JavaScript
467
star
13

connect-ensure-login

Login session ensuring middleware for Connect and Express.
JavaScript
465
star
14

passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.
JavaScript
265
star
15

passport-remember-me

Remember Me cookie authentication strategy for Passport and Node.js
JavaScript
217
star
16

oauthorize

OAuth service provider toolkit for Node.js.
JavaScript
200
star
17

deamdify

Browserify transform that converts AMD to CommonJS.
JavaScript
198
star
18

passport-openidconnect

OpenID Connect authentication strategy for Passport and Node.js.
JavaScript
181
star
19

passport-instagram

Instagram authentication strategy for Passport and Node.js.
JavaScript
172
star
20

passport-totp

TOTP authentication strategy for Passport and Node.js.
JavaScript
147
star
21

passport-google

Google (OpenID) authentication strategy for Passport and Node.js.
JavaScript
146
star
22

passport-linkedin

LinkedIn authentication strategy for Passport and Node.js.
JavaScript
141
star
23

passport-oauth

OAuth 1.0 and 2.0 authentication strategies for Passport and Node.js.
JavaScript
117
star
24

passport-strategy

An abstract class implementing Passport's strategy API.
Makefile
107
star
25

junction

Essential XMPP middleware for Node.js.
JavaScript
105
star
26

passport-openid

OpenID authentication strategy for Passport and Node.js.
JavaScript
100
star
27

passport-oauth2-client-password

OAuth 2.0 client password authentication strategy for Passport and Node.js.
JavaScript
96
star
28

kerouac

Poetic static site generator for Node.js.
JavaScript
82
star
29

utils-merge

merge() utility function
JavaScript
71
star
30

passport-http-oauth

HTTP OAuth authentication strategy for Passport and Node.js.
JavaScript
70
star
31

bootable

Easy application initialization for Node.js.
JavaScript
68
star
32

oauth2orize-openid

Extensions to support OpenID Connect with OAuth2orize.
JavaScript
62
star
33

passport-anonymous

Anonymous authentication strategy for Passport and Node.js.
Makefile
59
star
34

passport-browserid

BrowserID authentication strategy for Passport and Node.js.
JavaScript
53
star
35

passport-webauthn

WebAuthn authentication strategy for Passport.
JavaScript
45
star
36

passport-soundcloud

SoundCloud authentication strategy for Passport and Node.js.
JavaScript
38
star
37

passport-amazon

Amazon authentication strategy for Passport and Node.js.
JavaScript
37
star
38

node-parent-require

Require modules from parent modules.
JavaScript
35
star
39

passport-windowslive

Windows Live authentication strategy for Passport and Node.js.
JavaScript
34
star
40

chai-passport-strategy

Helpers for testing Passport strategies with the Chai assertion library.
JavaScript
33
star
41

passport-fitbit

Fitbit authentication strategy for Passport and Node.js.
JavaScript
32
star
42

passport-tumblr

Tumblr authentication strategy for Passport and Node.js.
JavaScript
30
star
43

passport-dropbox

Dropbox authentication strategy for Passport and Node.js.
JavaScript
29
star
44

passport-paypal-oauth

PayPal (OAuth) authentication strategy for Passport and Node.js.
JavaScript
28
star
45

passport-bitbucket

Bitbucket authentication strategy for Passport and Node.js.
JavaScript
26
star
46

passport-oauth1

OAuth 1.0 authentication strategy for Passport and Node.js.
JavaScript
23
star
47

passport-foursquare

Foursquare authentication strategy for Passport and Node.js.
JavaScript
22
star
48

node-notifications

A mechanism for dispatching notifications within a Node.js program.
JavaScript
22
star
49

passport-goodreads

Goodreads authentication strategy for Passport and Node.js.
JavaScript
21
star
50

passport-yahoo-oauth

Yahoo! (OAuth) authentication strategy for Passport and Node.js.
JavaScript
19
star
51

passport-persona

Mozilla Persona authentication strategy for Passport and Node.js.
JavaScript
19
star
52

locomotive-mongoose

Mongoose datastore adapter for Locomotive.
JavaScript
18
star
53

passport-runkeeper

RunKeeper authentication strategy for Passport and Node.js.
JavaScript
18
star
54

node-jsonsp

JSON stream parser for Node.js.
JavaScript
17
star
55

node-jsonrpc-tcp

JSON-RPC over TCP for Node.js.
JavaScript
16
star
56

passport-intuit-oauth

Intuit (OAuth) authentication strategy for Passport and Node.js.
JavaScript
15
star
57

passport-evernote

Evernote authentication strategy for Passport and Node.js.
JavaScript
15
star
58

passport-ethereum

Ethereum authentication strategy for Passport.
JavaScript
15
star
59

passport-meetup

Meetup authentication strategy for Passport and Node.js.
JavaScript
15
star
60

passport-google-openidconnect

Google authentication strategy for Passport and Node.js.
JavaScript
14
star
61

crane

Diligent work queue for Node.js.
JavaScript
13
star
62

rivet

Efficient build tool utilizing JavaScript and Node.js.
JavaScript
13
star
63

connect-powered-by

X-Powered-By header middleware for Connect.
JavaScript
11
star
64

passport-yammer

Yammer authentication strategy for Passport and Node.js.
JavaScript
11
star
65

passport-hotp

HOTP authentication strategy for Passport and Node.js.
JavaScript
11
star
66

passport-paypal

PayPal (OpenID) authentication strategy for Passport and Node.js.
JavaScript
10
star
67

passport-intuit

Intuit (OpenID) authentication strategy for Passport and Node.js.
JavaScript
10
star
68

js-sasl

SASL mechanism factory.
JavaScript
10
star
69

node-tokens

Encode and decode security tokens.
JavaScript
9
star
70

draft-oauth-mfa

9
star
71

passport-openstreetmap

OpenStreetMap authentication strategy for Passport and Node.js.
JavaScript
9
star
72

node-servicelocator

Central location to register and locate services within a Node.js application.
JavaScript
9
star
73

passport-dwolla

Dwolla authentication strategy for Passport and Node.js.
JavaScript
9
star
74

todos-fastify-sqlite

Todo app built with Node.js, Fastify, and SQLite.
CSS
9
star
75

passport-angellist

AngelList authentication strategy for Passport and Node.js.
JavaScript
8
star
76

make-node

Useful makefiles for developing Node.js packages.
Makefile
8
star
77

chai-connect-middleware

Helpers for testing Connect middleware with the Chai assertion library.
JavaScript
8
star
78

todos-express-sqlite

Todo app built with Node.js, Express, and SQLite.
CSS
7
star
79

passport-familysearch

FamilySearch authentication strategy for Passport and Node.js.
JavaScript
7
star
80

oauth2orize-mfa

Multi-Factor Authentication exchanges for OAuth2orize.
JavaScript
6
star
81

flowstate

Per-request state management middleware.
JavaScript
6
star
82

suitcss-utils-space

Utility classes for low-level CSS spacing traits
CSS
6
star
83

passport-fido-u2f

FIDO U2F authentication strategy for Passport and Node.js.
JavaScript
6
star
84

passport-rdio

Rdio authentication strategy for Passport and Node.js.
JavaScript
6
star
85

passport-37signals

37signals authentication strategy for Passport and Node.js.
JavaScript
6
star
86

oauth2orize-pkce

Extensions to support Proof Key for Code Exchange with OAuth2orize.
JavaScript
6
star
87

node-ffi-ipmi

wrapping various ipmi related tools and libs for node via node-ffi @ https://github.com/rbranson/node-ffi.git
C
6
star
88

node-functionpool

Provides a pool of functions that can be used to execute tasks in Node.js.
JavaScript
5
star
89

connect-lrdd

Link-based Resource Descriptor Document (LRDD) middleware for Connect.
JavaScript
5
star
90

dotfiles

$HOME
Shell
5
star
91

passport-vimeo

Vimeo authentication strategy for Passport and Node.js.
JavaScript
5
star
92

amd-resolve

A hookable AMD module resolution implementation.
JavaScript
5
star
93

passport-ssl-certificate

SSL certificate authentication strategy for Passport and Node.js.
JavaScript
5
star
94

node-nks-fs

Secure key services.
JavaScript
5
star
95

marked-engine

Express-compatible Markdown rendering powered by marked.
JavaScript
5
star
96

chai-oauth2orize-grant

Helpers for testing OAuth2orize grants with the Chai assertion library.
JavaScript
5
star
97

oauth2orize-device-code

Extensions to support device flow with OAuth2orize.
JavaScript
5
star
98

oauth2orize-redelegate

Token redelegation and chaining exchange for OAuth2orize.
JavaScript
5
star
99

passport-web3

Web3 authentication strategy for Passport.
JavaScript
5
star
100

pocket

A simple, small, file system-based data store for Node.js.
JavaScript
4
star