• Stars
    star
    200
  • Rank 195,325 (Top 4 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 12 years ago
  • Updated almost 9 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OAuth service provider toolkit for Node.js.

OAuthorize

OAuthorize is a service provider toolkit for Node.js. It provides a suite of middleware that, combined with application-specific route handlers, can be used to assemble a server that implements the OAuth 1.0 protocol.

Installation

$ npm install oauthorize

Usage

While OAuth is a rather intricate protocol, at a high level there are three classes of endpoints from an implementation perspective, based on how those endpoints are authenticated. OAuthorize middleware, protected by Passport authentication strategies including passport-http-oauth, is used to authenticate clients, obtain authorization from users, and issue access tokens.

Create an OAuth Server

Call createServer() to create a new OAuth server. This instance exposes middleware that will be mounted in routes, as well as configuration options.

var server = oauthorize.createServer();

Implement Token Endpoints

Clients (aka consumers) interact with token endpoints directly in order to obtain tokens. First, a client retrieves an unauthorized request token.

app.post('/request_token',
  passport.authenticate('consumer', { session: false }),
  server.requestToken(function(client, callbackURL, done) {
    var token = utils.uid(8)
      , secret = utils.uid(32)

    var t = new RequestToken(token, secret, client.id, callbackURL);
    t.save(function(err) {
      if (err) { return done(err); }
      return done(null, token, secret);
    });
  }));

After a user has authorized this token, it can be exchanged for an access token.

app.post('/access_token',
  passport.authenticate('consumer', { session: false }),
  server.accessToken(
    function(requestToken, verifier, info, done) {
      if (verifier != info.verifier) { return done(null, false); }
      return done(null, true);
    },
    function(client, requestToken, info, done) {
      if (!info.authorized) { return done(null, false); }
      if (client.id !== info.clientId) { return done(null, false); }

      var token = utils.uid(32)
        , secret = utils.uid(128)
      var t = new AccessToken(token, secret, info.userId, info.clientId);
      t.save(function(err) {
        if (err) { return done(err); }
        return done(null, token, secret);
      });
    }
  ));

Implement User Authorization Endpoints

In order to authorize the request token, the client will redirect the user to the user authorization endpoint.

app.get('/dialog/authorize',
  login.ensureLoggedIn(),
  server.userAuthorization(function(requestToken, done) {
    RequestToken.findOne(requestToken, function(err, token) {
      if (err) { return done(err); }
      Clients.findOne(token.clientId, function(err, client) {
        if (err) { return done(err); }
        return done(null, client, token.callbackUrl);
      });
    });
  }),
  function(req, res){
    res.render('dialog', { transactionID: req.oauth.transactionID,
                           client: req.oauth.client, user: req.user });
  });

The application is responsible for authenticating the user (in this case, using connect-ensure-login middleware) and obtaining their consent by rendering a form.

The user must choose to allow access, optionally limited to a narrower scope or duration of access. The form submission can be processed by user decision middleware.

app.post('/dialog/authorize/decision',
  login.ensureLoggedIn(),
  server.userDecision(function(requestToken, user, done) {
    RequestToken.findOne(requestToken, function(err, token) {
      if (err) { return done(err); }
      var verifier = utils.uid(8);
      token.authorized = true;
      token.userId = user.id;
      token.verifier = verifier;
      token.save(function(err) {
        if (err) { return done(err); }
        return done(null, verifier);
      });
    });
  }));

Once authorized, the client can exchange the request token for an access token the token endpoint described above.

Implement API Endpoints

Once an access token has been issued, a client will use it to make API requests on behalf of the user.

app.get('/api/userinfo', 
  passport.authenticate('token', { session: false }),
  function(req, res) {
    res.json(req.user);
  });

Session Serialization

Obtaining the user's authorization involves multiple request/response pairs. During this time, an OAuth transaction will be serialized to the session. Client serialization functions are registered to customize this process, which will typically be as simple as serializing the client ID, and finding the client by ID when deserializing.

server.serializeClient(function(client, done) {
  return done(null, client.id);
});

server.deserializeClient(function(id, done) {
  Clients.findOne(id, function(err, client) {
    if (err) { return done(err); }
    return done(null, client);
  });
});

Examples

This example demonstrates how to implement an OAuth service provider, complete with protected API access.

Tests

$ npm install --dev
$ make test

Build Status

Credits

License

(The MIT License)

Copyright (c) 2012 Jared Hanson

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

More Repositories

1

passport

Simple, unobtrusive authentication for Node.js.
JavaScript
21,911
star
2

oauth2orize

OAuth 2.0 authorization server toolkit for Node.js.
JavaScript
3,417
star
3

passport-local

Username and password authentication strategy for Passport and Node.js.
JavaScript
2,669
star
4

passport-facebook

Facebook authentication strategy for Passport and Node.js.
JavaScript
1,281
star
5

connect-flash

Flash message middleware for Connect and Express.
JavaScript
1,225
star
6

passport-http-bearer

HTTP Bearer authentication strategy for Passport and Node.js.
JavaScript
946
star
7

locomotive

Powerful MVC web framework for Node.js.
JavaScript
892
star
8

passport-google-oauth2

Google authentication strategy for Passport and Node.js.
JavaScript
808
star
9

passport-google-oauth

Google authentication strategies for Passport and Node.js.
JavaScript
753
star
10

passport-oauth2

OAuth 2.0 authentication strategy for Passport and Node.js.
JavaScript
575
star
11

electrolyte

Elegant dependency injection for Node.js.
JavaScript
563
star
12

passport-github

GitHub authentication strategy for Passport and Node.js.
JavaScript
528
star
13

passport-twitter

Twitter authentication strategy for Passport and Node.js.
JavaScript
467
star
14

connect-ensure-login

Login session ensuring middleware for Connect and Express.
JavaScript
465
star
15

passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.
JavaScript
265
star
16

passport-remember-me

Remember Me cookie authentication strategy for Passport and Node.js
JavaScript
217
star
17

deamdify

Browserify transform that converts AMD to CommonJS.
JavaScript
198
star
18

passport-openidconnect

OpenID Connect authentication strategy for Passport and Node.js.
JavaScript
181
star
19

passport-instagram

Instagram authentication strategy for Passport and Node.js.
JavaScript
172
star
20

passport-totp

TOTP authentication strategy for Passport and Node.js.
JavaScript
147
star
21

passport-google

Google (OpenID) authentication strategy for Passport and Node.js.
JavaScript
146
star
22

passport-linkedin

LinkedIn authentication strategy for Passport and Node.js.
JavaScript
141
star
23

passport-oauth

OAuth 1.0 and 2.0 authentication strategies for Passport and Node.js.
JavaScript
117
star
24

passport-strategy

An abstract class implementing Passport's strategy API.
Makefile
107
star
25

junction

Essential XMPP middleware for Node.js.
JavaScript
105
star
26

passport-openid

OpenID authentication strategy for Passport and Node.js.
JavaScript
100
star
27

passport-oauth2-client-password

OAuth 2.0 client password authentication strategy for Passport and Node.js.
JavaScript
96
star
28

kerouac

Poetic static site generator for Node.js.
JavaScript
82
star
29

utils-merge

merge() utility function
JavaScript
71
star
30

passport-http-oauth

HTTP OAuth authentication strategy for Passport and Node.js.
JavaScript
70
star
31

bootable

Easy application initialization for Node.js.
JavaScript
68
star
32

oauth2orize-openid

Extensions to support OpenID Connect with OAuth2orize.
JavaScript
62
star
33

passport-anonymous

Anonymous authentication strategy for Passport and Node.js.
Makefile
59
star
34

passport-browserid

BrowserID authentication strategy for Passport and Node.js.
JavaScript
53
star
35

passport-webauthn

WebAuthn authentication strategy for Passport.
JavaScript
45
star
36

passport-soundcloud

SoundCloud authentication strategy for Passport and Node.js.
JavaScript
38
star
37

passport-amazon

Amazon authentication strategy for Passport and Node.js.
JavaScript
37
star
38

node-parent-require

Require modules from parent modules.
JavaScript
35
star
39

passport-windowslive

Windows Live authentication strategy for Passport and Node.js.
JavaScript
34
star
40

chai-passport-strategy

Helpers for testing Passport strategies with the Chai assertion library.
JavaScript
33
star
41

passport-fitbit

Fitbit authentication strategy for Passport and Node.js.
JavaScript
32
star
42

passport-tumblr

Tumblr authentication strategy for Passport and Node.js.
JavaScript
30
star
43

passport-dropbox

Dropbox authentication strategy for Passport and Node.js.
JavaScript
29
star
44

passport-paypal-oauth

PayPal (OAuth) authentication strategy for Passport and Node.js.
JavaScript
28
star
45

passport-bitbucket

Bitbucket authentication strategy for Passport and Node.js.
JavaScript
26
star
46

passport-oauth1

OAuth 1.0 authentication strategy for Passport and Node.js.
JavaScript
23
star
47

passport-foursquare

Foursquare authentication strategy for Passport and Node.js.
JavaScript
22
star
48

node-notifications

A mechanism for dispatching notifications within a Node.js program.
JavaScript
22
star
49

passport-goodreads

Goodreads authentication strategy for Passport and Node.js.
JavaScript
21
star
50

passport-yahoo-oauth

Yahoo! (OAuth) authentication strategy for Passport and Node.js.
JavaScript
19
star
51

passport-persona

Mozilla Persona authentication strategy for Passport and Node.js.
JavaScript
19
star
52

locomotive-mongoose

Mongoose datastore adapter for Locomotive.
JavaScript
18
star
53

passport-runkeeper

RunKeeper authentication strategy for Passport and Node.js.
JavaScript
18
star
54

node-jsonsp

JSON stream parser for Node.js.
JavaScript
17
star
55

node-jsonrpc-tcp

JSON-RPC over TCP for Node.js.
JavaScript
16
star
56

passport-intuit-oauth

Intuit (OAuth) authentication strategy for Passport and Node.js.
JavaScript
15
star
57

passport-evernote

Evernote authentication strategy for Passport and Node.js.
JavaScript
15
star
58

passport-ethereum

Ethereum authentication strategy for Passport.
JavaScript
15
star
59

passport-meetup

Meetup authentication strategy for Passport and Node.js.
JavaScript
15
star
60

passport-google-openidconnect

Google authentication strategy for Passport and Node.js.
JavaScript
14
star
61

crane

Diligent work queue for Node.js.
JavaScript
13
star
62

rivet

Efficient build tool utilizing JavaScript and Node.js.
JavaScript
13
star
63

connect-powered-by

X-Powered-By header middleware for Connect.
JavaScript
11
star
64

passport-yammer

Yammer authentication strategy for Passport and Node.js.
JavaScript
11
star
65

passport-hotp

HOTP authentication strategy for Passport and Node.js.
JavaScript
11
star
66

passport-paypal

PayPal (OpenID) authentication strategy for Passport and Node.js.
JavaScript
10
star
67

passport-intuit

Intuit (OpenID) authentication strategy for Passport and Node.js.
JavaScript
10
star
68

js-sasl

SASL mechanism factory.
JavaScript
10
star
69

node-tokens

Encode and decode security tokens.
JavaScript
9
star
70

draft-oauth-mfa

9
star
71

passport-openstreetmap

OpenStreetMap authentication strategy for Passport and Node.js.
JavaScript
9
star
72

node-servicelocator

Central location to register and locate services within a Node.js application.
JavaScript
9
star
73

passport-dwolla

Dwolla authentication strategy for Passport and Node.js.
JavaScript
9
star
74

todos-fastify-sqlite

Todo app built with Node.js, Fastify, and SQLite.
CSS
9
star
75

passport-angellist

AngelList authentication strategy for Passport and Node.js.
JavaScript
8
star
76

make-node

Useful makefiles for developing Node.js packages.
Makefile
8
star
77

chai-connect-middleware

Helpers for testing Connect middleware with the Chai assertion library.
JavaScript
8
star
78

todos-express-sqlite

Todo app built with Node.js, Express, and SQLite.
CSS
7
star
79

passport-familysearch

FamilySearch authentication strategy for Passport and Node.js.
JavaScript
7
star
80

oauth2orize-mfa

Multi-Factor Authentication exchanges for OAuth2orize.
JavaScript
6
star
81

flowstate

Per-request state management middleware.
JavaScript
6
star
82

suitcss-utils-space

Utility classes for low-level CSS spacing traits
CSS
6
star
83

passport-fido-u2f

FIDO U2F authentication strategy for Passport and Node.js.
JavaScript
6
star
84

passport-rdio

Rdio authentication strategy for Passport and Node.js.
JavaScript
6
star
85

passport-37signals

37signals authentication strategy for Passport and Node.js.
JavaScript
6
star
86

oauth2orize-pkce

Extensions to support Proof Key for Code Exchange with OAuth2orize.
JavaScript
6
star
87

node-ffi-ipmi

wrapping various ipmi related tools and libs for node via node-ffi @ https://github.com/rbranson/node-ffi.git
C
6
star
88

node-functionpool

Provides a pool of functions that can be used to execute tasks in Node.js.
JavaScript
5
star
89

connect-lrdd

Link-based Resource Descriptor Document (LRDD) middleware for Connect.
JavaScript
5
star
90

dotfiles

$HOME
Shell
5
star
91

passport-vimeo

Vimeo authentication strategy for Passport and Node.js.
JavaScript
5
star
92

amd-resolve

A hookable AMD module resolution implementation.
JavaScript
5
star
93

passport-ssl-certificate

SSL certificate authentication strategy for Passport and Node.js.
JavaScript
5
star
94

node-nks-fs

Secure key services.
JavaScript
5
star
95

marked-engine

Express-compatible Markdown rendering powered by marked.
JavaScript
5
star
96

chai-oauth2orize-grant

Helpers for testing OAuth2orize grants with the Chai assertion library.
JavaScript
5
star
97

oauth2orize-device-code

Extensions to support device flow with OAuth2orize.
JavaScript
5
star
98

oauth2orize-redelegate

Token redelegation and chaining exchange for OAuth2orize.
JavaScript
5
star
99

passport-web3

Web3 authentication strategy for Passport.
JavaScript
5
star
100

pocket

A simple, small, file system-based data store for Node.js.
JavaScript
4
star