Client OAuth 2.0
Straight-forward execution of OAuth 2.0 flows and authenticated API requests.
Installation
npm install client-oauth2 --save
Usage
The module supports executing all the various OAuth 2.0 flows in any JavaScript environment. To authenticate you need to create an instance of the module for your API.
var ClientOAuth2 = require('client-oauth2')
var githubAuth = new ClientOAuth2({
clientId: 'abc',
clientSecret: '123',
accessTokenUri: 'https://github.com/login/oauth/access_token',
authorizationUri: 'https://github.com/login/oauth/authorize',
authorizationGrants: ['credentials'],
redirectUri: 'http://example.com/auth/github/callback',
scopes: ['notifications', 'gist']
})
- clientId The client id string assigned to you by the provider
- clientSecret The client secret string assigned to you by the provider (not required for
token
) - accessTokenUri The url to request the access token (not required for
token
) - authorizationUri The url to redirect users to authenticate with the provider (only required for
token
and code
) - redirectUri A custom url for the provider to redirect users back to your application (only required for
token
and code
) - scopes An array of scopes to authenticate against
Request options
- body An object to merge with the body of every request
- query An object to merge with the query parameters of every request
- headers An object to merge with the headers of every request
- options Transport options from popsicle
To re-create an access token instance and make requests on behalf on the user, you can create an access token instance by using the createToken
method on a client instance.
var token = githubAuth.createToken('access token', 'optional refresh token', 'optional token type', { optional: 'raw user data' })
token.refresh().then(storeNewToken)
token.request({
method: 'get',
url: 'https://api.github.com/users'
})
.then(function (res) {
console.log(res)
})
You can override the request mechanism if you need a custom implementation by setting githubAuth.request = function (opts) { return new Promise(...) }
. You will need to make sure that the custom request mechanism supports the correct input and output objects.
P.S. All authorization methods accept options
as the last argument, useful for overriding the global configuration on a per-request basis.
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
- Redirect user to
githubAuth.code.getUri()
. - Parse response uri and get token using
githubAuth.code.getToken(uri)
.
var express = require('express')
var app = express()
app.get('/auth/github', function (req, res) {
var uri = githubAuth.code.getUri()
res.redirect(uri)
})
app.get('/auth/github/callback', function (req, res) {
githubAuth.code.getToken(req.url)
.then(function (user) {
console.log(user)
user.refresh().then(function (updatedUser) {
console.log(updatedUser === user)
})
user.sign({
method: 'get',
url: 'http://example.com'
})
return res.send(user.accessToken)
})
})
The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.
- Redirect user to
githubAuth.token.getUri()
. - Parse response uri for the access token using
githubAuth.token.getToken(uri)
.
window.oauth2Callback = function (uri) {
githubAuth.token.getToken(uri)
.then(function (user) {
console.log(user)
user.request({
method: 'get',
url: 'https://api.github.com/user'
}).then(function (res) {
console.log(res)
})
})
}
window.open(githubAuth.token.getUri())
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
- Make a direct request for the access token on behalf of the user using
githubAuth.owner.getToken(username, password)
.
githubAuth.owner.getToken('blakeembrey', 'hunter2')
.then(function (user) {
console.log(user)
})
The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).
- Get the access token for the application by using
githubAuth.credentials.getToken()
.
githubAuth.credentials.getToken()
.then(function (user) {
console.log(user)
})
A JSON Web Token (JWT) Bearer Token can be used to request an access token when a client wishes to utilize an existing trust relationship, expressed through the semantics of (and digital signature or Message Authentication Code calculated over) the JWT, without a direct user approval step at the authorization server.
githubAuth.jwt.getToken('eyJhbGciOiJFUzI1NiJ9.eyJpc3Mi[...omitted for brevity...].J9l-ZhwP[...omitted for brevity...]')
.then(function (user) {
console.log(user)
})
License
Apache 2.0