client-oauth2
Straight-forward execution of OAuth 2.0 flows and authenticated API requests
The client-oauth2 npm package is a client-side library for handling OAuth2 authentication flows. It supports various OAuth2 flows including Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials. This package is useful for applications that need to interact with OAuth2-compliant services for authentication and authorization.
Authorization Code Flow
This feature demonstrates how to use the Authorization Code Flow with GitHub as the OAuth2 provider. It includes setting up the client with necessary URIs and scopes, redirecting the user to the authorization page, and handling the callback to obtain the access token.
```javascript
const ClientOAuth2 = require('client-oauth2');

const githubAuth = new ClientOAuth2({
  clientId: 'abc',
  clientSecret: '123',
  accessTokenUri: 'https://github.com/login/oauth/access_token',
  authorizationUri: 'https://github.com/login/oauth/authorize',
  redirectUri: 'http://example.com/auth/github/callback',
  scopes: ['notifications', 'gist']
});

// Redirect the user to the authorization page
const uri = githubAuth.code.getUri();

// After the user is redirected back to your callback URL
githubAuth.code.getToken(window.location.href)
  .then(function (user) {
    console.log(user);
  });
```
Implicit Flow
This feature demonstrates how to use the Implicit Flow with GitHub as the OAuth2 provider. It includes setting up the client with necessary URIs and scopes, redirecting the user to the authorization page, and handling the callback to obtain the access token directly from the URL.
```javascript
const ClientOAuth2 = require('client-oauth2');

const githubAuth = new ClientOAuth2({
  clientId: 'abc',
  authorizationUri: 'https://github.com/login/oauth/authorize',
  redirectUri: 'http://example.com/auth/github/callback',
  scopes: ['notifications', 'gist']
});

// Redirect the user to the authorization page
const uri = githubAuth.token.getUri();

// After the user is redirected back to your callback URL
githubAuth.token.getToken(window.location.href)
  .then(function (user) {
    console.log(user);
  });
```
Resource Owner Password Credentials Flow
This feature demonstrates how to use the Resource Owner Password Credentials Flow with GitHub as the OAuth2 provider. It includes setting up the client with necessary URIs and scopes, and obtaining the access token using the user's username and password.
```javascript
const ClientOAuth2 = require('client-oauth2');

const githubAuth = new ClientOAuth2({
  clientId: 'abc',
  clientSecret: '123',
  accessTokenUri: 'https://github.com/login/oauth/access_token',
  scopes: ['notifications', 'gist']
});

// Get the user token using username and password
githubAuth.owner.getToken('username', 'password')
  .then(function (user) {
    console.log(user);
  });
```
Client Credentials Flow
This feature demonstrates how to use the Client Credentials Flow with GitHub as the OAuth2 provider. It includes setting up the client with necessary URIs and scopes, and obtaining the access token using the client credentials.
```javascript
const ClientOAuth2 = require('client-oauth2');

const githubAuth = new ClientOAuth2({
  clientId: 'abc',
  clientSecret: '123',
  accessTokenUri: 'https://github.com/login/oauth/access_token',
  scopes: ['notifications', 'gist']
});

// Get the client token
githubAuth.credentials.getToken()
  .then(function (user) {
    console.log(user);
  });
```
The simple-oauth2 package is a comprehensive library for handling OAuth2 authentication flows. It supports all standard OAuth2 flows and provides a more extensive set of features compared to client-oauth2, including token management and automatic token refresh.
The passport-oauth2 package is a strategy for the Passport authentication middleware. It allows applications to authenticate using OAuth2 by leveraging the Passport ecosystem, which provides a wide range of authentication strategies and integrations.
The axios-oauth-client package is a lightweight library that integrates OAuth2 authentication with the popular Axios HTTP client. It simplifies the process of making authenticated HTTP requests by automatically handling token acquisition and renewal.
Straight-forward execution of OAuth 2.0 flows and authenticated API requests. 7.58 kB in browsers, after minification and gzipping, 75% of which comes from the `url` and `querystring` dependencies.

```sh
npm install client-oauth2 --save
```
The module supports executing all the various OAuth 2.0 flows in any JavaScript environment. To authenticate you need to create an instance of the module for your API.
```javascript
var ClientOAuth2 = require('client-oauth2')

var githubAuth = new ClientOAuth2({
  clientId: 'abc',
  clientSecret: '123',
  accessTokenUri: 'https://github.com/login/oauth/access_token',
  authorizationUri: 'https://github.com/login/oauth/authorize',
  redirectUri: 'http://example.com/auth/github/callback',
  scopes: ['notifications', 'gist']
})
```
P.S. The second argument to the constructor can inject a custom request function.
To re-create an access token instance and make requests on behalf of the user, create an access token instance with the `createToken` method on a client instance.
```javascript
// Can also just pass the raw `data` object in place of an argument.
var token = githubAuth.createToken('access token', 'optional refresh token', 'optional token type', { data: 'raw user data' })

// Set the token TTL.
token.expiresIn(1234) // Seconds.
token.expiresIn(new Date('2016-11-08')) // Date.

// Refresh the user's credentials and save the new access token and info.
// `storeNewToken` is your own persistence callback; it receives the new token instance.
token.refresh().then(storeNewToken)

// Sign a standard HTTP request object, updating the URL with the access token
// or adding authorization headers, depending on token type.
token.sign({
  method: 'get',
  url: 'https://api.github.com/users'
}) //=> { method, url, headers, ... }
```
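The expiry and signing rules described above, as an added example that is not client-oauth2's own code. It assumes the README's two token shapes (a `bearer` type signed via the Authorization header, any other type appended as an `access_token` query parameter) and refuses to sign once a token is within a small clock-skew window of its TTL, which is the check a caller should make before `sign()` rather than after a 401.

```javascript
// Added example (not client-oauth2 code): token record mirroring the
// README's expiresIn()/sign() semantics, with an explicit expiry guard.
const SKEW_MS = 30 * 1000; // treat a token as expired slightly early

function makeToken(accessToken, tokenType, expiresIn, now = Date.now()) {
  // expiresIn accepts seconds (token.expiresIn(1234)) or a Date, as in the README.
  const expiresAt = expiresIn instanceof Date
    ? expiresIn.getTime()
    : now + expiresIn * 1000;
  return { accessToken, tokenType: tokenType.toLowerCase(), expiresAt };
}

function isExpired(token, now = Date.now()) {
  // Skew guards against a token that expires in flight.
  return now + SKEW_MS >= token.expiresAt;
}

function signRequest(token, req, now = Date.now()) {
  if (isExpired(token, now)) {
    // Refuse rather than send a stale credential; the caller should refresh.
    throw new Error('token expired; refresh before signing');
  }
  const signed = { ...req, headers: { ...(req.headers || {}) } };
  if (token.tokenType === 'bearer') {
    signed.headers.Authorization = 'Bearer ' + token.accessToken;
  } else {
    // Assumed fallback: non-bearer types are sent as a query parameter.
    const url = new URL(req.url);
    url.searchParams.set('access_token', token.accessToken);
    signed.url = url.toString();
  }
  return signed;
}
```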
P.S. All authorization methods accept `options` as the last argument, useful for overriding the global configuration on a per-request basis.
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
- `githubAuth.code.getUri([ options ])`
- `githubAuth.code.getToken(uri [, options ])`

```javascript
var express = require('express')
var app = express()

app.get('/auth/github', function (req, res) {
  var uri = githubAuth.code.getUri()

  res.redirect(uri)
})

app.get('/auth/github/callback', function (req, res) {
  githubAuth.code.getToken(req.originalUrl)
    .then(function (user) {
      console.log(user) //=> { accessToken: '...', tokenType: 'bearer', ... }

      // Refresh the current user's access token.
      user.refresh().then(function (updatedUser) {
        console.log(updatedUser !== user) //=> true
        console.log(updatedUser.accessToken)
      })

      // Sign API requests on behalf of the current user.
      user.sign({
        method: 'get',
        url: 'http://example.com'
      })

      // We should store the token into a database.
      return res.send(user.accessToken)
    })
})
```
P.S. The `getToken` URI parameter can be an object containing `pathname` and `query` properties.
The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.
- `githubAuth.token.getUri([ options ])`
- `githubAuth.token.getToken(uri [, options ])`

```javascript
// `popsicle` is the HTTP client used in this example; any request library works with `user.sign()`.
var popsicle = require('popsicle')

window.oauth2Callback = function (uri) {
  githubAuth.token.getToken(uri)
    .then(function (user) {
      console.log(user) //=> { accessToken: '...', tokenType: 'bearer', ... }

      // Make a request to the github API for the current user.
      return popsicle.request(user.sign({
        method: 'get',
        url: 'https://api.github.com/user'
      })).then(function (res) {
        console.log(res) //=> { body: { ... }, status: 200, headers: { ... } }
      })
    })
}

// Open the page in a new window, then redirect back to a page that calls our global `oauth2Callback` function.
window.open(githubAuth.token.getUri())
```
P.S. The `getToken` URI parameter can be an object containing `pathname`, `query` and `hash` properties.
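The two callback shapes described above (the authorization code flow returns `code` and `state` in the query string; the implicit flow returns the token itself in the URL fragment), as an added example of the validation a callback handler should perform before handing the URL to `getToken`. This is not client-oauth2's own code; the `state` value is assumed to be an unguessable per-session nonce that was passed to `getUri()` and stored server side, and the sample URLs in the comments are constructed.

```javascript
// Added example (not client-oauth2 code): validate an OAuth 2.0 redirect URI.
// Uses only the WHATWG URL globals available in Node and browsers.
class OAuthCallbackError extends Error {}

function parseParams(str) {
  // URLSearchParams parses both "?a=b" and "#a=b" once the prefix is stripped.
  return new URLSearchParams(str.replace(/^[?#]/, ''));
}

// expectedState: the nonce bound to this user's session when getUri() was built.
function verifyCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Implicit flow puts the response in the fragment; code flow in the query.
  const params = url.hash ? parseParams(url.hash) : url.searchParams;

  // Providers report refusals as error=... instead of returning a code/token.
  if (params.has('error')) {
    throw new OAuthCallbackError(params.get('error_description') || params.get('error'));
  }
  // A missing or mismatched state means this redirect was not started by our
  // session (login CSRF); discard it rather than exchange the code.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new OAuthCallbackError('state mismatch');
  }

  if (url.hash) {
    // e.g. http://example.com/cb#access_token=...&token_type=bearer&expires_in=3600&state=...
    if (!params.has('access_token')) throw new OAuthCallbackError('missing access_token');
    return {
      flow: 'implicit',
      accessToken: params.get('access_token'),
      tokenType: (params.get('token_type') || 'bearer').toLowerCase(),
      expiresIn: Number(params.get('expires_in') || 0)
    };
  }
  // e.g. http://example.com/cb?code=...&state=...  (code is exchanged server side)
  if (!params.has('code')) throw new OAuthCallbackError('missing code');
  return { flow: 'code', code: params.get('code') };
}
```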
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
- `githubAuth.owner.getToken(username, password [, options ])`

```javascript
githubAuth.owner.getToken('blakeembrey', 'hunter2')
  .then(function (user) {
    console.log(user) //=> { accessToken: '...', tokenType: 'bearer', ... }
  })
```
The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).
- `githubAuth.credentials.getToken([ options ])`

```javascript
githubAuth.credentials.getToken()
  .then(function (user) {
    console.log(user) //=> { accessToken: '...', tokenType: 'bearer', ... }
  })
```
A JSON Web Token (JWT) Bearer Token can be used to request an access token when a client wishes to utilize an existing trust relationship, expressed through the semantics of (and digital signature or Message Authentication Code calculated over) the JWT, without a direct user approval step at the authorization server.
- `githubAuth.jwt.getToken(jwt [, options ])`

```javascript
githubAuth.jwt.getToken('eyJhbGciOiJFUzI1NiJ9.eyJpc3Mi[...omitted for brevity...].J9l-ZhwP[...omitted for brevity...]')
  .then(function (user) {
    console.log(user) //=> { accessToken: '...', tokenType: 'bearer', ... }
  })
```
Requires an ES5 environment with global `Promise` and `Object.assign`.
Apache 2.0
The npm package client-oauth2 receives a total of 121,002 weekly downloads. As such, client-oauth2 popularity was classified as popular.
We found that client-oauth2 demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.