Grant
23andme
| 500px
| acton
| acuityscheduling
| aha
| amazon
| angellist
| asana
| assembla
| auth0
| authentiq
| axosoft
| baidu
| basecamp
| battlenet
| beatport
| bitbucket
| bitly
| box
| buffer
| campaignmonitor
| cheddar
| clio
| coinbase
| concur
| constantcontact
| coursera
| dailymile
| dailymotion
| deezer
| delivery
| deputy
| deviantart
| digitalocean
| discogs
| discord
| disqus
| docusign
| dribbble
| dropbox
| ebay
| echosign
| ecwid
| edmodo
| egnyte
| etsy
| eventbrite
| evernote
| everyplay
| eyeem
| facebook
| familysearch
| feedly
| fitbit
| flattr
| flickr
| flowdock
| fluidsurveys
| formstack
| foursquare
| freeagent
| freshbooks
| geeklist
| genius
| getbase
| getpocket
| gitbook
| github
| gitlab
| gitter
| goodreads
| google
| groove
| gumroad
| harvest
| hellosign
| heroku
| homeaway
| iconfinder
| idme
| idonethis
| imgur
| infusionsoft
| instagram
| intuit
| jamendo
| jawbone
| jumplead
| kakao
| letsfreckle
| linkedin
| live
| lyft
| mailchimp
| mailup
| mapmyfitness
| medium
| meetup
| microsoft
| mixcloud
| mixer
| moves
| moxtra
| mydigipass
| myob
| nylas
| openstreetmap
| optimizely
| patreon
| paypal
| pinterest
| plurk
| podio
| producteev
| producthunt
| projectplace
| pushbullet
| ravelry
| redbooth
| reddit
| runkeeper
| salesforce
| shoeboxed
| shopify
| skyrock
| slack
| slice
| smartsheet
| smugmug
| socialpilot
| socrata
| soundcloud
| spotify
| square
| stackexchange
| stocktwits
| stormz
| strava
| stripe
| surveygizmo
| surveymonkey
| thingiverse
| ticketbud
| timelyapp
| todoist
| trakt
| traxo
| trello
| tripit
| tumblr
| twitch
| twitter
| uber
| underarmour
| unsplash
| upwork
| uservoice
| vend
| venmo
| verticalresponse
| viadeo
| vimeo
| visualstudio
| vk
| weekdone
| weibo
| withings
| wordpress
| wrike
| xero
| xing
| yahoo
| yammer
| yandex
| zendesk
Table of Contents
Express
npm install grant-express
var express = require('express')
var session = require('express-session')
var grant = require('grant-express')
var app = express()
app.use(session({secret: 'grant'}))
app.use(grant({}))
Koa
npm install grant-koa
var Koa = require('koa')
var session = require('koa-session')
var mount = require('koa-mount')
var grant = require('grant-koa')
var app = new Koa()
app.keys = ['grant']
app.use(session(app))
app.use(mount(grant({})))
Hapi
npm install grant-hapi
var Hapi = require('hapi')
var yar = require('yar')
var grant = require('grant-hapi')
var server = new Hapi.Server()
server.register([
{plugin: yar, options: {cookieOptions: {password: 'grant', isSecure: false}}},
{plugin: grant(), options: {}}
])
Alternative Require
Alternatively you can require Grant directly (each pair is identical):
var Grant = require('grant-express')
var Grant = require('grant').express()
var Grant = require('grant-koa')
var Grant = require('grant').koa()
var Grant = require('grant-hapi')
var Grant = require('grant').hapi()
Path Prefix
You can mount Grant under specific path prefix:
app.use('/path/prefix', grant({config}))
app.use(mount('/path/prefix', grant({config})))
server.register([{plugin: grant({config}), routes: {prefix: '/path/prefix'}}])
In this case it is required to specify the path prefix using the path
configuration option for the server key:
{
"server": {
"protocol": "...",
"host": "...",
"path": "/path/prefix"
}
}
Lastly that path prefix should be specified in your OAuth application's redirect URL as well:
[protocol]://[host][path]/connect/[provider]/callback
In case you want your callback routes prefixed, set them accordingly:
{
"facebook": {
"callback": "/path/prefix/handle_facebook_callback"
}
}
Reserved Routes
/connect/:provider/:override?
/connect/:provider/callback
Configuration
{
"server": {
"protocol": "http",
"host": "localhost:3000",
"callback": "/callback",
"transport": "session",
"state": true
},
"provider1": {
"key": "...",
"secret": "...",
"scope": ["scope1", "scope2", ...],
"callback": "/provider1/callback"
},
"provider2": {...},
...
}
- server - configuration about your server
- protocol - either
http
or https
- host - your server's host name
localhost:3000
| dummy.com:5000
| mysite.com
... - path - path prefix to use for the Grant middleware (defaults to empty string if omitted)
- callback - common callback route for all providers in your config
/callback
| /done
... - transport - transport to use to deliver the response data in your final callback route
querystring
| session
(defaults to querystring if omitted) - state - generate random state string on each authorization attempt
true
| false
(OAuth2 only, defaults to false if omitted)
- provider1 - any supported provider
facebook
| twitter
...
- key -
consumer_key
or client_id
of your OAuth app - secret -
consumer_secret
or client_secret
of your OAuth app - scope - array of OAuth scopes to request
- callback - specific callback route to use for this provider (overrides the global one specified under the
server
key) - custom_params - custom authorization parameters (see the Custom Parameters section)
(additionally any of the reserved keys can be overriden for a provider)
Redirect URL
For redirect
URL of your OAuth application you should always use this format:
[protocol]://[host]/connect/[provider]/callback
Where protocol
and host
should match the ones from which you initiate the OAuth flow, and provider
is the provider's name from the list of supported providers.
This redirect
URL is used internally by Grant. You will receive the response data from the OAuth flow inside the route specified in the callback
key of your Grant configuration.
See the Path Prefix section on how to configure the redirect URL when using the path
configuration option.
Static Overrides
You can add arbitrary {object}
keys inside your provider's configuration to create sub configurations that override the global settings for that provider:
"facebook": {
"key": "...",
"secret": "...",
"scope": ["publish_actions", "publish_stream"],
"callback": "/facebook/callback",
"groups": {
"scope": ["user_groups", "friends_groups"]
},
"pages": {
"scope": ["manage_pages"],
"callback": "/facebook_pages/callback"
}
}
(the custom key names cannot be one of the reserved keys)
Dynamic Override
Additionally you can make a POST
request to the /connect/:provider/:override?
route to override your provider's configuration dynamically on each request:
<form action="/connect/facebook" method="post" accept-charset="utf-8">
<input name="state" type="text" value="" />
<input name="scope" type="checkbox" value="user_groups" />
<input name="scope" type="checkbox" value="manage_pages" />
<button>submit</button>
</form>
Keep in mind that in this case you'll have to mount the body-parser
middleware for Express and Koa before mounting Grant:
var parser = require('body-parser')
app.use(parser.urlencoded({extended: true}))
app.use(grant({config}))
var parser = require('koa-bodyparser')
app.use(parser())
app.use(mount(grant({config})))
Alternatively you can make a GET
request to the /connect/:provider/:override?
route:
https:
Custom Parameters
Some providers may employ custom authorization parameters outside of the specified ones in the configuration section. You can pass those custom parameters using the custom_params
option:
"google": {
"custom_params": {"access_type": "offline"}
},
"reddit": {
"custom_params": {"duration": "permanent"}
},
"trello": {
"custom_params": {"name": "my app", "expiration": "never"}
}
Additionally any custom parameter that is not a reserved key, and is listed under the custom_parameters
array for that provider, can be defined along with the rest of the options.
Refer to the provider's OAuth documentation, and the Grant's OAuth configuration (search for custom_parameters
).
Custom Providers
In case you have a private OAuth provider that you don't want to be part of the officially supported ones, you can define it in your configuration by adding a custom key for it.
In this case you have to specify all of the required provider keys by yourself:
{
"server": {
"protocol": "https",
"host": "mywebsite.com"
},
"mywebsite": {
"authorize_url": "https://mywebsite.com/authorize",
"access_url": "https://mywebsite.com/token",
"oauth": 2,
"key": "[CLIENT_ID]",
"secret": "[CLIENT_SECRET]",
"scope": ["read", "write"]
}
}
Refer to the Grant's OAuth configuration to see how various providers are configured.
Development Environments
You can easily configure different development environments:
{
"development": {
"server": {"protocol": "http", "host": "dummy.com:3000"},
"facebook": {
"key": "development OAuth app credentials",
"secret": "development OAuth app credentials"
},
"twitter": {...}, ...
},
"staging": {
"server": {"protocol": "https", "host": "staging.mywebsite.com"},
"facebook": {
"key": "staging OAuth app credentials",
"secret": "staging OAuth app credentials"
},
"twitter": {...}, ...
},
"production": {
"server": {"protocol": "https", "host": "mywebsite.com"},
"facebook": {
"key": "production OAuth app credentials",
"secret": "production OAuth app credentials"
},
"twitter": {...}, ...
}
}
Then you can pass the environment flag:
NODE_ENV=production node app.js
And use it in your application:
var config = require('./config.json')
var grant = new Grant(config[process.env.NODE_ENV || 'development'])
Programmatic Access
Once you initialize a new instance of Grant:
var grant = new Grant(require('./config'))
You get a special config
property attached to that instance. It contains the generated configuration data for all of the providers defined in your config file.
In case of dynamic access to a non pre-configured provider, it is automatically added to the config
list on first access to the /connect/:provider
route.
Sandbox Redirect URI
Very rarely you may need to override the default redirect_uri
that Grant generates for you.
For example Feedly supports only http://localhost
as redirect URL of their Sandbox OAuth application, and it won't allow the http://localhost/connect/feedly/callback
path:
"feedly": {
"redirect_uri": "http://localhost"
}
In case you override the redirect_uri
in your config, you'll have to redirect the user to the [protocol]://[host]/connect/[provider]/callback
route that Grant uses to execute the last step of the OAuth flow:
var qs = require('querystring')
app.get('/', (req, res) => {
if (process.env.NODE_ENV === 'development' &&
req.session.grant &&
req.session.grant.provider === 'feedly' &&
req.query.code
) {
res.redirect('/connect/' + req.session.grant.provider + '/callback?'
+ qs.stringify(req.query))
}
})
After that you will receive the Response Data from the OAuth flow inside the route specified in the callback
key of your configuration.
Quirks
Subdomain
Some providers require you to set your company name or server region as subdomain in the OAuth URLs. You can set that value through the subdomain
option:
"shopify": {
"subdomain": "mycompany"
},
"battlenet": {
"subdomain": "us"
}
Then Grant will generate the correct OAuth URLs:
"shopify": {
"authorize_url": "https://mycompany.myshopify.com/admin/oauth/authorize",
"access_url": "https://mycompany.myshopify.com/admin/oauth/access_token"
},
"battlenet": {
"authorize_url": "https://us.battle.net/oauth/authorize",
"access_url": "https://us.battle.net/oauth/token"
}
Alternatively you can override the entire request_url
, authorize_url
and access_url
in your configuration.
Sandbox URLs
Some providers may have sandbox URLs for testing. To use them just override the entire request_url
, authorize_url
and access_url
in your configuration (notice the sandbox
bits):
"paypal": {
"authorize_url": "https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize",
"access_url": "https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice"
},
"evernote": {
"request_url": "https://sandbox.evernote.com/oauth",
"authorize_url": "https://sandbox.evernote.com/OAuth.action",
"access_url": "https://sandbox.evernote.com/oauth"
}
Ebay
Set the redirect URL of your OAuth app as usual [protocol]://[host]/connect/ebay/callback
. Then Ebay will generate a special string called RuName (eBay Redirect URL name) that you need to set as redirect_uri
in Grant:
"ebay": {
"redirect_uri": "[RUNAME]"
}
Flickr, Optimizely
Flickr uses a custom authorization parameter to pass its scopes called perms
, and Optimizely uses scopes
. However you should use the regular scope
option in your configuration:
"flickr": {
"scope": ["write"]
}
"optimizely": {
"scope": ["all"]
}
SurveyMonkey
Set your Mashery user name as key
and your application key as api_key
:
"surveymonkey": {
"key": "[MASHERY_USER_NAME]",
"secret": "[CLIENT_SECRET]",
"api_key": "[CLIENT_ID]"
}
Fitbit, LinkedIn, ProjectPlace
Initially these providers supported only OAuth1, so the fitbit
and linkedin
names are used for that. To use their OAuth2 flow append 2
at the end of their names:
"fitbit2": {
},
"linkedin2": {
},
"projectplace2": {
}
VisualStudio
Set your Client Secret as secret
not the App Secret:
"visualstudio": {
"key": "[APP_ID]",
"secret": "[CLIENT_SECRET not APP_SECRET]"
}
Response Data
The OAuth response data is returned as querystring in your final callback - the one you specify in the callback
key of your Grant configuration.
Alternatively the response data can be returned inside the session, see the configuration section above and the session transport example.
OAuth1
For OAuth1 the access_token
and the access_secret
are accessible directly, raw
contains the raw response data:
{
access_token: '...',
access_secret: '...',
raw: {
oauth_token: '...',
oauth_token_secret: '...',
some: 'other data'
}
}
OAuth2
For OAuth2 the access_token
and the refresh_token
(if present) are accessible directly, raw
contains the raw response data:
{
access_token: '...',
refresh_token: '...',
raw: {
access_token: '...',
refresh_token: '...',
some: 'other data'
}
}
Error
In case of an error, the error
key will be populated with the raw error data:
{
error: {
some: 'error data'
}
}
Typical Flow
- Register OAuth application on your provider's web site.
- For
redirect
URL of your OAuth application always use this format:
[protocol]://[host]/connect/[provider]/callback
- Create
config.json
file containing:
"server": {
"protocol": "https",
"host": "mywebsite.com"
},
"facebook": {
"key": "[CLIENT_ID]",
"secret": "[CLIENT_SECRET]",
"callback": "/handle_facebook_callback"
},
"twitter": {
"key": "[CONSUMER_KEY]",
"secret": "[CONSUMER_SECRET]",
"callback": "/handle_twitter_callback"
}
- Initialize Grant and mount it:
var express = require('express')
var session = require('express-session')
var grant = require('grant-express')
express()
.use(session({secret: 'grant'}))
.use(grant(require('./config.json')))
- Navigate to
/connect/facebook
to initiate the OAuth flow for Facebook, or navigate to /connect/twitter
to initiate the OAuth flow for Twitter. - Once the OAuth flow is completed you will receive the response data in the
/handle_facebook_callback
route for Facebook, and in the /handle_twitter_callback
route for Twitter.
(also take a look at the examples)
Get User Profile
Once you have your access tokens secured, you can start making authorized requests on behalf of your users. Purest is a generic REST API client library that supports hundreds of REST API providers.
For example, you may want to get the user's profile after the OAuth flow has completed:
var request = require('request')
var purest = require('purest')({request})
var config = require('@purest/config')
var facebook = purest({provider: 'facebook', config})
var twitter = purest({provider: 'twitter', config,
key: '[CONSUMER_KEY]', secret: '[CONSUMER_SECRET]'
})
facebook
.get('me')
.auth('[ACCESS_TOKEN]')
.request((err, res, body) => {
})
twitter
.get('users/show')
.qs({screen_name: 'nodejs'})
.auth('[ACCESS_TOKEN]', '[ACCESS_SECRET]')
.request((err, res, body) => {
})