Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

loopback-component-oauth2

Package Overview
Dependencies
Maintainers
4
Versions
34
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

loopback-component-oauth2

OAuth 2.0 provider for LoopBack

  • 1.0.0
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
318
decreased by-30.11%
Maintainers
4
Weekly downloads
 
Created
Source

loopback-component-oauth2

The LoopBack oAuth 2.0 component provides full integration between OAuth 2.0 and LoopBack. It enables LoopBack applications to function as an oAuth 2.0 provider to authenticate and authorize client applications and/or resource owners (i.e. users) to access protected API endpoints.

The oAuth 2.0 protocol implementation is based on oauth2orize and passport.

Key building blocks

There are a few key building blocks in loopback-component-oauth2 to provide full oAuth 2.0 server-side capabilities:

  • Authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

  • Resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

For authorization servers, loopback-component-oauth2 implements the oAuth 2.0 protocol endpoints, including authorization endpoint and token endpoint.

For resource servers, loopback-component-oauth2 provides middleware to protect api endpoints. Only those requests with valid oAuth 2.0 access tokens can be accepted. It also establishes identities such as client application id and user id for further access control and personalization.

loopback-component-oauth2 defines the following models to manage oAuth 2.0 metadata such as access tokens, authorization codes, clients (i.e, applications), and resource owners (i.e. users).

  • OAuthAccessToken (persisting access tokens)
  • OAuthAuthorizationCode (persisting authorization codes)

It also uses the user and application model from the loopback module:

  • User (managing resource owners)
  • Application (managing client applications)

loopback-oauth2

Usage

var oauth2 = require('loopback-component-oauth2');

var options = { 
  dataSource: app.dataSources.db, // Data source for oAuth2 metadata persistence
  loginPage: '/login', // The login page url
  loginPath: '/login' // The login form processing url
};

oauth2.oAuth2Provider(
  app, // The app instance
  options // The options
);

The app instance will be used to set up middleware and routes. The data source provides persistence for the oAuth 2.0 metadata models.

Server types

There are two option properties to indicate if you want to set up the oAuth 2.0 provider as an authorization server, a resource server, or both.

  • authorizationServer (boolean)
    • false: Do not set up the authorization server
    • otherwise: Set up the authorization server
  • resourceServer (boolean)
    • false: Do not set up the resource server
    • otherwise: Set up the resource server

Authorization server Options

The following options are available for an authorization server:

  • authorizePath (string or false)

    • a path to mount the authorization endpoint, default to GET '/oauth/authorize'
    • false: Do not set up the authorization endpoint
  • tokenPath (string or false)

    • a path to mount the token endpoint, default to POST '/oauth/token'
    • false: Do not set up the token endpoint
  • decisionPath (string or false)

    • a path to mount the decision endpoint, default to POST '/oauth/authorize/decision'
    • false: Do not set up the decision endpoint
  • decisionView (string)

    • a server-side view name to render the decision dialog. The input for the view is:
      • transactionId: An internal token to prevent forging
      • user: user/resource owner object
      • client: client application object
      • scope: oAuth 2.0 scope(s)
      • redirectURI: redirect uri after the decision is made
  • decisionPage (string)

    • a url to the decision dialog page. It will override decisionView. The query parameters are:
      • transactionId: An internal token to prevent forging
      • userId: user/resource owner id
      • clientId: client application id
      • scope: oAuth 2.0 scope(s)
      • redirectURI: redirect uri after the decision is made
  • loginPath (string or false)

    • a path to mount the user login endpoint, default to POST '/login'
    • false: Do not set up the user login endpoint
  • loginPage (string)

    • a url to the login dialog page, default to '/login'

Supported grant types

The supportedGrantTypes option controls what grant types should be enabled:

  • supportedGrantTypes (string[])
    • default to ['authorizationCode', 'implicit', 'clientCredentials', 'resourceOwnerPasswordCredentials', 'refreshToken', 'jwt'];

Custom functions for token generation

  • generateToken: function(options) returns a token string
  • getTTL: function(grantType, clientId, resourceOwner, scopes) returns a ttl number in seconds

Protect endpoints with oAuth 2.0

oauth2.authenticate(['/protected', '/api', '/me'], 
  {session: false, scope: 'email'});

Examples

This example demonstrates how to implement an OAuth service provider, complete with protected API access.

Keywords

FAQs

Package last updated on 15 Oct 2014

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc