node-oauth2-server
Advanced tools
Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
npm install oauth2-server
The module provides two middlewares, one for authorization and routing, another for error handling, use them as you would any other middleware:
var express = require('express'),
bodyParser = require('body-parser'),
oauthserver = require('oauth2-server');
var app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.oauth = oauthserver({
model: {}, // See below for specification
grants: ['password'],
debug: true
});
app.all('/oauth/token', app.oauth.grant());
app.get('/', app.oauth.authorise(), function (req, res) {
res.send('Secret area');
});
app.use(app.oauth.errorHandler());
app.listen(3000);
After running with node, visting http://127.0.0.1:3000 should present you with a json response saying your access token could not be found.
Note: As no model was actually implemented here, delving any deeper, i.e. passing an access token, will just cause a server error. See below for the specification of what's required from the model.
password and refresh_token[]true errors will be logged to console. You may also pass a custom function, in which case that function will be called with the error as its first argumentfalsenull, tokens will considered to never expire3600null, tokens will considered to never expire120960030client_id structures, change as needed/^[a-z0-9-_]{3,40}$/inext will be called even if a response has been sent (you probably don't want this)The module requires a model object through which some aspects or storage, retrieval and custom validation are abstracted. The last parameter of all methods is a callback of which the first parameter is always used to indicate an error.
Note: see https://github.com/thomseddon/node-oauth2-server/tree/master/examples/postgresql for a full model example using postgres.
null to indicate the token never expiresuser key exists, this is saved as req.useruserId key must exist, which is saved in req.user.idreq.clientauthorization_code grant type only)authorization_code grant typeuser to the codeGrant function (see example)password grant typereq.userrefresh_token grant typenull to indicate the token never expiresThe spec does not actually require that you revoke the old token - hence this is optional (Last paragraph: http://tools.ietf.org/html/rfc6749#section-6)
req.userclient_credentials grant typereq.useraccessToken or refreshTokenYou can support extension/custom grants by implementing the extendedGrant method as outlined above.
Any grant type that is a valid URI will be passed to it for you to handle (as defined in the spec).
You can access the grant type via the first argument and you should pass back supported as false if you do not support it to ensure a consistent (and compliant) response.
password grant typeFirst you must insert client id/secret and user into storage. This is out of the scope of this example.
To obtain a token you should POST to /oauth/token. You should include your client credentials in
the Authorization header ("Basic " + client_id:client_secret base64'd), and then grant_type ("password"),
username and password in the request body, for example:
POST /oauth/token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
This will then call the following on your model (in this order):
Provided there weren't any errors, this will return the following (excluding the refresh_token if you've not enabled the refresh_token grant type):
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
See: https://github.com/thomseddon/node-oauth2-server/blob/master/Changelog.md
Copyright (c) 2013 Thom Seddon
2.4.0
Set Cache-Control and Pragma headers
Allow any valid URI for extension grants
Expose client to extendedGrant and after via req.oauth.client
Fix express depreciation warning for res.send()
Expose user to generateToken and after via req.user
Fix lockdown pattern for express 3
Add redis example
Fix docs to use new express bodyParser module
Fix docs for redirect_uri
Clarify docs for clientIdRegex
Fix docs for missing req argument in generateToken
Fix docs for user/userId getAccessToken
Fix docs for argument order in getRefreshToken
FAQs
Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
The npm package node-oauth2-server receives a total of 1,211 weekly downloads. As such, node-oauth2-server popularity was classified as popular.
We found that node-oauth2-server demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.