passport-oauth2

What is passport-oauth2?

The `passport-oauth2` npm package is a strategy for the Passport authentication middleware that allows you to authenticate using OAuth 2.0. It is designed to be flexible and can be used with any OAuth 2.0 provider, making it a versatile tool for integrating third-party authentication into your Node.js applications.

What are passport-oauth2's main functionalities?

OAuth 2.0 Authentication

This feature allows you to set up OAuth 2.0 authentication with a specified provider. The code sample demonstrates how to configure the OAuth2Strategy with the necessary endpoints and client credentials, and how to handle the authentication callback.

const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2').Strategy;

passport.use(new OAuth2Strategy({
    authorizationURL: 'https://example.com/oauth2/authorize',
    tokenURL: 'https://example.com/oauth2/token',
    clientID: 'YOUR_CLIENT_ID',
    clientSecret: 'YOUR_CLIENT_SECRET',
    callbackURL: 'https://www.example.net/auth/example/callback'
  },
  function(accessToken, refreshToken, profile, cb) {
    User.findOrCreate({ exampleId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));

Custom Authorization Parameters

This feature allows you to add custom headers or parameters to the authorization request. The code sample shows how to include custom headers in the OAuth2Strategy configuration.

passport.use(new OAuth2Strategy({
    authorizationURL: 'https://example.com/oauth2/authorize',
    tokenURL: 'https://example.com/oauth2/token',
    clientID: 'YOUR_CLIENT_ID',
    clientSecret: 'YOUR_CLIENT_SECRET',
    callbackURL: 'https://www.example.net/auth/example/callback',
    customHeaders: { 'Authorization': 'Bearer YOUR_ACCESS_TOKEN' }
  },
  function(accessToken, refreshToken, profile, cb) {
    User.findOrCreate({ exampleId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));

Token Revocation

This feature allows you to revoke an OAuth 2.0 token. The code sample demonstrates how to send a POST request to the token revocation endpoint with the token to be revoked.

const request = require('request');

function revokeToken(token, done) {
  const options = {
    url: 'https://example.com/oauth2/revoke',
    form: { token: token }
  };
  request.post(options, function(err, response, body) {
    if (err) { return done(err); }
    done(null, body);
  });
}

Other packages similar to passport-oauth2

passport-google-oauth20

The `passport-google-oauth20` package is a Passport strategy for authenticating with Google using the OAuth 2.0 API. It is specifically tailored for Google authentication, making it easier to integrate Google login into your application. Unlike `passport-oauth2`, which is a general-purpose OAuth 2.0 strategy, `passport-google-oauth20` is specialized for Google.

passport-facebook

The `passport-facebook` package is a Passport strategy for authenticating with Facebook using the OAuth 2.0 API. It simplifies the process of integrating Facebook login into your application. Similar to `passport-google-oauth20`, it is specialized for Facebook authentication, whereas `passport-oauth2` is more generic.

passport-github

The `passport-github` package is a Passport strategy for authenticating with GitHub using the OAuth 2.0 API. It is designed specifically for GitHub authentication, making it easier to integrate GitHub login into your application. This package is specialized for GitHub, unlike `passport-oauth2`, which can be used with any OAuth 2.0 provider.

README

passport-oauth2

General-purpose OAuth 2.0 authentication strategy for Passport.

This module lets you authenticate using OAuth 2.0 in your Node.js applications. By plugging into Passport, OAuth 2.0-based sign in can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.

Note that this strategy provides generic OAuth 2.0 support. In many cases, a provider-specific strategy can be used instead, which cuts down on unnecessary configuration, and accommodates any provider-specific quirks. See the list for supported providers.

Developers who need to implement authentication against an OAuth 2.0 provider that is not already supported are encouraged to sub-class this strategy. If you choose to open source the new provider-specific strategy, please add it to the list so other people can find it.

:brain: Understanding OAuth 2.0 • :heart: Sponsors

---

^{Advertisement}
Learn OAuth 2.0 - Get started as an API Security Expert
Just imagine what could happen to YOUR professional career if you had skills in OAuth > 8500 satisfied students

---

...

Install

$ npm install passport-oauth2

Usage

Configure Strategy

The OAuth 2.0 authentication strategy authenticates users using a third-party account and OAuth 2.0 tokens. The provider's OAuth 2.0 endpoints, as well as the client identifer and secret, are specified as options. The strategy requires a verify callback, which receives an access token and profile, and calls cb providing a user.

passport.use(new OAuth2Strategy({
    authorizationURL: 'https://www.example.com/oauth2/authorize',
    tokenURL: 'https://www.example.com/oauth2/token',
    clientID: EXAMPLE_CLIENT_ID,
    clientSecret: EXAMPLE_CLIENT_SECRET,
    callbackURL: "http://localhost:3000/auth/example/callback"
  },
  function(accessToken, refreshToken, profile, cb) {
    User.findOrCreate({ exampleId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));

Authenticate Requests

Use passport.authenticate(), specifying the 'oauth2' strategy, to authenticate requests.

For example, as route middleware in an Express application:

app.get('/auth/example',
  passport.authenticate('oauth2'));

app.get('/auth/example/callback',
  passport.authenticate('oauth2', { failureRedirect: '/login' }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });

Related Modules

• passport-oauth1 — OAuth 1.0 authentication strategy
• passport-http-bearer — Bearer token authentication strategy for APIs
• OAuth2orize — OAuth 2.0 authorization server toolkit

Contributing

Tests

The test suite is located in the test/ directory. All new features are expected to have corresponding test cases. Ensure that the complete test suite passes by executing:

$ make test

Coverage

All new feature development is expected to have test coverage. Patches that increse test coverage are happily accepted. Coverage reports can be viewed by executing:

$ make test-cov
$ make view-cov

License

The MIT License

Copyright (c) 2011-2016 Jared Hanson <http://jaredhanson.net/>

Changelog

[1.8.0] - 2024-02-02

Fixed

• Fixed intermittent "Failed to obtain access token" error by updating oauth dependency from 0.9.x to 0.10.x. This error seems to occur more frequently on fast connections which get reset after receiving an access token response.