Passport OAuth 2.0 Refresh
An add-on to the Passport authentication library to provide a simple way to refresh your OAuth 2.0 access tokens.
Installation
npm install passport-oauth2-refresh --save
Usage
When setting up your passport strategies, add a call to refresh.use() after passport.use().
An example, using the Facebook strategy:
var passport = require('passport')
  , refresh = require('passport-oauth2-refresh')
  , FacebookStrategy = require('passport-facebook').Strategy;

var strategy = new FacebookStrategy({
  clientID: FACEBOOK_APP_ID,
  clientSecret: FACEBOOK_APP_SECRET,
  callbackURL: "http://www.example.com/auth/facebook/callback"
},
function(accessToken, refreshToken, profile, done) {
  // Keep the refresh token with the user record; it is needed later
  // to request new access tokens.
  User.findOrCreate(..., function(err, user) {
    if (err) { return done(err); }
    done(null, user);
  });
});

// Register the same strategy object with both libraries.
passport.use(strategy);
refresh.use(strategy);
When you need to refresh the access token, call requestNewAccessToken():
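var refresh = require('passport-oauth2-refresh');
refresh.requestNewAccessToken('facebook', 'some_refresh_token', function(err, accessToken, refreshToken) {
  // Check err first, then store the new access token or use it for the next request.
  // refreshToken may be undefined, depending on the provider.
});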
Specific name
Instead of using the default strategy.name, you can set up passport-oauth2-refresh to use a specific name.
passport.use('gmail', googleStrategy);
refresh.use('gmail', googleStrategy); // register the strategy under the same name
refresh.requestNewAccessToken('gmail', 'some_refresh_token', done);
This can be useful if you'd like to reuse strategy objects but under a different name.
Additional parameters
Some endpoints require additional parameters to be sent when requesting a new access token. To send these parameters, specify them when calling requestNewAccessToken as follows:
var extraParams = { some: 'extra_param' };
refresh.requestNewAccessToken('gmail', 'some_refresh_token', extraParams, done);
Examples
- See issue #1 for an example of how to refresh a token when requesting data from the Google APIs.
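The refresh-and-retry pattern around requestNewAccessToken(), as an added example that is not code from this project or from issue #1. The callWithRefresh helper, the callApi and saveTokens hooks, the err.status field and the stubs are assumptions made for illustration; refresher stands in for require('passport-oauth2-refresh').

```javascript
// Added example, not part of passport-oauth2-refresh.
// Assumed: callApi(token, cb) reports a rejected token as err.status === 401;
// saveTokens(tokens, cb) persists them; refresher is the refresh module.
function callWithRefresh(refresher, name, tokens, callApi, saveTokens, done) {
  callApi(tokens.accessToken, function (err, result) {
    if (!err) { return done(null, result); }
    // Only a rejected access token justifies using the refresh token.
    if (err.status !== 401) { return done(err); }

    refresher.requestNewAccessToken(name, tokens.refreshToken,
      function (refreshErr, accessToken, refreshToken) {
        if (refreshErr || !accessToken) {
          // Refresh token revoked or expired: the user must sign in again.
          return done(new Error('token refresh failed; re-authentication required'));
        }
        var fresh = {
          accessToken: accessToken,
          // Providers that do not rotate refresh tokens return none here;
          // keep the stored one rather than overwriting it with undefined.
          refreshToken: refreshToken || tokens.refreshToken
        };
        // Persist before use so a rotated refresh token is never lost.
        saveTokens(fresh, function (saveErr) {
          if (saveErr) { return done(saveErr); }
          // Single retry: a second 401 propagates instead of looping.
          callApi(fresh.accessToken, done);
        });
      });
  });
}

// Constructed stubs so the example runs offline.
var stubRefresher = {
  requestNewAccessToken: function (name, refreshToken, cb) {
    cb(null, 'new_access_token'); // no new refresh token, as some providers do
  }
};
function stubApi(accessToken, cb) {
  if (accessToken !== 'new_access_token') { return cb({ status: 401 }); }
  cb(null, { ok: true });
}
```

In a real application, pass require('passport-oauth2-refresh') as refresher and the name the strategy was registered under.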
Why?
Passport is a library which doesn't deal in implementation-specific details. From the author:
Passport is a library for authenticating requests, and only that. It is not going to get involved in anything that is specific to OAuth, or any other authorization protocol.
Fair enough. Hence, this add-on was born as a way to help deal with refreshing OAuth 2.0 tokens.
It is particularly useful when dealing with Google's OAuth 2.0 implementation, which expires access tokens after 1 hour.
License
MIT