Simple OAuth2
Node.js client library for OAuth2.
OAuth2 lets users grant the access to the desired resources to third party applications, giving them the possibility to enable and disable those accesses whenever they want.
Simple OAuth2 supports the following flows.
- Authorization Code Flow (for apps with servers that can store persistent information).
- Password Credentials (when previous flow can't be used or during development).
- Client Credentials Flow (the client can request an access token using only its client credentials)
Thanks to Open Source
Simple OAuth 2.0 come to life thanks to the work I've made in Lelylan, an open source microservices architecture for the Internet of Things. If this project helped you in any way, think about giving us a star on Github.
Table of Contents
Requirements
The node client library is tested against the latest Node 8 LTS and newer versions.
To use in node 4, 5 or 6, please use simple-oauth2@1.x. Older node versions are unsupported.
Getting started
Installation
Install the client library using npm:
npm install --save simple-oauth2Options
Simple OAuth2 accepts an object with the following valid params.
-
client- required object with the following properties:id- Service registered client id. Required.secret- Service registered client secret. Required.secretParamName- Parameter name used to send the client secret. Default to client_secret.idParamName- Parameter name used to send the client id. Default to client_id.
-
auth- required object with the following properties.tokenHost- String used to set the host to request the tokens to. Required.tokenPath- String path to request an access token. Default to /oauth/token.revokePath- String path to revoke an access token. Default to /oauth/revoke.authorizeHost- String used to set the host to request an "authorization code". Default to the value set onauth.tokenHost.authorizePath- String path to request an authorization code. Default to /oauth/authorize.
-
httpoptional object used to set global options to the internal http library (wreck).- All options except baseUrl are allowed. Default to
headers.Accept = application/json.
- All options except baseUrl are allowed. Default to
-
optionsoptional object to setup the module.bodyFormat- Format of data sent in the request body. Valid options areformorjson. Defaults to form.authorizationMethod- Indicates the method used to send the client.id/client.secret authorization params at the token request. Valid options areheaderorbody. If set to body, the bodyFormat option will be used to format the credentials. Defaults to header.
// Set the configuration settingsconst credentials = client: id: '<client-id>' secret: '<client-secret>' auth: tokenHost: 'https://api.oauth.com' ; // Initialize the OAuth2 Libraryconst oauth2 = ;Example of Usage
See the example folder.
OAuth2 Supported flows
Authorization Code flow
The Authorization Code flow is made up from two parts. At first your application asks to the user the permission to access their data. If the user approves the OAuth2 server sends to the client an authorization code. In the second part, the client POST the authorization code along with its client secret to the oauth server in order to get the access token.
const oauth2 = ; // Authorization oauth2 URIconst authorizationUri = oauth2authorizationCode; // Redirect example using Express (see http://expressjs.com/api.html#res.redirect)res; // Get the access token object (the authorization code is given from the previous step).const tokenConfig = code: '<code>' redirect_uri: 'http://localhost:3000/callback' scope: '<scope>' // also can be an array of multiple scopes, ex. ['<scope1>, '<scope2>', '...']; // Save the access tokentry const result = await oauth2authorizationCode const accessToken = oauth2accessToken; catch error console; Password Credentials Flow
This flow is suitable when the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application. Use this flow only when other flows are not viable or when you need a fast way to test your application.
const oauth2 = ; // Get the access token object.const tokenConfig = username: 'username' password: 'password' scope: '<scope>' // also can be an array of multiple scopes, ex. ['<scope1>, '<scope2>', '...']; // Save the access tokentry const result = await oauth2ownerPassword; const accessToken = oauth2accessToken; catch error console;Client Credentials Flow
This flow is suitable when client is requesting access to the protected resources under its control.
const oauth2 = ;const tokenConfig = scope: '<scope>' // also can be an array of multiple scopes, ex. ['<scope1>, '<scope2>', '...']; // Get the access token object for the clienttry const result = await oauth2clientCredentials; const accessToken = oauth2accessToken; catch error console;Helpers
Access Token object
When a token expires we need to refresh it. Simple OAuth2 offers the AccessToken class that add a couple of useful methods to refresh the access token when it is expired.
// Sample of a JSON access token (you got it through previous steps)const tokenObject = 'access_token': '<access-token>' 'refresh_token': '<refresh-token>' 'expires_in': '7200'; // Create the access token wrapperlet accessToken = oauth2accessToken; // Check if the token is expired. If expired it is refreshed.if accessToken try accessToken = await accessToken; catch error console; The expired helper is useful for knowing when a token has definitively
expired. However, there is a common race condition when tokens are near
expiring. If an OAuth 2.0 token is issued with a expires_in property (as
opposed to an expires_at property), there can be discrepancies between the
time the OAuth 2.0 server issues the access token and when it is received.
These come down to factors such as network and processing latency. This can be
worked around by preemptively refreshing the access token:
// Provide a window of time before the actual expiration to refresh the tokenconst EXPIRATION_WINDOW_IN_SECONDS = 300; const token = accessToken;const expirationTimeInSeconds = tokenexpires_at / 1000;const expirationWindowStart = expirationTimeInSeconds - EXPIRATION_WINDOW_IN_SECONDS; // If the start of the window has passed, refresh the tokenconst nowInSeconds = / 1000;const shouldRefresh = nowInSeconds >= expirationWindowStart;if shouldRefresh try accessToken = await accessToken; catch error console; When you've done with the token or you want to log out, you can revoke the access token and refresh token.
// Revoke both access and refresh tokenstry // Revoke only the access token await accessToken; // Session ended. But the refresh_token is still valid. // Revoke the refresh token await accessToken; catch error console;As a convenience method, you can also revoke both tokens in a single call:
// Revoke both access and refresh tokenstry // Revokes both tokens, refresh token is only revoked if the access_token is properly revoked await accessToken; catch error console;Errors
Errors are returned when a 4xx or 5xx status code is received.
BoomError
As a standard boom error you can access any of the boom error properties. The total amount of information varies according to the generated status code.
try await oauth2authorizationCode; catcherror console; // => {// "statusCode": 401,// "error": "Unauthorized",// "message": "invalid password"// }Contributing
See CONTRIBUTING
Authors
Contributors
Special thanks to the following people for submitting patches.
Changelog
See CHANGELOG
License
Simple OAuth 2.0 is licensed under the Apache License, Version 2.0