Simple OAuth2
Node.js client library for Oauth2.
OAuth2 lets users grant the access to the desired resources to third party applications, giving them the possibility to enable and disable those accesses whenever they want.
Simple OAuth2 supports the following flows.
- Authorization Code Flow (for apps with servers that can store persistent information).
- Password Credentials (when previous flow can't be used or during development).
- Client Credentials Flow (the client can request an access token using only its client credentials)
Requirements
Node client library is tested against Node ~0.8.x
Installation
Install the client library using npm:
$ npm install simple-oauth2-promise
Install the client library using git:
$ git clone git://github.com/jonathansamines/simple-oauth2.git
$ cd simple-oauth2
$ npm install
Getting started
Express and Github example
var express = app = ; var oauth2 = clientID: CLIENT_ID clientSecret: CLIENT_SECRET site: 'https://github.com/login' tokenPath: '/oauth/access_token' authorizationPath: '/oauth/authorize'; // Authorization uri definitionvar authorization_uri = oauth2authCode; // Initial page redirecting to Githubapp; // Callback service parsing the authorization token and asking for the access tokenapp; app; app; console;
Credits to @lazybean
Authorization Code flow
The Authorization Code flow is made up from two parts. At first your application asks to the user the permission to access their data. If the user approves the OAuth2 server sends to the client an authorization code. In the second part, the client POST the authorization code along with its client secret to the Lelylan in order to get the access token.
// Set the client credentials and the OAuth2 servervar credentials = clientID: '<client-id>' clientSecret: '<client-secret>' site: 'https://api.oauth.com'; // Initialize the OAuth2 Libraryvar oauth2 = credentials; // Authorization oauth2 URIvar authorization_uri = oauth2authCode; // Redirect example using Express (see http://expressjs.com/api.html#res.redirect)res; // Get the access token object (the authorization code is given from the previous step).var token;oauth2authCode; // Save the access token { if error console; token = oauth2accessToken;});
Password Credentials Flow
This flow is suitable when the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application. Use this flow only when other flows are not viable or when you need a fast way to test your application.
// Get the access token object.var token;oauth2password; // Save the access token { if error console; token = oauth2accessToken; oauth2;});
Client Credentials Flow
This flow is suitable when client is requesting access to the protected resources under its control.
// Get the access token object.var token;var credentials = clientID: '<client-id>' clientSecret: '<client-secret>' site: 'https://api.oauth.com'; // Initialize the OAuth2 Libraryvar oauth2 = credentials; // Get the access token object for the clientoauth2client; // Save the access token { if error console; token = oauth2accessToken;});
Access Token object
When a token expires we need to refresh it. Simple OAuth2 offers the AccessToken class that add a couple of useful methods to refresh the access token when it is expired.
// Sample of a JSON access token (you got it through previous steps)var token = 'access_token': '<access-token>' 'refresh_token': '<refresh-token>' 'expires_in': '7200'; // Create the access token wrappervar token = oauth2accessToken; // Check if the token is expired. If expired it is refreshed.if token token
When you've done with the token or you want to log out, you can revoke the access token and refresh token.
// Revoke only the access tokentoken;
Errors
Exceptions are raised when a 4xx or 5xx status code is returned.
HTTPError
Through the error message attribute you can access the JSON representation
based on HTTP status
and error message
.
oauth2authCode;// => { "status": "401", "message": "Unauthorized" }
Configurations
Simple OAuth2 accepts an object with the following valid params.
clientID
- Required registered Client ID.clientSecret
- Required registered Client secret.site
- Required OAuth2 server site.authorizationPath
- Authorization path for the OAuth2 server. Defaults to/oauth/authorize
.tokenPath
- Access token path for the OAuth2 server. Defaults to/oauth/token
.revocationPath
- Revocation token path for the OAuth2 server. Defaults to/oauth/revoke
.useBasicAuthorizationHeader
- Whether or not theAuthorization: Basic ...
header is set on the request. Defaults totrue
.clientSecretParameterName
- Parameter name for the client secret. Defaults toclient_secret
.
// Set the configuration settingsvar credentials = clientID: '<client-id>' clientSecret: '<client-secret>' site: 'https://www.oauth2.com' authorizationPath: '/oauth2/authorization' tokenPath: '/oauth2/access_token' revocationPath: '/oauth2/revoke'; // Initialize the OAuth2 Libraryvar oauth2 = credentials;
Contributing
Fork the repo on github and send a pull requests with topic branches. Do not forget to provide specs to your contribution.
Running specs
- Fork and clone the repository (
dev
branch). - Run
npm install
for dependencies. - Run
make test
to execute all specs. - Run
make test-watch
to auto execute all specs when a file change.
Coding guidelines
Follow github guidelines.
Feedback
Use the issue tracker for bugs.
Authors
Contributors
Changelog
See CHANGELOG
Copyright
Copyright (c) 2013 Lelylan.
This project is released under the MIT License.