

    0.0.3 • Public • Published


    Provide a base class for OAuth2 Provider

    Supported Grant Types

    1. authorization code
    2. implicit
    3. user password
    4. client password


    Assuming you have already instantiated a provider from my base class, your app needs to listen on the following 3 paths:

      app.get  "/dialog/authorize", provider.authorization()
      app.post "/dialog/authorize/decision", provider.decision()  # POST assumed for the decision form
      app.post "/oauth/token", provider.token()

    For protected resources, add a passport middleware so that bearer tokens are checked before your API processes the request:

      api.use '/', passport.authenticate("bearer", session: false)

    Note: your path names can be different; however, I will use the above names in this guide.

    How to use

    Client Password

    The Client Password grant type is used when the consumer needs to make API calls to protected resources as an application, not as a resource owner. It is useful, for example, for getting the total number of online users (which is not related to any particular user).

    To use the client password grant type, the consumer code needs to POST to {hostname}/oauth/token:

      # assumes the "request" HTTP client and should.js assertions
      body = {
        grant_type: 'client_credentials'
        client_id: client.clientId
        client_secret: client.clientSecret
        scope: '*'
      }
      request.post '{hostname}/oauth/token', {json: true, body}, (err, res, code) ->
        res.statusCode.should.equal 200
        code.access_token.should.be.a 'string'
        code.token_type.should.equal 'Bearer'

    The consumer should receive a JSON object with the following format:

      {
        "token_type": "Bearer",
        "access_token": "<your access token>"
      }

    From now on, your consumer can call protected resources by adding a header to each request:

      Authorization: Bearer <your access token>

    Note: It's important to set json:true because the endpoint expects an application/json request content-type.

    How it works:

    1. validation step

    When a POST to /oauth/token is made, the provider verifies your client credentials by calling provider.validateClient(clientId, clientSecret, done), which asynchronously returns the client object, or false, depending on the validity of the input, via done (an err-first node-style callback).

    2. token issue step

    If the credentials are valid, the request is logged in as the given client and passed to the next middleware, where the access token is actually issued. In this step, provider.exchangeClientCredentialsForToken(client, scope, done) is called with the validated client and the requested scope. You must asynchronously return a new token as a string via done (also an err-first node-style callback).
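
    One way to write the two hooks described above, as an added example in plain JavaScript (not code from this package). The in-memory maps, the sample client, the scope names and the lookupToken helper are assumptions; attaching the two functions as methods of your provider subclass is also assumed.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();

// Constructed sample registry: only a digest of each client secret is stored.
const clients = new Map([['reporting-app', {
  clientId: 'reporting-app',
  secretHash: sha256('constructed-sample-secret'),
  allowedScopes: ['stats:read'],
}]]);
const issuedTokens = new Map(); // token digest (hex) -> grant record

// Hook 1, called by the validation step with (clientId, clientSecret, done).
function validateClient(clientId, clientSecret, done) {
  const client = clients.get(clientId);
  // Unknown clients are compared against a dummy digest so both paths do the same work.
  const expected = client ? client.secretHash : sha256('');
  const match = crypto.timingSafeEqual(sha256(clientSecret), expected);
  done(null, client && match ? client : false);
}

// Hook 2, called by the token issue step with (client, scope, done).
function exchangeClientCredentialsForToken(client, scope, done) {
  const requested = [].concat(scope || [])
    .flatMap((s) => String(s).split(/\s+/)).filter(Boolean);
  // '*' is narrowed to the client's registered scopes; anything else must be a subset.
  const granted = requested.includes('*') ? client.allowedScopes : requested;
  if (!granted.length || !granted.every((s) => client.allowedScopes.includes(s))) {
    return done(new Error('invalid_scope'));
  }
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  issuedTokens.set(sha256(token).toString('hex'), {
    clientId: client.clientId,
    scope: granted,
    expiresAt: Date.now() + 60 * 60 * 1000, // one hour
  });
  done(null, token); // the plaintext token leaves the process only here
}

// Hypothetical helper for the bearer check: resolve a presented token to its grant.
function lookupToken(token) {
  const grant = issuedTokens.get(sha256(token).toString('hex'));
  return grant && grant.expiresAt > Date.now() ? grant : false;
}
```

    Both hooks call done synchronously here because the store is in memory; with a database the same logic runs inside the query callback.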


    npm i t-oauth2-provider


    • tungv