
Correct way to access the "request" object during "token endpoint".

Open jhnferraris opened this issue 7 years ago • 17 comments

I want to access the request object of the token endpoint so that I'll know the request headers accessing it.

As shown in this section:

app.post('/token',
  passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
  server.token(),
  server.errorHandler());

I understand that the server.token() part returns the access tokens in the response of the POST /token endpoint.

So I tweaked that part in order to access the request object, which got me here:

app.post("/token",
  passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
  (request, response) => {
    // Now where to implement this?
    // server.token();
    console.log(request.headers);
    response.status(200).json({access_token: 'asfdasfd', expires_at: 'asdfasdf', token_type: 'asdfasdf'});
  });

I can access the request headers, but now I cannot get the right tokens. Is there any way to implement this correctly?

thanks

jhnferraris avatar Sep 08 '16 06:09 jhnferraris

What headers do you need access to and why?


jaredhanson avatar Sep 08 '16 15:09 jaredhanson

I have a use case for accessing the request as well. We have a multitenant application, and we get the connection to the tenant's database per request, so the database connection lives on the request object. So in order to search for clients or tokens, I need req.model('Client').findOne(). I was almost not going to be able to use passport for this reason, but there's the passReqToCallback option which makes this feasible. Might be an edge case that shouldn't be supported, just thought I'd plug in my use case.

ksmithut avatar Oct 13 '16 16:10 ksmithut

Taking model data onto a request is probably not a pattern that I would be encouraging. As a workaround, req.authInfo gets passed to the exchanges. You could use this to marshal things across, like so:

app.post('/oauth2/token',
  passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
  function(req, res, next) {
    // copy what the exchanges need onto req.authInfo, which oauth2orize passes through
    req.authInfo.model = req.model;
    next();
  },
  server.token(),
  server.errorHandler()
);

Again, that's definitely not the intent and purpose behind this, but it should work as a workaround.

jaredhanson avatar Oct 13 '16 16:10 jaredhanson

Agreed, it's been kind of a pain having it in the request. It does seem more "functional", and makes it easier to maintain a single-tenant and multi-tenant codebase in the same place when you do database-level multitenancy, but has its own share of issues and tradeoffs. I'm okay with the current set of functionality without extension to support these edge cases.

ksmithut avatar Oct 13 '16 17:10 ksmithut

It was very painful to find a way to pass the request object to oauth2orize.exchange.password. It would be better to have this option by default, instead of writing workarounds such as

    (req, res, next) => {
        req.authInfo.req = req;
        next();
    },

after an hour of digging in the code and googling.

PinkaminaDianePie avatar Oct 31 '16 14:10 PinkaminaDianePie

Can people posting here please provide descriptions of what data is in the request that is needed (and missing) in what is currently passed to grants and exchanges? Understanding use cases helps implement the best solution. Thanks.

jaredhanson avatar Oct 31 '16 16:10 jaredhanson

For example, I need to know the user's IP, because some customers want to grant access to their users only if their IP is in a whitelist. So I need access to the request IP.

The best solution is to simply provide the request to the password method. You cannot know all the cases of all people and support them at once, so just pass the request and let people do what they need.

PinkaminaDianePie avatar Oct 31 '16 16:10 PinkaminaDianePie

+1

kirrg001 avatar Jan 23 '17 18:01 kirrg001

+1

tanansatpal avatar Apr 12 '17 07:04 tanansatpal

+1

drywet avatar Apr 13 '17 07:04 drywet

+1. I need to access the user entity fetched from the DB after server.token() to use it on the response 'finish' event.

drywet avatar Apr 13 '17 07:04 drywet

+1. I need to access the client IP (and the x-forwarded header, etc)

hromanko avatar Sep 08 '17 21:09 hromanko

+1 I'd like to access Accept-Language header in request in order to send back proper i18n "invalid username or password" messages...

jadidian avatar Oct 30 '17 06:10 jadidian

This has been addressed with passReqToCallback as shown in http://www.passportjs.org/docs/authorize/

tomniemiller avatar Feb 24 '18 03:02 tomniemiller

+1 I'd like to save some user info from headers right after a successful grant (password exchange). @jaredhanson How would that be possible? Basically I want to access the request headers after login success.

khateebf13 avatar Jul 02 '20 06:07 khateebf13

+1

2coo avatar Nov 05 '20 03:11 2coo

+1 I have local login and social login for my app. So once a user has successfully logged in via any social account, I want to set the req.session.passport object so that the user will not be redirected to the login page again when calling the authorize endpoint.

mdumanoj avatar Sep 20 '21 08:09 mdumanoj