
OAuth 2.0: Can't provide non-user data to callback

[Open] axellebot opened this issue 5 years ago • 3 comments

Hey !

According to the OAuth 2.0 RFC, we can use an "access token" to authenticate a client with grant_type="client_credentials", but passport-http-bearer is only compatible with user authentication.

Expected behavior

  • Can provide non-user data in callback
  • Can provide client data in callback

Actual behavior

  • Can only provide user data in callback and it can't be set to null
  • Cannot provide client data in callback

Example

passport.use(new BearerStrategy(async (token, done) => {
  try {
    console.log("Authenticate Bearer", token);
    // Look up the access token together with its owning user and client
    const accessToken = await db.oauthAccessTokens.findOne({ token: token })
      .populate('user')
      .populate('client');

    if (!accessToken) throw new TokenAuthenticationError();
    console.log("accessToken", accessToken);
    if (accessToken.expires && Date.now() > accessToken.expires) throw new TokenExpiredError();

    const scopes = [];

    // Only authenticate USER HERE
    if (accessToken.user) {
      Array.prototype.push.apply(scopes, await accessToken.user.getScopes());
      return done(null, accessToken.user, {
        scopes: scopes,
      });
    }

    // Only authenticate CLIENT HERE
    if (accessToken.client) Array.prototype.push.apply(scopes, await accessToken.client.scopes);
    return done(null, null, {
      scopes: scopes,
      client: accessToken.client,
    }); // "Unauthorized" because user field is set to null

  } catch (err) {
    done(err);
  }
}));

axellebot, Jan 06 '19 20:01

Thanks for reporting! Totally off-topic: Is there a special reason why you call the Array methods that verbosely? Also if you have error messages related to the Actual behavior please add them, to help search engines find this issue.

mk-pmb, Jan 07 '19 22:01

> Thanks for reporting! Totally off-topic: Is there a special reason why you call the Array methods that verbosely? Also if you have error messages related to the Actual behavior please add them, to help search engines find this issue.

I'm using Array.push.apply(arr1, arr2) (according to developer.mozilla) because using arr1.push.apply(arr1, arr2) can be misunderstood.

I'm waiting for acknowledgement from the creator or others, because I want to be sure before adding this behavior, and I don't know how to add this behavior without breaking current behaviors...

Because I want to implement it so that we can use the done() callback like this:

// With user (without client)
done(null, user, null, {
  scopes: scopes
});

// With client (without user)
done(null, null, client, {
  scopes: scopes
});

axellebot, Jan 08 '19 12:01
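A workaround under the library's current done(err, user, info) contract, added here as an example and not code from the issue author or from passport-http-bearer: since the strategy only rejects a falsy second argument, a client_credentials token can be handed through as a truthy principal object instead of null. The in-memory TOKEN_STORE stands in for the db.oauthAccessTokens lookup and is constructed for the example.

```javascript
// Added example; the token store below is constructed, standing in for
// db.oauthAccessTokens.findOne(...).populate('user').populate('client').
const NOW = Date.now();
const TOKEN_STORE = new Map([
  ['user-tok',   { user: { id: 'u1', scopes: ['profile'] }, client: null,
                   expires: NOW + 3600e3 }],
  ['client-tok', { user: null, client: { id: 'c1', scopes: ['metrics:read'] },
                   expires: NOW + 3600e3 }],
  ['stale-tok',  { user: { id: 'u2', scopes: ['profile'] }, client: null,
                   expires: NOW - 1 }],
]);

// Resolve a bearer token to { principal, info }. principal is false when the
// token must be rejected (unknown, expired, or owned by neither user nor client),
// which is exactly what passport-http-bearer turns into 401 invalid_token.
function resolveBearerToken(token, now = Date.now(), store = TOKEN_STORE) {
  const record = store.get(token);
  if (!record) return { principal: false, info: { message: 'invalid_token' } };
  if (record.expires && now > record.expires) {
    return { principal: false, info: { message: 'token_expired' } };
  }
  if (record.user) {
    // Ordinary user token: the user object becomes req.user
    return { principal: { type: 'user', user: record.user },
             info: { scopes: [...record.user.scopes] } };
  }
  if (record.client) {
    // client_credentials token: a truthy principal so the strategy does not
    // fail the request even though no user is involved; scopes still travel
    // in info for downstream authorization checks
    return { principal: { type: 'client', client: record.client },
             info: { scopes: [...record.client.scopes] } };
  }
  return { principal: false, info: { message: 'invalid_token' } };
}

// Verify callback in the shape the library expects:
//   passport.use(new BearerStrategy(verifyBearer))
function verifyBearer(token, done) {
  try {
    const { principal, info } = resolveBearerToken(token);
    return done(null, principal, info);
  } catch (err) {
    return done(err);
  }
}
```

Route handlers then branch on req.user.type rather than assuming a user, and enforce scopes from the info object via req.authInfo.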

@axellebot +1, fwiw I think this is a great feature to add. (I'm also using this strategy solely for client_credentials type grants.)

dmitrizagidulin, Sep 18 '20 18:09