passport-http-bearer
OAuth 2.0: Can't provide non-user data to callback
Hey!
According to the OAuth 2.0 RFC we can use an "access token" to authenticate a client with grant_type="client_credentials", but passport-http-bearer is only compatible with user authentication.
Expected behavior
- Can provide non user data in callback
- Can provide client data in callback
Actual behavior
- Can only provide user data in callback and it can't be set to null
- Cannot provide client data in callback
Example
```javascript
const passport = require('passport');
const BearerStrategy = require('passport-http-bearer').Strategy;
// db, TokenAuthenticationError and TokenExpiredError are assumed to be
// application-defined (not shown in the issue)

passport.use(new BearerStrategy(async (token, done) => {
  try {
    console.log("Authenticate Bearer", token);
    var accessToken = await db.oauthAccessTokens.findOne({
      token: token
    })
      .populate('user')
      .populate('client');
    if (!accessToken) throw new TokenAuthenticationError();
    console.log("accessToken", accessToken);
    if (accessToken.expires && Date.now() > accessToken.expires) throw new TokenExpiredError();
    var scopes = [];
    // Only authenticate USER HERE
    if (accessToken.user) {
      Array.prototype.push.apply(scopes, await accessToken.user.getScopes());
      return done(null, true, {
        scopes: scopes,
      });
    }
    // Only authenticate CLIENT HERE
    if (accessToken.client) Array.prototype.push.apply(scopes, await accessToken.client.scopes);
    return done(null, null, {
      scopes: scopes,
      client: accessToken.client,
    }); // "Unauthorized" because user field is set to null
  } catch (err) {
    done(err);
  }
}));
```
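As an added example (not code from passport-http-bearer or from the issue author), the following shows one way to authenticate client_credentials tokens while keeping the strategy's rule, as the issue describes it, that a falsy user argument to done() means Unauthorized: a client-only token yields a tagged client principal instead of null, and a per-route scope check applies the same way to both kinds of principal. The in-memory token store, the token values and the `kind` tag are constructed assumptions standing in for the issue's db.oauthAccessTokens lookup.

```javascript
// Constructed in-memory token store standing in for db.oauthAccessTokens
// (assumption; the real app would query its database asynchronously).
const NOW = Date.now();
const TOKENS = {
  'tok-user-1': {
    user: { id: 'u1', scopes: ['profile'] },
    client: { id: 'web-app', scopes: ['read'] },
    expires: NOW + 3600 * 1000,
  },
  'tok-client-1': {
    user: null, // client_credentials grant: no resource owner behind the token
    client: { id: 'batch-svc', scopes: ['read', 'write'] },
    expires: NOW + 3600 * 1000,
  },
  'tok-expired': {
    user: null,
    client: { id: 'batch-svc', scopes: ['read'] },
    expires: NOW - 1,
  },
};

function findAccessToken(token) {
  return TOKENS[token] || null;
}

// Verify callback in the (token, done) shape a BearerStrategy expects.
// done(err, principal, info): principal is the user for a user-bound token
// and a tagged client object for a client_credentials token, so it is never
// null for a valid token and the strategy does not reject the request.
function verify(token, done) {
  try {
    const accessToken = findAccessToken(token);
    if (!accessToken) return done(null, false, { reason: 'unknown_token' });
    if (accessToken.expires && Date.now() > accessToken.expires) {
      return done(null, false, { reason: 'token_expired' });
    }
    if (accessToken.user) {
      return done(null, { kind: 'user', id: accessToken.user.id }, {
        scopes: [...accessToken.user.scopes],
        client: accessToken.client,
      });
    }
    if (accessToken.client) {
      return done(null, { kind: 'client', id: accessToken.client.id }, {
        scopes: [...accessToken.client.scopes],
      });
    }
    return done(null, false, { reason: 'no_principal' }); // token bound to nothing
  } catch (err) {
    return done(err);
  }
}

// Stand-in for the strategy's decision rule as the issue describes it: an
// error fails the request, a falsy principal is Unauthorized, anything else
// succeeds and carries principal and info on to the route.
function authenticate(token) {
  let result;
  verify(token, (err, principal, info) => {
    if (err) result = { status: 500, error: err.message };
    else if (!principal) result = { status: 401, info };
    else result = { status: 200, principal, info };
  });
  return result;
}

// Per-route authorization: the same scope check applies whichever kind of
// principal authenticated, so a client token stays within its granted scopes.
function hasScope(result, scope) {
  return result.status === 200 && result.info.scopes.includes(scope);
}
```

With passport installed, `verify` has the signature `new BearerStrategy(verify)` accepts; an async version that awaits a database lookup before calling done() works the same way. Routes can then branch on `req.user.kind` where a resource owner is required and otherwise rely on the scope check alone.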
Thanks for reporting! Totally off-topic: Is there a special reason why you call the Array methods that verbosely? Also if you have error messages related to the Actual behavior please add them, to help search engines find this issue.
I'm using Array.push.apply(arr1, arr2) (according to developer.mozilla) because using arr1.push.apply(arr1, arr2) can be misunderstood.
I'm waiting for acknowledgement from the creator or others because I want to be sure before adding this behavior, and I don't know how to add this behavior without breaking current behaviors...
Because I want to implement it so that we can use the done() callback like this:
```javascript
// With user (without client)
done(null, user, null, {
  scopes: scopes
});
// With client (without user)
done(null, null, client, {
  scopes: scopes
});
```
@axellebot +1, fwiw I think this is a great feature to add. (I'm also using this strategy solely for client_credentials type grants.)