Implementing an authorization code grant flow
I can see that there is an implementation of the authorization code grant flow in the repo (node-oauth2-server/lib/grant-types/authorization-code-grant-type.js), but I don't see it mentioned in the documentation other than that this flow is "supported." I think this information should be documented, no?
Sorry if I'm missing something but I've been staring at this documentation for hours now and I'm no closer to implementing this flow.
Model functions that are required for the authorization code grant are listed here. What else do you need to know? I'm not trying to sound condescending; I probably just know the module too well and forgot to put something important in the docs.
Would you like to implement an OAuth 2 server with Express.js? If yes, I recommend this wrapper: https://github.com/oauthjs/express-oauth-server
A complete working Express example updated for v3 would be magic.
Wasting a lot of time trying to get an authorization code flow working.
I have all the right functions in the model.
What am I supposed to do in the app.get('/oauth/authorize') Express handler to get back the default system-generated authorization code?
I'm using express-oauth-server (as oauth) and calling oauth.authorize, because I dug through the code and it looks like I am supposed to, but authorize-handler.handle() is calling getUser(), which then calls authenticate-handler.handle(), which is looking for tokens and throwing errors.
The current Express example is incomplete: I have no idea what the view 'authorize' does, or how it results in an authorization code being generated:
```javascript
const util = require('util');

app.get('/oauth/authorize', function(req, res) {
  // Redirect anonymous users to the login page, carrying the OAuth parameters along
  // (URL-encoded so a redirect_uri containing '&' or '?' survives the round trip).
  if (!req.app.locals.user) {
    return res.redirect(util.format('/login?redirect=%s&client_id=%s&redirect_uri=%s',
      encodeURIComponent(req.path),
      encodeURIComponent(req.query.client_id),
      encodeURIComponent(req.query.redirect_uri)));
  }
  // Render the 'authorize' view with the client parameters.
  return res.render('authorize', {
    client_id: req.query.client_id,
    redirect_uri: req.query.redirect_uri
  });
});
```
This is a bit frustrating as well. Calling app.oauth.authorize for access_token results in
invalid_request: Invalid request: malformed authorization header
I've never seen a bearer token needed to get an access_token in the Authorization Grant Flow. Documentation on this is needed.
Wrong Way
Current password / refreshToken grant flow -> changed into an authorization code flow:
```javascript
// Monkey-patch res.send so the JSON token response produced by the password grant
// is swapped for an authorization code; the token itself is parked in Redis under that code.
app.all("/oauth/authorise", (req, res, next) => {
  const originalSend = res.send;
  res.send = function () {
    try {
      const { access_token, ...rest } = JSON.parse(arguments[0]);
      if (access_token) {
        const { state } = req.body;
        // Math.random() is not a CSPRNG; crypto.randomBytes() is the safer choice for codes.
        const code = Math.random().toString(36).slice(-8);
        arguments[0] = JSON.stringify({ code, state });
        redisHelper.saveTemp(code, { access_token, ...rest }, e => {
          console.log("e: ", e);
        });
      }
    } catch (e) {
      // Body was not JSON (e.g. an error page): pass it through unchanged.
    }
    originalSend.apply(this, arguments);
  };
  next();
});

// Turn the incoming authorization request into a password grant, using the stored
// client credentials and the logged-in session user, then hand it to the grant handler.
app.all(
  "/oauth/authorise",
  (req, res, next) => {
    req.body = { ...req.body, ...req.session.user };
    const { response_type, client_id, redirect_uri } = req.body;
    if (!(response_type && client_id && redirect_uri)) {
      // Without this branch the request would hang forever.
      return res.status(400).json({ error: "invalid_request" });
    }
    redisHelper.getApp(client_id, (e, app) => {
      if (e || !app) return res.status(400).json({ error: "invalid_client" });
      req.body = {
        ...req.body,
        client_id: app.clientId,
        client_secret: app.clientSecret,
        grant_type: "password"
      };
      next();
    });
  },
  app.oauth.grant()
);
```
@dbclkclk exactly. The aim of the authorization_code flow is to get a grant code in order to get an access token, but it already expects an access token to get a grant code. Then what's the whole point?
@maxtruxa I think the implementation for authorization_code flow is not correct. The authentication should be against the User database (probably something like Basic auth), instead of expecting an access token. Check this: https://www.oauth.com/playground/authorization-code.html
Any updates on this?
I followed the example https://github.com/14gasher/oauth-example/blob/master/auth/routes/auth.js and by setting
```javascript
server.authorize({
  // Hand the logged-in user straight to the authorize handler so it does not
  // go looking for a bearer token (the fixed userId is just for illustration).
  authenticateHandler: {
    handle: req => { return { userId: 1 }; }
  }
})
```
I made it work with the authorization code grant.