
oauth-example's People

Contributors: 14gasher, jaynarw


oauth-example's Issues

Demo times out on redirect to /oauth/authorize

I'm trying to test the demo to understand the flow - the /oauth form submission passes values into the server but the server process never resolves and the redirect to /oauth/authorize eventually times out. This is the final output of the dev server:

[Screenshot: final output of the dev server, 2019-11-19]

All but 3 of the included tests are also failing due to timeouts or 400s.

Any help would be appreciated!

Include Sqlite

To better understand how all of this stuff connects together, include sqlite to demonstrate how the db relates. This will allow us to demonstrate bad clients / users.

Authentication example

Authentication is not supported out of the box with OAuth library.

The flow needs to look like this:

  1. Client redirects user to auth server
  2. Authentication
    a. If user enters false information, server kicks them back to the form
    b. Otherwise, server passes request on to authenticate middleware
  3. Continue as normal

Let's implement this as a middleware looking approximately like this:

```js
const checkIfValid = (req, res, next) => {
  // validUser(req) stands for the app's own credential check (placeholder in this sketch)
  if (validUser(req)) return next()
  // otherwise send the user back to the form, with the error in the query string
  // ('/authForm' is a placeholder for the real form route)
  return res.redirect('/authForm?error=bad_info')
}
router.post('/fromAuthForm', checkIfValid, oauthJunk)
```

solved bugs in your code

I solved the bugs in your code according to the new latest version. How do I give push requests to your repo?

Should update readMe and code

When creating this server, I had an issue with token creation when calling getAuthorizationCode where my console would say something along the lines of "InvalidRequest: redirect_uri is not a valid URI". I did some digging and found that this is because the request for a token must include the redirect_uri in it, and this is verified by a comment included at node_modules\express-oauth-server\node_modules\oauth2-server\lib\grant-types\authorization-code-grant-type.js on line 126 which reads:

"The authorization server MUST ensure that the redirect_uri parameter is present if the redirect_uri parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical."

To fix this, I made sure that our client sent this by including

```js
const redirecturi = 'http://localhost:3030/client/app'
```

and editing line 39 to be

```js
body: `code=${code}&client_secret=${secret}&client_id=${id}&grant_type=authorization_code&redirect_uri=${redirecturi}`
```


Fix generateAuthorizationCode without editing library

Just open model.js and at line 111 change the function to:

```js
generateAuthorizationCode: (client, user, scope, cb) => {
  log({
    title: 'Generate Authorization Code',
    parameters: [
      { name: 'client', value: client },
      { name: 'user', value: user },
    ],
  })

  // 256 random bytes hashed with SHA-1 give a 40-character hex code
  // (crypto is Node's built-in module, required at the top of model.js)
  const seed = crypto.randomBytes(256)
  const code = crypto
    .createHash('sha1')
    .update(seed)
    .digest('hex')
  cb(null, code)
},
```

Add Authorization landing page example

Firstly, I just want to say thank you for your hard work and for sharing this with us. It's helped me understand the flow of using authorization codes in node-oauth2-server a lot better than the official documentation.

I was wondering whether you would be open to the idea of adding an example of how to implement an authorization landing page, where the user is prompted to make a decision on whether or not to grant the client's request.

Much appreciated.

Token

Not able to call oauth/token on the redirect URI.

Authenticate

The oauthServer.authenticate() doesn't care about the token at all...
Even if you pass an invalid token, the request will be authorized.

Any thoughts?

Edit:

Found it: the getAccessToken missed a db check.
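What that missing check looks like, as an added example that is not the repository's code: node-oauth2-server's authenticate() calls the model's getAccessToken(token) and treats a falsy result as an invalid token, so the buggy shape below (no store lookup) accepts anything, while the fixed shape returns null for unknown or expired tokens. The Map store, saveAccessToken and the small authenticate() stand-in are constructed for this example.

```javascript
// Added example (not the repository's code): the model method behind
// authenticate(), in the buggy shape and the fixed shape.
const tokens = new Map() // constructed stand-in for the access_tokens table

function saveAccessToken(token, client, user) {
  tokens.set(token.accessToken, { ...token, client, user })
}

// Buggy: never consults the store, so every bearer token "authenticates".
function getAccessTokenNoDbCheck(accessToken) {
  return { accessToken, accessTokenExpiresAt: new Date(Date.now() + 3600e3), client: {}, user: {} }
}

// Fixed: unknown tokens yield null, which the library turns into a 401.
// The library also checks accessTokenExpiresAt itself; rejecting expired
// rows here as well keeps the model safe to reuse elsewhere.
function getAccessToken(accessToken, now = Date.now()) {
  const row = tokens.get(accessToken)
  if (!row) return null
  if (row.accessTokenExpiresAt.getTime() <= now) return null
  return row
}

// Minimal stand-in for what authenticate() does with the model's answer.
function authenticate(model, authorizationHeader, now = Date.now()) {
  const m = /^Bearer (\S+)$/.exec(authorizationHeader || '')
  if (!m) return { status: 401, error: 'invalid_request' }
  const token = model.getAccessToken(m[1], now)
  if (!token) return { status: 401, error: 'invalid_token' }
  return { status: 200, user: token.user }
}
```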

model issue

I created the models as you did, but when I assign the model to the OAuth model it shows an error (I am developing in TypeScript). When I run your code I am not getting any response after submitting the client credentials and user details.
Here is my code sample:

```ts
// oauthServer and oauthModel are defined/imported elsewhere in the poster's project
export const oauthConfiguration = new oauthServer({
  model: oauthModel, // here I am getting the error when assigning
  accessTokenLifetime: 60 * 60 * 24, // 24 hours, or 1 day
  allowEmptyState: true,
  allowExtendedTokenAttributes: true
});
```

Tests failing

Steps to repro:

  • Clone the repo
  • run npm install
  • run npm test

Wrong error message when invalid request for password grant

When I request an access token with the 'password' grant and requireClientAuthentication set to false, if the 'grant_type' parameter is missing or invalid, I get the following error message:

```json
{
    "error": "invalid_client",
    "error_description": "Invalid client: cannot retrieve client credentials"
}
```

But we should receive the following error messages:

For a missing grant type:

```json
{
    "error": "invalid_request",
    "error_description": "Missing parameter: `grant_type`"
}
```

For an invalid grant type:

```json
{
    "error": "unsupported_grant_type",
    "error_description": "Unsupported grant type: `grant_type` is invalid"
}
```

The cause:
The module calls 'getClientCredentials' before the grant type verification. And during this test

```js
if (!this.isClientAuthenticationRequired(grantType))
```

the isClientAuthenticationRequired function returns true, which implies client verification via client id and client secret.
And as in this case only the 'client_id' is provided, this causes the error 'invalid_client' to be returned.

best regards.
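The ordering the issue asks for, written out as an added example that is not the library's code: a token-endpoint pre-check that verifies grant_type presence, then grant_type support, and only then the client credentials, producing the three error bodies quoted above. The supported-grant list, the checkTokenRequest name and the shape of the requireClientAuthentication option are assumptions for this example.

```javascript
// Added example (not node-oauth2-server's code): validate a token request in
// the order grant_type present -> grant_type supported -> client authenticated.
// Returns null when the request may proceed, otherwise the OAuth error body.
const SUPPORTED_GRANTS = new Set(['authorization_code', 'password', 'refresh_token'])

function checkTokenRequest(body, { requireClientAuthentication = {} } = {}) {
  const grantType = body.grant_type
  if (grantType === undefined || grantType === '') {
    return { error: 'invalid_request', error_description: 'Missing parameter: `grant_type`' }
  }
  if (!SUPPORTED_GRANTS.has(grantType)) {
    return { error: 'unsupported_grant_type', error_description: 'Unsupported grant type: `grant_type` is invalid' }
  }
  // A client secret is required unless explicitly disabled for this grant
  // (assumed per-grant shape of the requireClientAuthentication option);
  // a client_id is always needed to look the client up.
  const needsSecret = requireClientAuthentication[grantType] !== false
  if (!body.client_id || (needsSecret && !body.client_secret)) {
    return { error: 'invalid_client', error_description: 'Invalid client: cannot retrieve client credentials' }
  }
  return null
}
```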
