14gasher / oauth-example
Example of OAuth 2.0 Server
I'm trying to test the demo to understand the flow: the /oauth form submission passes values into the server, but the server process never resolves and the redirect to /oauth/authorize eventually times out. This is the final output of the dev server:
All but 3 of the included tests are also failing due to timeouts or 400s.
Any help would be appreciated!
To better understand how all of this stuff connects together, include sqlite to demonstrate how the db relates. This will allow us to demonstrate bad clients / users.
Authentication is not supported out of the box with the OAuth library.
The flow needs to look like this:
Let's implement this as a middleware looking approximately like this:
```js
const checkIfValid = (req, res, next) => {
  // validUser(): the db check of the submitted credentials, still to be written
  if (validUser(req.body)) return next()
  // otherwise send the user back to the form with the error in the query string
  return res.redirect('/oauth?error=' + encodeURIComponent('invalid credentials'))
}
router.post('/fromAuthForm', checkIfValid, oauthJunk)
```
I solved the bugs in your code according to the latest version. How do I give push requests to your repo?
When creating this server, I had an issue with token creation when calling getAuthorizationCode where my console would say something along the lines of "InvalidRequest: redirect_uri is not a valid URI". I did some digging and found that this is because the request for a token must include the redirect_uri in it, and this is verified by a comment included at node_modules\express-oauth-server\node_modules\oauth2-server\lib\grant-types\authorization-code-grant-type.js on line 126 which reads:
"The authorization server MUST ensure that the redirect_uri parameter is present if the redirect_uri parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical."
To fix this, I made sure that our client sent this by including

```js
const redirecturi = 'http://localhost:3030/client/app'
```

and editing line 39 to be

```js
body: `code=${code}&client_secret=${secret}&client_id=${id}&grant_type=authorization_code&redirect_uri=${redirecturi}`
```
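The rule quoted above (RFC 6749 section 4.1.3) from the token endpoint's side, as an added example that is not code from the oauth-example repo: the client builds the POST body with proper encoding, and the server refuses the exchange unless the redirect_uri bound to the code is repeated exactly. The code store, the code value `abc123` and the request objects are constructed; the client id and redirect URI reuse the values from this issue.

```javascript
// What the server remembered when it issued the code at /oauth/authorize.
// Constructed in memory; a real server would read this from its database.
function makeIssuedCodes() {
  return new Map([
    ['abc123', {
      clientId: 'myClientId',
      redirectUri: 'http://localhost:3030/client/app', // from the /oauth request
      expiresAt: Date.now() + 60 * 1000, // codes are short-lived
      used: false,
    }],
  ]);
}

// Client side: the same fields as the body string in the issue, but encoded
// so a redirect_uri containing ':' or '/' survives the form post intact.
function tokenRequestBody(params) {
  return new URLSearchParams(params).toString();
}

// Server side: returns { ok: true, record } or { ok: false, error, error_description }.
function validateCodeExchange(body, store) {
  const fail = (error, error_description) => ({ ok: false, error, error_description });
  if (body.grant_type !== 'authorization_code') {
    return fail('unsupported_grant_type', 'grant_type must be authorization_code');
  }
  const record = store.get(body.code);
  if (!record || record.used || record.expiresAt <= Date.now()) {
    return fail('invalid_grant', 'authorization code is invalid, used or expired');
  }
  if (record.clientId !== body.client_id) {
    return fail('invalid_grant', 'code was not issued to this client');
  }
  // A redirect_uri was bound to the code, so the token request MUST repeat it
  // and the values must be identical: exact string compare, no prefix matching.
  if (record.redirectUri) {
    if (!body.redirect_uri) return fail('invalid_request', 'Missing parameter: `redirect_uri`');
    if (body.redirect_uri !== record.redirectUri) {
      return fail('invalid_request', 'redirect_uri does not match the authorization request');
    }
  }
  record.used = true; // a code is exchanged at most once
  return { ok: true, record };
}
```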
Just open model.js and on line 111 change the function to:

```js
// model.js needs: const crypto = require('crypto')
generateAuthorizationCode: (client, user, scope, cb) => {
  log({
    title: 'Generate Authorization Code',
    parameters: [
      { name: 'client', value: client },
      { name: 'user', value: user },
    ],
  })
  // 256 random bytes hashed to a 40-character hex string; the hash only
  // formats the value, the unpredictability comes from randomBytes
  const seed = crypto.randomBytes(256)
  const code = crypto
    .createHash('sha1')
    .update(seed)
    .digest('hex')
  cb(null, code)
},
```
Firstly, I just want to say thank you for your hard work and for sharing this with us. It's helped me understand the flow of using authorization codes in node-oauth2-server a lot better than the official documentation.
I was wondering whether you would be open to the idea of adding an example of how to implement an authorization landing page, where the user is prompted to make a decision on whether or not to grant the client's request.
Much appreciated.
Not able to call oauth/token on the redirect URI.
The oauthServer.authenticate() doesn't care about the token at all...
Even if you pass an invalid token, the request will be authorized.
Any thoughts?
Edit:
Found it: the getAccessToken was missing a db check.
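The symptom above traced to its cause, as an added example that is not the repo's model.js: a getAccessToken that builds a token object from whatever string arrives, next to one that looks the token up and returns null when it is unknown or expired, which is what node-oauth2-server's model contract expects. The token table, token strings and ids are constructed; `authenticate()` is a small stand-in for the library's own handler, written here only to show the difference.

```javascript
// In-memory stand-in for the tokens table (constructed sample rows).
function makeTokenTable() {
  return [
    { accessToken: 'tok-good', accessTokenExpiresAt: new Date(Date.now() + 3600e3),
      client: { id: 'myClientId' }, user: { id: 'user1' }, scope: 'read' },
    { accessToken: 'tok-expired', accessTokenExpiresAt: new Date(Date.now() - 1000),
      client: { id: 'myClientId' }, user: { id: 'user1' }, scope: 'read' },
  ];
}

// Shape that causes the bug: a token object is fabricated from the incoming
// string, so the library sees a "valid" token for any bearer value at all.
function getAccessTokenNoCheck(accessToken) {
  return { accessToken, accessTokenExpiresAt: new Date(Date.now() + 3600e3),
           client: { id: 'myClientId' }, user: { id: 'user1' } };
}

// Fixed: look the token up and return null when it is unknown or expired; the
// library turns a falsy result into a 401 invalid_token. Model methods may
// return a value or a Promise; a plain value keeps this example synchronous.
function getAccessToken(accessToken, table = makeTokenTable()) {
  if (typeof accessToken !== 'string' || accessToken.length === 0) return null;
  const row = table.find(t => t.accessToken === accessToken);
  if (!row || row.accessTokenExpiresAt.getTime() <= Date.now()) return null;
  return { ...row }; // copy so a caller cannot mutate the stored row
}

// Stand-in for oauthServer.authenticate(): parse the bearer header, ask the
// model, and return the HTTP status the request would receive.
function authenticate(authorizationHeader, lookup) {
  const m = /^Bearer\s+(\S+)$/.exec(authorizationHeader || '');
  if (!m) return 401;
  const token = lookup(m[1]);
  if (!token || token.accessTokenExpiresAt.getTime() <= Date.now()) return 401;
  return 200;
}
```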
When inspecting the network, the request is pending and does not finish.
I created the models as you created them, but when I am assigning the model to the OAuth model it shows an error (I am developing in TypeScript). When I run your code I am not getting any response after submitting the client credentials and user details.
Here is my code sample:

```ts
export const oauthConfiguration = new oauthServer({
  model: oauthModel, // here I am getting the error when assigning
  accessTokenLifetime: 60 * 60 * 24, // 24 hours, or 1 day
  allowEmptyState: true,
  allowExtendedTokenAttributes: true
});
```
When I run the example and get to
http://localhost:3030/oauth/?grant_type=authorization_code&response_type=code&client_id=myClientId&redirect_uri=http://localhost:3030/client/app&state=myState
and submit with the default username and password, the page hangs forever. There are no errors in the console. Possibly a .next() is missing?
Steps to repro:
```sh
npm install
npm test
```
When I request an access token with the 'password' grant and requireClientAuthentication set to false, if the 'grant_type' parameter is missing or invalid, I get the following error message:
```json
{
  "error": "invalid_client",
  "error_description": "Invalid client: cannot retrieve client credentials"
}
```

But we should receive the following error messages:

For a missing grant type:

```json
{
  "error": "invalid_request",
  "error_description": "Missing parameter: `grant_type`"
}
```

For an invalid grant type:

```json
{
  "error": "unsupported_grant_type",
  "error_description": "Unsupported grant type: `grant_type` is invalid"
}
```
The cause:
The module calls 'getClientCredentials' before grant type verification.
And during this test

```js
if (!this.isClientAuthenticationRequired(grantType))
```

the isClientAuthenticationRequired function returns true, which implies client verification via client id and client secret.
And since in this case only the 'client_id' is provided, this causes the error 'invalid_client' to be returned.
Best regards.
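The check order the report asks for, as an added example that is not oauth2-server's own token handler: grant_type is validated before any client credential is read, so a missing or unknown grant is reported as such instead of as invalid_client. The supported grant list and the client table are constructed, and the requireClientAuthentication argument mirrors the per-grant option from the report.

```javascript
const supportedGrants = new Set(['authorization_code', 'password', 'refresh_token']);

// Constructed client table; the secret value is a placeholder.
function makeClients() {
  return new Map([['myClientId', { secret: 'constructed-secret' }]]);
}

const err = (error, error_description) => ({ error, error_description });

// body: parsed form fields of the POST to /oauth/token.
// requireClientAuthentication: e.g. { password: false } lets a client use the
// password grant with only its client_id, as in the report's configuration.
function checkTokenRequest(body, requireClientAuthentication = {}, clients = makeClients()) {
  // 1. grant_type first: its absence or an unknown value is a request error,
  //    whatever the client sent (or did not send) as credentials.
  if (!body.grant_type) return err('invalid_request', 'Missing parameter: `grant_type`');
  if (!supportedGrants.has(body.grant_type)) {
    return err('unsupported_grant_type', 'Unsupported grant type: `grant_type` is invalid');
  }
  // 2. only now does the grant tell us whether a secret must be present.
  const needsSecret = requireClientAuthentication[body.grant_type] !== false;
  if (!body.client_id) return err('invalid_request', 'Missing parameter: `client_id`');
  if (needsSecret && !body.client_secret) {
    return err('invalid_client', 'Invalid client: cannot retrieve client credentials');
  }
  const client = clients.get(body.client_id);
  // Plain compare for brevity; production code should use a constant-time compare.
  if (!client || (needsSecret && body.client_secret !== client.secret)) {
    return err('invalid_client', 'Invalid client: client is invalid');
  }
  return { ok: true, grant_type: body.grant_type, client_id: body.client_id };
}
```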
In the case of an Authorization Code Flow, how do I handle this:
"Client may provide user data for authentication purposes"
i.e. in authenticateHandler, if the user is not logged in, how would I redirect the user to an account selector / login?
UPDATE
e.g. Auth0 has a concept of "silent authentication" (prompt=none), but the default is to redirect to a login page if need be.