I am designing a web application that is mainly divided into the following two parts
I want to implement OAuth2 for this application. I read through OAuth2 and understood its various flows, and based on my understanding I concluded that the "Resource Owner Password Credentials" flow is the way to go, as the Client and Service both belong to me and the user will also register directly with my application and thus provide a username and password.
I researched a lot around the "Resource Owner Password Credentials" flow, but this flow is very little talked about and documented. I have very little idea, close to ZERO, of how I should implement this flow in my application. I am developing the Website and REST API in Node JS. Please guide me on how I should implement this? Any demos or documentation will be helpful.
Thanks in advance!
You are right. It's very little documented, plus it is often misleadingly explained wrong. Most explanations of that flow do not point out that there are two different situations for that flow.
If you have a SPA or similar open apps, you do NOT want to have the client id or the client secret with the ROPC flow, because everyone could read it. Also, it is not required in the RFC.
Your situation is about 2-legged OAuth without delegation.
Here is a very good article about how to secure the ROPC flow: http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps
Hope that helps; I currently struggle with the same issue.