 

OAuth2 server creation with nodejs

Tags:

node.js

oauth

I'm currently studying REST API security, and it seems that many people are using the OAuth2 and OpenID protocols to manage authentication.

I have tried to implement two OAuth2 servers using:

  • http://passportjs.org/ for the client side and https://github.com/jaredhanson/oauth2orize for the server side

  • https://www.npmjs.org/package/node-oauth2-server

For the first solution, running the examples works correctly, but I need to make something stateless (and in the example the author uses sessions...)

Can you help me create the simplest OAuth2 server possible or, failing that, explain to me how these libraries work as a whole?

Thanks in advance

mfrachet asked Sep 23 '14 09:09


1 Answer

I implemented it using "oauth2-server": "^3.0.0-b2":

var express = require('express');
var bodyParser = require('body-parser'); // required by the app.use(bodyParser...) calls below
var oauthServer = require('oauth2-server');
var Request = oauthServer.Request;
var Response = oauthServer.Response;
var authenticate = require('./components/oauth/authenticate');

var app = express();

// Token requests arrive as application/x-www-form-urlencoded; JSON bodies are accepted too.
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());

// The model is the persistence layer (clients, users, tokens, scopes):
// https://github.com/manjeshpv/node-oauth2-server-implementation/blob/master/components/oauth/models.js
var oauth = new oauthServer({
  model: require('./models.js')
});

// Token endpoint: wrap the Express req/res in the library's Request/Response types.
app.all('/oauth/token', function(req, res, next) {
  var request = new Request(req);
  var response = new Response(res);

  oauth
    .token(request, response)
    .then(function(token) {
      // Todo: remove unnecessary values in response
      return res.json(token);
    }).catch(function(err) {
      // Library errors carry an HTTP status in err.code (e.g. 400/401); fall back to 500.
      return res.status(err.code || 500).json(err);
    });
});

// Authorization endpoint (authorization-code flow).
app.post('/authorise', function(req, res) {
  var request = new Request(req);
  var response = new Response(res);

  return oauth.authorize(request, response).then(function(success) {
    res.json(success);
  }).catch(function(err) {
    res.status(err.code || 500).json(err);
  });
});

// The routes below require a valid bearer token; authenticate() validates it through the model.
app.get('/secure', authenticate(), function(req, res) {
  res.json({ message: 'Secure data' });
});

app.get('/me', authenticate(), function(req, res) {
  res.json({
    me: req.user,
    message: 'Authorization success, Without Scopes, Try accessing /profile with `profile` scope',
    description: 'Try postman https://www.getpostman.com/collections/37afd82600127fbeef28',
    more: 'pass `profile` scope while Authorize'
  });
});

// Same, but the token must also carry the `profile` scope.
app.get('/profile', authenticate({ scope: 'profile' }), function(req, res) {
  res.json({
    profile: req.user
  });
});

app.listen(3000);

To simulate, use Postman: https://www.getpostman.com/collections/37afd82600127fbeef28

MySQL/PostgreSQL/MSSQL compatible: https://github.com/manjeshpv/node-oauth2-server-implementation/blob/master/components/oauth/models.js

MySQL DDL: https://github.com/manjeshpv/node-oauth2-server-implementation/blob/master/sql/oauth_demo.sql

Mongo Dumps: https://github.com/manjeshpv/node-oauth2-server-implementation/tree/master/mongo-dump

Note that they have an issue there: the validateScope function needs to be replaced with:

function validateScope(user, client) {
  return user.scope === client.scope;
}
Manjesh V answered Oct 17 '22 00:10
