oauth2orize with an API?

I'm trying to integrate an oauth2 server with an API and got terribly stuck. In the example, there are 3 different strategies used (local, basic, bearer); is there an explanation for that? How do I create client keys and secrets? Is there a working example of a simple login for users?

Patrick asked Apr 19 '14 18:04


2 Answers

Yes, you are in for a headache :). It's not an easy-to-implement strategy, but here is the full working example with token server and so on:

https://github.com/jaredhanson/oauth2orize

It took me several weeks to wrap my head around it, and what helped a lot was to understand the OAuth2 specs themselves. There are many moving parts, in short as follows:

  1. User contacts the Service provider (i.e. my webmail).
  2. Webmail offers Facebook auth; the user clicks and gets redirected to the FB auth endpoint on fb.com.
  3. FB says, hey, Webmail wants to access your mail, allow? The user says yes, then
  4. FB redirects the user, with an "access token" granted to Webmail, back to the Webmail callback URL.
  5. Webmail gets that access token and uses it to make Webmail-to-FB API calls on behalf of the user.

As you can see, the complication is that there is a need for a Token Server, which you need to provide, to ensure that Webmail is registered with the token server as a "known provider", so that the user can then grant Webmail permission to access FB on their behalf.

On your Webmail side you will not use any of the local/basic/bearer strategies; you will use the passport-oauth2 strategy. Bearer is a valid API strategy, similar to presenting an API key. If you don't need user permission to grant access to an API, I highly recommend you use the passport-http-bearer strategy and you will have no headaches.

I hope it helps.

Biba answered Oct 04 '22 08:10


For future reference, I patched everything together in a small, understandable example. oauth2api

Patrick answered Oct 04 '22 09:10