
passport-facebook-token vs passport-facebook

For social authentication in node.js, I have seen a number of projects using the passport-facebook-token package instead of the default passport-facebook. I am trying (and struggling) to understand the differences and benefits between these two packages - and how to choose one from the other. Any insights appreciated.

arhnee asked Jul 30 '18 11:07




1 Answer

THE ANSWER

After a good bit of reading I believe I have understood (at least the basics), and am sharing here for the benefit of others:

  • passport-facebook uses an OAuth2 — Authorization Code Grant flow
  • passport-facebook-token uses an OAuth2 — Implicit Grant flow

See this great article on oauth flows for details of each of these. Some diagrams of the flows customized for these specific libraries can be found in this SO post.

GENERAL CONFUSION

Something that has become obvious in doing this research is that there is a lot of confusion around authentication best practices. It is not clear to many (maybe most) exactly when each of the different PassportJS strategies (or flows) should be used.

SOME CONCLUSIONS:

  • Authorization Code Grant is more secure than Implicit Flow, as it does not share the third party access token directly with the user-agent (often a web-browser). Despite many articles to the contrary, this will work fine with SPAs as long as the SPA has a "dedicated server-side component", such as a BFF-API (like the nestjs-bff I am trying to build... which is what started this whole line of investigation in the first place).

  • Implicit Grant represents an increased security vulnerability due to exposing the access token directly to the user-agent (often a web-browser). Use cases include SPA apps where there is no server-side component. Recently, industry best practices have been trending away from Implicit Grant and towards Authorization Code Grant, without the client secret, but with PKCE (Proof Key for Code Exchange)... but that is typically recommended for native mobile apps, rather than SPAs.

MY NET TAKE-AWAY:

Use Authorization Code Grant (passport-facebook) over Implicit Grant (passport-facebook-token) if you have any dedicated server-side component to your client.

INVITATION TO CHIME IN!

I hope that helps others who found themselves with the same questions as I had. If anyone sees any errors, omissions, or incorrect assumptions about what I have written, please chime in.

arhnee answered Oct 22 '22 05:10