Using Resource Owner Password in Oauth2orize module

I am developing an app with a mobile client for which I want to deploy oauth2orize as OAuth server and authenticate with the Resource Owner Password way. But I am not able to understand how the flow should be. I searched for lots of examples but could not find one where this is used.

What should the flow be to give a token to the client?

Saransh Mohapatra asked Jun 30 '13 13:06


1 Answer

This came a little late, but I think this post can help someone else. I just spent a week trying to implement this because oauth2orize mixes all the OAuth flows in one file in the samples, so it is difficult to figure out which one to use to obtain the desired result.

To start answering your question, you ask about a resource owner password grant as described here. This should give you a head start on the steps defined by OAuth 2 to exchange a username (or email) and password for a token and optionally a refresh token.

Step 1: The client requests a token from the authorization server using a username and password

Step 2: The authorization server issues a token to the client if the client has valid credentials

So you start by sending a request to an authentication resource in application/x-www-form-urlencoded format containing username, password and grant_type params; optionally you can also use scopes. oauth2orize provides the server.token() function, which generates a middleware to parse this request.

app.post('/token', server.token(), server.errorHandler());

But before this stage you should have the server created and configured. I usually use a different file and use module.exports to pass the middleware back to the app.

authorization.js file

// Create the server
var oauth2orize = require('oauth2orize');
// `db`, `cryptolib`, `util` and `tokens` stand for your own user store,
// password-hash comparison, token generator and token store; require them here.
var server = oauth2orize.createServer();

// Setup the server to exchange a password for a token
server.exchange(oauth2orize.exchange.password(function (client, username, password, scope, done) {
    // Find the user in the database with the requested username or email
    db.users.find({ username: username }).then(function (user) {
        // If there is a match and the passwords are equal
        if (user && cryptolib.compare(password, user.password)) {
            // Generate a token
            var token = util.generatetoken();
            // Save it to whatever persistency you are using
            tokens.save(token, user.id);
            // Return the token
            return done(null,   /* No error */
                        token,  /* The generated token */
                        null,   /* The generated refresh token, none in this case */
                        null    /* Additional properties to be merged with the token and sent in the response */
            );
        } else {
            // Call the `done` callback with false to signal that authentication failed
            return done(null, false);
        }
    }).catch(function (err) {
        // Signal that there was an error processing the request
        return done(err, null);
    });
}));  // closes the exchange callback and the server.exchange() call

// Middlewares to export
module.exports.token = [
    server.token(),
    server.errorHandler()
];

Later, in your app, you write something like this:

var auth = require('./authorization');
app.post('/token', auth.token);

This is a basic example of how you do it. Moreover, you should enable some sort of protection on this endpoint. You could use client credential validation with the passport-oauth2-client-password module. This way the client variable in the oauth2orize.exchange.password function will contain information about the client that is trying to access the resource, enabling an extra security check for your authorization server.

devconcept answered Sep 28 '22 07:09