Hi Friends,
Hope you are all well. This is a response to many of our friends asking me to do a post on Oauth2 authorization method in our nodeJS backend. I am sorry since this took a really long time, but here we go.
First of all this post is heavily inspired by the blog post from Scott K Smith. His is the most read post on Oauth 2 and NodeJs which he wrote a couple of years back.
A screencast of this post:
The complete code for this repo can be found here.
We will be making use of the JWT based authentication system which we have already written.
Please grab a copy of that repo from here.
Now open it up in your favourite code editor and let’s do some reorganising.
Create a new file in the methods directory as auth.js and copy all the code from config/passport.js into it. Then delete the passport.js file.
Open up your server.js file and remove the below line.
|
1 |
require('./config/passport')(passport); |
Okay. Now for a moment forget about all the code and look at the flow of OAuth 2.0
Let’s consider Twitter, Google or any other company using OAuth; the following steps will be common.
Step 1:
You will register your app with their platform (something like developer.twitter.com) and they will provide you with an APP_ID and a secret.
Step 2:
Then you will make a call to their platform from your App (Usually to an URL like /companyname/authorize) along with your App_Id and secret. You will get a bearer token in return.
Step 3:
You will then use this bearer token to make a call to a different URL which would then return an access token. If you receive the access token then you are authorized.
Step 4:
Then you could use this access token to make authorized requests to the API’s without using your username or password anywhere.
So, we’ll need to design our server in such a way that it includes all the above 4 steps.
Okay first of all let’s open up our model directory and create a file called book.js. Open this and add the below code.
|
1 2 3 4 5 6 7 8 9 |
var mongoose = require('mongoose'); var BookSchema = new mongoose.Schema({ name: String, quantity: Number, userId: String }); module.exports = mongoose.model('Book', BookSchema); |
Also open up methods/actions.js and add the below two functions.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
addBook: function(req, res) { var newBook = Book({ name: req.body.name, quantity: req.body.quantity, userId: req.user._id }); newBook.save(function(err, newBook) { if(err) console.log(err); else res.json({ message: 'Book added to the locker!', data: newBook }); }) }, getBooks: function(req, res) { Book.find({ userId: req.user._id }, function(err, books) { if (err) res.send(err); res.json(books); }); } |
Dont forget to add the require() for Book model
|
1 |
var Book = require('../model/book'); |
We have just created provisions using which a user can add a book or view the list of added books.
The code might look a lot similar if you had read Scottksmith’s blog. I used most of his code with a lot of changes too.
Now let’s get into the steps.
First let’s create a model for the client
Create a new file called client.js inside model and add the below code.
|
1 2 3 4 5 6 7 8 9 10 |
var mongoose = require('mongoose'); var ClientSchema = new mongoose.Schema({ name: { type: String, unique: true, required: true }, id: { type: String, required: true }, secret: { type: String, required: true }, userId: { type: String, required: true } }); module.exports = mongoose.model('Client', ClientSchema); |
Okay now that we have model let’s write functions for adding a client and getting the clients.
Open up methods and create a new file called client.js and add the below code.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
var Client = require('../model/client'); exports.postClients = function(req, res) { var client = new Client(); client.name = req.body.name; client.id = req.body.id; client.secret = req.body.secret; client.userId = req.body.userId; client.save(function(err) { if (err) res.send(err); res.json({ message: 'Client added to the locker!', data: client }); }); }; exports.getClients = function(req, res) { Client.find({ userId: req.body.userId }, function(err, clients) { if (err) res.send(err); res.json(clients); }); }; |
Okay. Now before the user tries to add a client, we must first check whether he is authenticated right ?
So let us assume here that the user sends a POST request to create a new client and includes his JWT in that request header. (JWT as in the one which was created when he logged in).
Then the jwt is checked up using the strategy we wrote in auth.js file and then if it’s successful, i.e., the user is present a client is added and a client_id and secret is sent in response.
Now open up auth.js and modify it slightly so that it looks like below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
var JwtStrategy = require('passport-jwt').Strategy; var ExtractJwt = require('passport-jwt').ExtractJwt; var User = require('../model/user'); var config = require('../config/database'); var opts = {}; opts.secretOrKey = config.secret; opts.jwtFromRequest = ExtractJwt.fromAuthHeader(); passport.use(new JwtStrategy(opts, function(jwt_payload, done){ User.find({id: jwt_payload.id}, function(err, user){ if (err) { return done(err, false); } if (user) { return done(null, user); } else { return done(null, false); } }) })); exports.isAuthenticated = passport.authenticate(['jwt'], {session: false}); |
Now we could simply call up auth.isAuthenticated anywhere to check whether the user is authenticated or not. (Provided he sends a request containing the jwt token).
Now open up routes.js inside the routes folder and add the below lines of code.
|
1 2 3 |
router.route('/clients') .post(auth.isAuthenticated, clients.postClients) .get(auth.isAuthenticated, clients.getClients); |
this is for adding the clients.
Okay. Now after the client is added. The app_id and the secret are passed on to the user with which he makes the next request right..?
So, we need to handle that now.
Install oathu2orize npm module using the below command.
|
1 |
npm install oauth2orize --save |
Install passport-http-jwt-bearer too using the below command.
|
1 |
npm install passport-http-jwt-bearer |
Let’s create models which we would be using for the code and the token.
Open up model folder and create a new file called token.js
|
1 2 3 4 5 6 7 8 9 |
var mongoose = require('mongoose'); var TokenSchema = new mongoose.Schema({ value: { type: String, required: true }, userId: { type: String, required: true }, clientId: { type: String, required: true } }); module.exports = mongoose.model('Token', TokenSchema); |
Create another file called code.js and add the below code to it.
|
1 2 3 4 5 6 7 8 9 10 |
var mongoose = require('mongoose'); var CodeSchema = new mongoose.Schema({ value: { type: String, required: true }, redirectUri: { type: String, required: true }, userId: { type: String, required: true }, clientId: { type: String, required: true } }); module.exports = mongoose.model('Code', CodeSchema); |
Now create a new file called oauth2.js in methods folder and add the below code into it.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 |
var oauth2orize = require('oauth2orize') var User = require('../model/user'); var Client = require('../model/client'); var Token = require('../model/token'); var Code = require('../model/code'); var auth = require('./auth.js'); var config = require('../config/database'); var jwt = require('jwt-simple'); var server = oauth2orize.createServer(); // Register serialialization function server.serializeClient(function(client, callback) { return callback(null, client._id); }); // Register deserialization function server.deserializeClient(function(id, callback) { Client.findOne({ _id: id }, function (err, client) { if (err) { return callback(err); } return callback(null, client); }); }); // Register authorization code grant type server.grant(oauth2orize.grant.code(function(client, redirectUri, user, ares, callback) { // Create a new authorization code var code = new Code({ value: uid(16), clientId: client._id, redirectUri: redirectUri, userId: client.userId }); // Save the auth code and check for errors code.save(function(err) { if (err) { return callback(err); } callback(null, code.value); }); })); server.exchange(oauth2orize.exchange.code(function(client, code, redirectUri, callback) { Code.findOne({ value: code }, function (err, authCode) { if (err) { return callback(err); } if (authCode === undefined) { return callback(null, false); } if (client._id.toString() !== authCode.clientId) { return callback(null, false); } if (redirectUri !== authCode.redirectUri) { return callback(null, false); } // Delete auth code now that it has been used authCode.remove(function (err) { if(err) { return callback(err); } // Create a new access token var token = new Token({ value: uid(256), clientId: authCode.clientId, userId: authCode.userId }); // Save the access token and check for errors token.save(function (err) { if (err) { return callback(err); } var enctoken = jwt.encode(token, config.secret); callback(null, enctoken); }); }); }); })); // User authorization endpoint exports.authorization = [ server.authorization(function(clientId, redirectUri, callback) { Client.findOne({ id: clientId }, function (err, client) { if (err) { return callback(err); } return callback(null, client, redirectUri); }); }), function(req, res){ console.log(config.userid); res.render('dialog', { transactionID: req.oauth2.transactionID, user: config.userid, client: req.oauth2.client }); } ] exports.decision = [ server.decision() ] // Application client token exchange endpoint exports.token = [ server.token(), server.errorHandler() ] function uid (len) { var buf = [] , chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' , charlen = chars.length; for (var i = 0; i < len; ++i) { buf.push(chars[getRandomInt(0, charlen - 1)]); } return buf.join(''); }; function getRandomInt(min, max) { return Math.floor(Math.random() * (max - min + 1)) + min; } |
Let’s look at this code in a minute. For now we’ll progress on and finish the code so that we could understand the flow better.
Install passport-http using the below command.
|
1 |
npm install passport-http --save |
Open up auth.js and add the below code so that it looks like below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
var JwtStrategy = require('passport-jwt').Strategy; var ExtractJwt = require('passport-jwt').ExtractJwt; var User = require('../model/user'); var Client = require('../model/client'); var config = require('../config/database'); var Token = require('../model/token'); var JwtBearerStrategy = require('passport-http-jwt-bearer'); var BasicStrategy = require('passport-http').BasicStrategy; var opts = {}; opts.secretOrKey = config.secret; opts.jwtFromRequest = ExtractJwt.fromAuthHeader(); passport.use(new JwtStrategy(opts, function(jwt_payload, done){ User.find({id: jwt_payload.id}, function(err, user){ if (err) { return done(err, false); } if (user) { return done(null, user); } else { return done(null, false); } }) })); passport.use('basic-strategy', new BasicStrategy( function(username, password, callback) { Client.findOne({ id: username }, function (err, client) { if (err) { return callback(err); } // No client found with that id or bad password if (!client || client.secret !== password) { return callback(null, false); } // Success return callback(null, client); }); } )); passport.use(new JwtBearerStrategy( config.secret, function(token, done) { Token.findById(token._id, function (err, user) { if (err) { return done(err); } if (!user) { return done(null, false); } return done(null, user, token); }); } )); exports.isBearerAuthenticated = passport.authenticate('jwt-bearer', {session: false}); exports.isAuthenticated = passport.authenticate('jwt', {session: false}); exports.isClientAuthenticated = passport.authenticate('basic-strategy', { session : false }); |
We have added two more strategies here. But as I said before let’s continue and finish the flow.
Open up routes.js and add new routes. Now routes.js should look like this.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
var express = require('express'); var actions = require('../methods/actions'); var auth = require('../methods/auth'); var clients = require('../methods/client'); var oauth2 = require('../methods/oauth2'); var router = express.Router(); router.post('/authenticate', actions.authenticate); router.post('/adduser', actions.addNew); router.get('/getinfo', actions.getinfo); router.post('/addbook', auth.isBearerAuthenticated, actions.addBook); router.get('/getbooks', auth.isBearerAuthenticated, actions.getBooks); router.route('/clients') .post(auth.isAuthenticated, clients.postClients) .get(auth.isAuthenticated, clients.getClients); router.route('/oauth2/authorize') .get(oauth2.authorization) .post(oauth2.decision); router.route('/oauth2/token') .post(auth.isClientAuthenticated, oauth2.token); module.exports = router; |
Now for oauth2orize module we need sessions., so we will install express-session using the below command.
|
1 |
npm install express-session |
Now open up Β server.js and add the below code so as to include sessions in our app.
|
1 2 3 4 5 6 7 8 |
app.use(session({ secret: 'Super Secret Session Key', saveUninitialized: true, resave: true })); app.set('view engine', 'ejs'); app.use(routes); app.use(passport.initialize()); |
Note that we have also set the view engine to ejs.
Okay. That’s it. Now, remember our steps. Let us say you have added a client and now you want to access the REST Apis. So you send a get request to /oauth/authorize along with the client_ID & redirect_uri (This will usually be added along while you register the client).
So that route invokes oauth2.authorization. Look up oauth2.authroization in your oauth2.js file. You could see that it simply references the Client in the client db using the client_id and then returns a client and tries to call the redirect URL.
Okay; usually apps would ask you permission before allowing the registered client to access Apis right?
For eg., this is what twitter would show when you make REST calls.
]
we need to create a similar interface for our apps too right ?
Once again we will be using code from Scottksmith’s blog.
We will be using ejs template engine for our view. Create a folder called views and create a new file inside it called dialog.ejs and then add the below code in it.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
<!DOCTYPE html> <html> <head> <title>Book Locker</title> </head> <body> <p><b><%= client.name %></b> is requesting <b>full access</b> to your account.</p> <p>Do you approve?</p> <form action="/oauth2/authorize" method="post"> <input name="transaction_id" type="hidden" value="<%= transactionID %>"> <div> <input type="submit" value="Allow" id="allow"> <input type="submit" value="Deny" name="cancel" id="deny"> </div> </form> </body> </html> |
If you notice we are merely ask the user for a confirmation and then a POST request to the ‘/oauth2/authorize’ Url is made.
Now the POST request invokes the oauth2.decision in oauth2.js file.
Now this will trigger the server.decision(). The server.decision() method triggers the server.grant code whose looks as shown below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
// Register authorization code grant type server.grant(oauth2orize.grant.code(function(client, redirectUri, user, ares, callback) { // Create a new authorization code var code = new Code({ value: uid(16), clientId: client._id, redirectUri: redirectUri, userId: client.userId }); // Save the auth code and check for errors code.save(function(err) { if (err) { return callback(err); } callback(null, code.value); }); })); |
If you notice we simply generate a code and then saves it. It also returns the value of the code to the calling app.
Okay. So far so good. Let’s remember the next steps of our app. This code could be exchanged for an access token right.
This is where the ‘/oauth2/token’ endpoint comes in. Send a post request to this endpoint along with your Client ID and secret in the header(base64 encoded) and also send the code which you received from the previous step.
Our basic strategy in passport will check if the client is found using the client_Id. Then the oauth.token function will call the server.exchange function whose code looks like below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
server.exchange(oauth2orize.exchange.code(function(client, code, redirectUri, callback) { Code.findOne({ value: code }, function (err, authCode) { if (err) { return callback(err); } if (authCode === undefined) { return callback(null, false); } if (client._id.toString() !== authCode.clientId) { return callback(null, false); } if (redirectUri !== authCode.redirectUri) { return callback(null, false); } // Delete auth code now that it has been used authCode.remove(function (err) { if(err) { return callback(err); } // Create a new access token var token = new Token({ value: uid(256), clientId: authCode.clientId, userId: authCode.userId }); // Save the access token and check for errors token.save(function (err) { if (err) { return callback(err); } var enctoken = jwt.encode(token, config.secret); callback(null, enctoken); }); }); }); })); |
If you notice you will see that it checks up the code which we saved previously and then generates a new token. This token is saved and then returned.
Note that the token is encoded first into a json web token using our secret.
This is essential since we will be making use of this token to do all our authorized requests. If you look at the JwtBearerStrategy in auth.js
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
passport.use(new JwtBearerStrategy( config.secret, function(token, done) { // console.log(token); Token.findById(token._id, function (err, user) { if (err) { return done(err); } if (!user) { return done(null, false); } // console.log(user); return done(null, user, token); }); } )); |
You can see from the above code that we are first decoding the token using our secret again and then searching for this token using the id and then if it’s present then the token is considered to be valid and the user is authorized to use the resource.
Important things to notice:
- We will never be using our username password anywhere after logging in.
- Multiple request,responses take place and thats where the serialization and deserialization in oauth2.js file are used.
If you feel confused kindly watch my video screen-cast. I believe I have explained it a bit more clearly there. Or read this article once again. You could ask me anytime if you are stuck (use the comments section).
Alternatively you could grab a copy of this repo and try it out using Postman.
In the next part we will be building an Angular 2 app to consume these REST Apis. Since we will actually be using the code we wrote here, your doubts would get cleared and you would get a better understanding of the flow.
If you found this helpful kindly share it with someone else and help them too.
Thanks for reading guys. Peace.. 
