mohd7469 / oauth2orize-examples Goto Github PK

View Code? Open in Web Editor NEW

230.0 6.0 96.0 99 KB

Some oauth examples and implementation.

License: MIT License

JavaScript 95.67% HTML 4.33%

oauth2orize-examples's Introduction

oauth2orize: oauth2 provider example

This example shows a provider which grants tokens in exchange for codes for

The client application
A user of the client application

Install

git clone https://github.com/gerges-beshay/oauth2orize-examples.git
pushd oauth2orize-examples
npm install

Usage

Locally

node app.js

Visit http://localhost:3000/login to see the server running locally.

Serverless

Vercel

Download either Vercel Desktop (preferred) or Vercel CLI.
Create a .vercelignore file in the root of the package (where package.json is located) with the following contents:

node_modules
.eslintrc
LICENSE.md
README.md

Create a vercel.json file in the root of the package with the following contents:

{
  "version": 2,
  "builds": [
    {
      "src": "app.js",
      "use": "@now/node-server"
    }
  ],
  "routes": [
    {
      "src": "/(.*)",
      "dest": "app.js"
    }
  ]
}

Execute vercel in the terminal/console. (If the command is not recognized, you might have to restart your computer.)
Once you see the “Success! Deployment ready” message in the terminal, follow the URL of the deployment provided by the Vercel CLI.

Provider / Consumer Walkthrough

Interacting with this provider directly doesn't showcase it's oauth2 functionality.

Visiting / takes you to a blank page... not too interesting
/login will ask you for credentials.

If you login before an oauth request you are taken directly to permission dialog when that request happens
Otherwise you will be redirected here and then to the permission dialog

/account will allow you to see your user details

In order to demo what this is actually accomplishing you'll need to run a consumer.

See https://github.com/coolaj86/example-oauth2orize-consumer

API

Below is a mapping of the API in the context of a passport-strategy

/dialog/authorize is the authorizationURL.
/oauth/token is the tokenURL
/api/userinfo is a protected resource that requires user permission
/api/clientinfo is a protected resource that requires a token generated from the client's id and secret
Usage of scope is not demonstrated in this example.

The standalone usable resources are

GET / nothing
GET /login lets you login, presented by /dialog/authorize if you haven't logged in
POST /login processes the login
GET /logout lets you logout
GET /account lets your view your user info

And then some internal resources that are of no concern for standalone users or consumers

POST /dialog/authorize/decision, processes the allow / deny

oauth2orize-examples's People

Contributors

Stargazers

Watchers

Forkers

ulbora hardillb 6waner obengwilliam metoin nivek-c94 jpsantosbh spock74 rhod-bateman sbeatz danielkhan championswimmer ranjancse26 bcosma avadhpatel qihong1983 matiass47 andhikamaheva ajuhos ifiok hexopensource lonjoy alexeykhristov virtualadrian harryi3t nagyistoce stonevina felixfrtz nilegfx schutt kangisworking remade kimgenius bradleyfaught rbecheras johnnynode alaptiko lukaslohoff robinbuschmann mantisware tromili jmchza adamhathcock warnero taufiktriantono parse-alex cnahliu formertechie robophil ldevin devburak nmyers322 patrickcollings linhbkhn95 thuraucsy 496268931 calvinturbo fcolangeli chase2981 jordancabral youjoinit joaodavidbrito kumarmanishbit yanick marvinschopf vramaswamy456 luminousxlb adanbae-dev ziponia 2coo lun7 codesanook alienbigking p-vincen-t saphilous andreffelipe sharethis-github chsrinivasanand oliverliutao luanmtx miguelbarro alexpensato albertojalj wflemming jriverox usekeyp pointoboom samepili eshlon imycod africhild signorwaltz dbellogithub ignidis

oauth2orize-examples's Issues

Math.random() is not secure

Consider replacing getUid() with secure-random-string for cryptographically secure random numbers.

It has the option to continue to make them 16 characters log as before if you prefer.

Unable to exchage authorization code for token

Hi,
whenever I make a post request to get token i got 'Unauthorized' as response. please Help!
below is my request:-

url:- http://localhost:3000/oauth/token

request:- {
"grant_type": "authorization_code",
"code": "gZl67viNzaVvJgfx",
"redirect_uri": "http://localhost:3000/account",
"client_id": "abc123",
"state": "12345"
}

bearer strategy with client Id calling wrong function

I accidentally miss saving my user.id, so the clientID is used for BearerStrategy and found this bug.
I think in auth.js line 100
db.clients.findByClientId
should be change with
db.clients.find

Unable to EXchange Access token for auth code

Hi,
I was able to get the auth code but when i call the token api, i get Unauthorised 401 Error,
I am passing these values in the url
http://localhost:3000/oauth/token?grant_type=authorization_code&code=tncHiOrBZRcvjJQ1&redirect_uri=http://localhost:3000/account&client_id=abc123&client_secret=ssh-secret
Please help with his, I am stuck.

Swagger integration

It'd be great if we could have an example working with SwaggerExpress

A path other than root

I am using your example, but want to host it on a path other than /. Is there a property I can set (or other approach) to achieve this simply?

AuthorizationError: Missing required parameter: response_type

I have an error when accessing /dialog/authorize after logged in.

the error message shown below

AuthorizationError: Missing required parameter: response_type at /var/www/html/oauth2orize-examples/node_modules/oauth2orize/lib/middleware/authorization.js:120:46 at pass (/var/www/html/oauth2orize-examples/node_modules/oauth2orize/lib/server.js:295:26) at pass (/var/www/html/oauth2orize-examples/node_modules/oauth2orize/lib/server.js:313:9) at pass (/var/www/html/oauth2orize-examples/node_modules/oauth2orize/lib/server.js:313:9) at Server._parse (/var/www/html/oauth2orize-examples/node_modules/oauth2orize/lib/server.js:318:5) at authorization (/var/www/html/oauth2orize-examples/node_modules/oauth2orize/lib/middleware/authorization.js:118:12) at Layer.handle [as handle_request] (/var/www/html/oauth2orize-examples/node_modules/express/lib/router/layer.js:95:5) at next (/var/www/html/oauth2orize-examples/node_modules/express/lib/router/route.js:137:13) at /var/www/html/oauth2orize-examples/node_modules/connect-ensure-login/lib/ensureLoggedIn.js:50:5 at Layer.handle [as handle_request] (/var/www/html/oauth2orize-examples/node_modules/express/lib/router/layer.js:95:5)

Duplication of 'db.clients.findByClientId()' in example

Hi.

My question is:

Why do we need to check client twice? Isn't it enough to fetch client in passport strategy and then simply use client object which was passed down to oauth2orize clientCredentials exchange handler? Or this duplication is just for demo purposes?

Thank you!

Basic /oauth/token does not work

curl -X POST "http://localhost:3000/oauth/token" -d "grant_type=password&client_id=abc123&client_secret=ssh-secret&username=bob&password=secret"

Error: {"error":"server_error","error_description":"authCode is not defined"}

Update to latest version of Express

Current version of express is 2.x, would be nice to update to latest (4.x)

Authorization Code Replay Vulnerability

The code in the Grant Flow doesn't invalidate the Authorization Code after it's used to successfully issue an access token, so you can reuse the authorization code to issue another access token. It's recommended to have authorization codes expire after some short window and to mark them as used once you've issued a token. The OAuth site goes into more detail about Authorization Codes here.

I'd be happy to make a pull request to expire tokens and remove them after they've been used (or at least invalidate them. Or at a minimum I can make a PR to add some comments to note how it should be done if implemented in a live application.

user.has_token and client.isTrusted

In the oauth2.js, I can see user.has_token and client.isTrusted, but I cannot find those method in the user and client models. Where is these method specified?