
oauth2orize

License: MIT License
Language: JavaScript
Category: Web application development
Type: Open-source software
Submitted by: 后易安
Operating system: Cross-platform

Software overview

OAuth2orize

OAuth2orize is an authorization server toolkit for Node.js. It provides a suite of middleware that, combined with Passport authentication strategies and application-specific route handlers, can be used to assemble a server that implements the OAuth 2.0 protocol.



Install

$ npm install oauth2orize

Usage

OAuth 2.0 defines an authorization framework, allowing an extensible set of authorization grants to be exchanged for access tokens. Implementations are free to choose which grant types to support, using the bundled middleware for the common types or plugins for extension types.

Create an OAuth Server

Call createServer() to create a new OAuth 2.0 server. This instance exposes middleware that will be mounted in routes, as well as configuration options.

var server = oauth2orize.createServer();

Register Grants

A client must obtain permission from a user before it is issued an access token. This permission is known as a grant, the most common type of which is an authorization code.

server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done) {
  // utils.uid and AuthorizationCode are application-provided: a random-string
  // helper (use a CSPRNG, the code must be unguessable) and a persistence model.
  // The code is stored bound to the client, redirect URI, user and approved
  // scope so that the exchange step can verify all four.
  var code = utils.uid(16);

  var ac = new AuthorizationCode(code, client.id, redirectURI, user.id, ares.scope);
  ac.save(function(err) {
    if (err) { return done(err); }
    return done(null, code);
  });
}));

OAuth2orize also bundles support for implicit token grants. The implicit grant hands the access token straight back in the redirect and is no longer recommended; prefer the authorization code grant where the client can use it.

Register Exchanges

After a client has obtained an authorization grant from the user, that grant can be exchanged for an access token.

server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
  // The stored record is named `ac` so it does not shadow the `code` string
  // the client submitted.
  AuthorizationCode.findOne(code, function(err, ac) {
    if (err) { return done(err); }
    if (!ac) { return done(null, false); }
    // The code may only be redeemed by the client it was issued to, with the
    // same redirect URI that was used in the authorization request. It is
    // also single-use: a real store should delete it once it has been redeemed.
    if (client.id !== ac.clientId) { return done(null, false); }
    if (redirectURI !== ac.redirectUri) { return done(null, false); }

    var token = utils.uid(256);
    var at = new AccessToken(token, ac.userId, ac.clientId, ac.scope);
    at.save(function(err) {
      if (err) { return done(err); }
      return done(null, token);
    });
  });
}));

OAuth2orize also bundles support for password and client credential grants. Additionally, bundled refresh token support allows expired access tokens to be renewed.

Implement Authorization Endpoint

When a client requests authorization, it will redirect the user to an authorization endpoint. The server must authenticate the user and obtain their permission.

app.get('/dialog/authorize',
  login.ensureLoggedIn(),
  server.authorize(function(clientID, redirectURI, done) {
    Clients.findOne(clientID, function(err, client) {
      if (err) { return done(err); }
      if (!client) { return done(null, false); }
      // Exact match against the registered redirect URI. The same property
      // (redirectUri) is used for the check and for the value handed back.
      if (client.redirectUri !== redirectURI) { return done(null, false); }
      return done(null, client, client.redirectUri);
    });
  }),
  function(req, res) {
    res.render('dialog', { transactionID: req.oauth2.transactionID,
                           user: req.user, client: req.oauth2.client });
  });

In this example, connect-ensure-login middleware is being used to make sure a user is authenticated before authorization proceeds. At that point, the application renders a dialog asking the user to grant access. The resulting form submission is processed using decision middleware.

app.post('/dialog/authorize/decision',
   login.ensureLoggedIn(),
   server.decision());

Based on the grant type requested by the client, the appropriate grant module registered above will be invoked to issue an authorization code. The decision form must post the transaction ID back (by default the decision middleware reads it from the transaction_id field of the body) so that the pending transaction can be loaded from the session.

Session Serialization

Obtaining the user's authorization involves multiple request/response pairs. During this time, an OAuth 2.0 transaction will be serialized to the session. Client serialization functions are registered to customize this process, which will typically be as simple as serializing the client ID, and finding the client by ID when deserializing.

server.serializeClient(function(client, done) {
  return done(null, client.id);
});

server.deserializeClient(function(id, done) {
  Clients.findOne(id, function(err, client) {
    if (err) { return done(err); }
    return done(null, client);
  });
});

Implement Token Endpoint

Once a user has approved access, the authorization grant can be exchanged by the client for an access token.

app.post('/token',
  passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
  server.token(),
  server.errorHandler());

Passport strategies are used to authenticate the client, in this case using either an HTTP Basic authentication header (as provided by passport-http) or client credentials in the request body (as provided by passport-oauth2-client-password).

Based on the grant type issued to the client, the appropriate exchange module registered above will be invoked to issue an access token. If an error occurs, errorHandler middleware will format an error response.

Implement API Endpoints

Once an access token has been issued, a client will use it to make API requests on behalf of the user.

app.get('/api/userinfo', 
  passport.authenticate('bearer', { session: false }),
  function(req, res) {
    res.json(req.user);
  });

In this example, bearer tokens are issued, which are then authenticated using an HTTP Bearer authentication header (as provided by passport-http-bearer). The handler above returns whatever the bearer strategy attached as req.user, so the strategy's verify callback should hand back a deliberately chosen view of the user rather than the full stored record.

Examples

The project's example server demonstrates how to implement an OAuth service provider, complete with protected API access.

Related Modules

Debugging

oauth2orize uses the debug module. You can enable debugging messages on the console by doing export DEBUG=oauth2orize before running your application. Keep this off in production: the debug output describes individual requests and transactions and will end up in whatever captures the process's stderr.

License

The MIT License

Copyright (c) 2012-2018 Jared Hanson <http://jaredhanson.net/>
