What is the difference between Oauth2 in angular (client-side) and in the node.js (server-side)? and when to implement each one? - node.js

Due to the lack of examples of OAuth2 in Node.js, I can't decide where to implement the OAuth2 service. Also, I want to know what the meaning of provider is in OAuth2, and when to create a new one and when to use a pre-made one like Google.
I tried to implement a provider in the server-side but I didn't know how to test it.
If there are any useful resources I would be happy to take them.

You should use OpenID Connect (Authorization Code Flow + PKCE) in your Angular app. You should validate OAuth 2.0 access tokens in your API. Both of these components should interact with a 3rd party Authorization Server. There is a learning curve and my tutorial + code sample may help you - feel free to post back if you get stuck: https://authguidance.com/2017/09/24/basicspa-overview/

An OAuth2 provider means which service to use to authenticate; e.g. server-side would mean the user creates an account on your server, while Google would mean users sign in to your site with their Google accounts.

Related

OAuth2 server [Node.JS]

Which library can I use to implement OAuth2 authorization and refresh token in NodeJS for Google Smart Home Action? I tried using passport-oauth2 and passport-google-oauth20 but can't get my desired results
The account linking guide indicates the features your OAuth server needs to implement in order to successfully link users of your smart home Action with Google. Mainly, you need to have a server that implements the authorization and token exchange endpoints for the user accounts you maintain.
The libraries you have mentioned seem to assist with implementing client-side authentication of requests based on various identity providers rather than an OAuth server. It seems the developer of Passport also maintains a companion package called OAuth2orize which may be able to help you.
NOTE: I cannot vouch for whether this library will seamlessly integrate with Google Assistant account linking. Simply pointing out the infrastructure required for an OAuth server vs. client.

Consume google contacts api using hapi.js and bell login with offline access

I'm working on a project to connect Google Apps (Contacts, Gmail, etc.) to our own private software.
I'd like to use Hapi.js in order to achieve this, but since I have no expertise in the matter (OAuth, Google, etc) I found it to be quite challenging.
I wonder if it's possible to use Hapi.js and Bell to handle the "ask permission" flow, and once authorized, save the credentials for long-term use.
Also, is it possible to use Bell to handle token refresh and consume api? (like requesting http://www.google.com/m8/feeds/contacts/default/full)
In the documentation for Bell, there's an example for twitter, basically you need to change the provider to Google: https://www.npmjs.com/package/bell
When you request access, you can add the parameter access_type with a value of offline. The server will then also respond with a refresh token that you can use in further requests to the APIs without asking for the user's credentials again.
You won't be able to store the actual user's credentials since it wouldn't be secure.
You can use the Google OAuth playground to learn more about the authentication process, here is the link https://developers.google.com/oauthplayground/
Here you can find more information and examples of using Node.js and the Google APIs
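The offline-access pattern the answer describes, as an added example (not the answer's code and not Bell's): the consent URL that asks Google for a refresh token, a per-user credential store that keeps tokens rather than passwords, and a pure decision function that either returns the cached access token or describes the refresh request to send. The two Google endpoint URLs are Google's documented ones; the client id, secret, user ids and the HTTP step itself are left to the caller, so the logic can be exercised without network access.

```javascript
// Google's documented endpoints; everything else (client values, user ids) is a placeholder.
const GOOGLE_AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';

// Authorization URL for the one-time consent step. access_type=offline is what
// makes Google include a refresh_token in the code exchange response.
function buildOfflineConsentUrl({ clientId, redirectUri, scope, state }) {
  const url = new URL(GOOGLE_AUTH_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  url.searchParams.set('access_type', 'offline');
  url.searchParams.set('prompt', 'consent'); // re-issue a refresh token even if the user consented before
  return url.toString();
}

// What gets persisted per user after the code exchange: tokens, never a password.
// Refresh responses normally omit refresh_token, so the previous one is kept.
function createCredentialStore() {
  const byUser = new Map();
  return {
    save(userId, tokenResponse, now = Date.now()) {
      const previous = byUser.get(userId) || {};
      byUser.set(userId, {
        refreshToken: tokenResponse.refresh_token || previous.refreshToken,
        accessToken: tokenResponse.access_token,
        expiresAt: now + tokenResponse.expires_in * 1000,
      });
    },
    get(userId) { return byUser.get(userId) || null; },
    forget(userId) { byUser.delete(userId); }, // on revocation / invalid_grant
  };
}

// Decide what an API call needs: the cached token, or a refresh request.
// Pure function, so the HTTP step (fetch, axios, Wreck) stays outside it.
function planAccess(creds, { clientId, clientSecret }, now = Date.now(), skewMs = 60 * 1000) {
  if (!creds || !creds.refreshToken) return { action: 'reauthorize' };
  if (creds.accessToken && creds.expiresAt - skewMs > now) {
    return { action: 'use', accessToken: creds.accessToken };
  }
  return {
    action: 'refresh',
    url: GOOGLE_TOKEN_URL,
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: creds.refreshToken,
      client_id: clientId,
      client_secret: clientSecret,
    }).toString(),
  };
}

// Feed the token endpoint's JSON back in. invalid_grant means the refresh
// token was revoked or expired: drop it and send the user through consent again.
function applyRefreshResponse(store, userId, response, now = Date.now()) {
  if (response.error === 'invalid_grant') { store.forget(userId); return false; }
  if (!response.access_token) return false;
  store.save(userId, response, now);
  return true;
}
```

With Bell handling the consent round-trip, the token response it hands to the route handler is what goes into `save`; from then on every Contacts API call starts with `planAccess`, and the app only ever holds tokens it can revoke, which is why the user's actual credentials never need to be stored.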

Should I Use Oauth 2.0 for SAAS Sign In

I am trying to learn and implement the MEAN stack (node, express, mongo, angular) to create a SaaS application I have been working on.
Currently I'm working on the REST API that the frontend will consume. I am having trouble understanding / deciding on an authentication scheme.
I am looking into passport.js to use with the REST API but I feel like maybe I'm confused about its implementation. Everything I read about OAuth 2.0 says it's pretty much the de facto standard for authentication with modern REST APIs; however, most of what I'm reading says you click a button and it asks for authorization, just like a Facebook or Twitter sign-on.
So I'm wondering, is it even necessary to have token based authentication if I just want my users to provide an email and password and sign in.
Can someone explain this at least: If I use Oauth 2.0, do I have to have sign in buttons that initiate some kind of facebook connect looking flow, or can I have a user provide an email and password and use that as a means to obtain the tokens from the oauth server.
SO CONFUSED. haha. I just need to figure out a good, acceptable way besides plain old username / password authentication to secure the api so I can get on with the build. All suggestions and links to applicable tutorials are appreciated. Thanks.

OAuth 2.0 authentication for own mobile client

I am developing an app using node.js which will also have a mobile client. I am looking to make the authentication using OAuth 2.0. Is there any good module which allows me to have an OAuth 2.0 authentication server?
I looked at a subsidiary module of Passport "OAuth2orize". I found it quite good enough, but the real problem was understanding how it will work for my own app (the example and docs specify about third party authorisation).
Basically what I want is that the client logs in with client id, user's username, user's password and thereby I hand him a token after verifying the above 3 things. But the problem with OAuth2orize is that there are redirect URIs and all, which is confusing me a lot.
Please help me know how I can achieve this using OAuth2orize or any other really good module. Or if it's easy enough I can also roll my own, but will that be a good idea regarding security?
What you are looking for is the Resource Owner Password Credentials flow. As you've seen, the examples for oauth2 do not include functionality that supports this flow. In fact the examples only cover the Authorization Code flow.
It should end up being fairly easy to implement. All you need to do is accept a request that contains the information you are looking for (and authorize it) and create a token in your token database and return it. As long as you use the same token database that the rest of oauth2orize is using, it should work just fine. See: Passing Trusted Client Information with oAuth2orize for the "Resource Owner Password Flow" where that is exactly what is suggested.
Correction:
The all-grants example of oauth2orize supports the Implicit flow as well as Authorization Code flow.

User authentication through my REST API and Facebook

I'm a bit confused about how to properly and securely authenticate users using my REST API and provide an option to authenticate using other OAuth 2.0 providers as well (e.g. Facebook, Google, etc.).
Scenario
Users interact with a web application which should consume my REST API. Users should be able to login and perform CRUD operations both using username/password and by using 3rd party services such as Facebook. I will be using SSL to encrypt the traffic to the website and the API.
Without taking the 3rd party login services in consideration and by studying the various questions already asked here on SO, I thought about handling user authentication as in the picture.
Technologies and current idea
The REST API is written using JS using NodeJS and Express. The WebApp provided through another NodeJS instance is mostly AngularJS with templates which consumes the REST API.
My current idea is to let the WebApp handle the login sequence and let Facebook save their token in my DB using the callback. But this solution smells too much of workaround!
Questions
Is the authentication sequence depicted in the image correct?
How is the above authentication sequence compared to the Resource Owner Password Credential flow in OAuth2.0? Is it worth using OAuth2.0 instead of it?
How can I integrate login through 3rd parties (i.e. Facebook)? Any suggestion or (better) example?
References
passport.js RESTful auth
Login with facebook and using oauth 2.0 for authentication of REST api calls
And many others here on SO :)
My 2 cents..
The process looks good to me.. I would re-issue the token on each sign in and also keep it inside a database so tokens can be revoked easily.
Use PassportJS. It's got support for OAuth flows and supports many 3rd party integrations like FB, Twitter, Github etc.. and since it's a Node.js middleware.. its integration will be very tight within your application..
