I am new to Node.js, OAuth.
I am developing a web app using Nodejs. My application is interacting with the third party API to get data. Per documentation of API "All methods in this third party API take OAUTH authentication parameters in request header"(that's it no more details)
I decided to use Passport module of Node.JS to achieve this(http://passportjs.org/guide/oauth/).
My Problem is I am unable to understand how to proceed with this. Let say we have an API method "http://api.travel/getAllLocation" which returns all locations where user can travel.
Can someone pls help here by providing example how to use NodeJS, Passport to get required data from webservice .
[Update]
Have found this answer which is trying to achieve the same thing. But how to achieve the same using Passport
How to send the OAuth request in Node
It sounds to me as if you're trying to use Oauth to access someone else's API correct? If that's the case, you need to interact with the API by doing this:
Requesting an Oauth token given an API key.
Putting that token into your HTTP Authorization header so that the third-party API can identify and authenticate you.
The way you can request an API token (typically) via the command line using cURL is as follows:
$ curl -v --user api_key_id:api_key_secret -X POST https://api.something.com/v1/auth?grant_type=client_credentials
This will typically return some sort of token (hopefully a JSON web token!) that you can then use to identify yourself. Here's an example cURL request that properly specifies a token:
$ curl -v -H "Authorization: Bearer tokenhere" https://api.something.com/v1/blah
Using Node, you can craft these HTTP requests with the https://github.com/request/request library. Again, if you link us to the exact docs, I can help ya further =)
Related
I don't quite understand the workflow of Third-Party Authentication.
I am trying to create an SPA application with back-end on express and front-end on React.
The application should handle webhooks from GitHub API.
I've managed to authenticate the user on my back-end but how do i send the access_token to the front end? (So i can do ajax on front-end).
GitHub allows to send ajax requests with token bearer.
Example:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/user
Do i send the JWT token instead to the front-end via query string? But then what do i do?
You can add an endpoint to your web back end such as GET /token. However, this would need to be protected via an authentication cookie that your web back end issues.
If you are building an SPA then an alternative option (which I prefer) is to be entirely cookieless. This is done via the following steps:
Implement authentication via the oidc-client library
After login the browser will receive an access token and can send it to GitHub
Use Express only to serve web static content
If interested in this approach, have a look at these resources of mine:
SPA and API Code Sample
Blog Post
React SPA Code Sample
I am using this npm to authenticate through Google to the system.
I have Jira atlassian, that uses Google to authenticate.
Question
Is it possible to use the token that I received from Google, and use it to authenticate into Jira's API of that user to gather information from Jira such as grabbing all tasks assigned to me, and such?
Or do I have to make OAuth specify for Jira ?
Of course you can do this, that is the point of delegated authentication.
Google will send you an authentication token when user will logs in.
I never work with google. I always used keyclock (3 part OAuth provider). But that is a beauty of a spec it should work everywhere the same.
It will be save in the cookie.
It will have o form of JWT.
You have to attache is token to the request that you send to the jira API.
You can try this with curl first
curl -i http://dev.myapp.com/api/jira ... \
-H "Authorization: Bearer Ym9zY236Ym9zY28=afsfdsf...."
You can find the token when looking at the network traffic in your browser.
Let me know how it went. And if I can help further. I have a pretty good understanding of the OpenIDconnect and OAuth 2.0 standards.
I am trying to learn robot framework and I am trying to connect my https API using BASIC authentication. Can anyone help me to start with initial setup ?
Attached is the screenshot how Iam currently connecting the REST API.
An example I found on GITHUB looked promising but no idea how to use it in my case. https://github.com/jjwong/RESTinstance_starter_project/blob/master/tests/test_basic_authentication.robot
You might need to add your username and password in headers of your request like
Authorization Basic username:password
Note you need to encode it with base64.
In case of Token based authentication
Authorization Bearer ${jwt_token}
Is there any way to validate my OAuth token for the github API? By 'token' I mean the one I get after the user has logged in to my website. I store it on the client computer using cookies, but just checking if there is a token is not enough: I need to actually check if the token is valid or not. Currently this requires me to make a request for information and then catching the errors. However, this is really damaging my rates and also my load speed as the github API is sloooow... I am using Node.js, express and the octonode library.
I tried looking at the github API docs, but they are minimal. Maybe this is to do with OAuth.
Check headers to see what OAuth scopes you have, and what the API action accepts:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/users/codertocat -I
HTTP/1.1 200 OK
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user
From the Github API docs on authorizations:
OAuth applications can use a special API method for checking OAuth token validity without running afoul of normal rate limits for failed login attempts.
Authentication works differently with this particular endpoint. You must use Basic Authentication when accessing it, where the username is the OAuth application client_id and the password is its client_secret. Invalid tokens will return 404 NOT FOUND.
You can do this with curl:
curl -u client_id:client_secret https://api.github.com/applications/:client_id/tokens/:token
Or, if using fetch, use Curl to Fetch.
This is compiled from the helpful comments on the OP's question.
curl -H "Authorization: <TOKEN>" https://api.github.com/
Or
curl https://api.github.com/ -u <USERNAME>:<TOKEN>
I am creating a node.js webapp to access GettyImages API using 'Client Credentials Flow'
Does passport.js support it? if yes, how can I implement that?
passport is typically used to authenticate users on your web site. If your (web) app is calling an external API (e.g. gettyimages), and it is authenticating itself to such external system, then you probably don't need it (and won't need any framework either). The client credential flow is a simple POST:
This is taken from their docs:
POST https://api.gettyimages.com/oauth2/token HTTP/1.1
Host: api.gettyimages.com
Content-Type: application/x-www-form-urlencoded
client_id=abc123&client_secret=yoursecret&grant_type=client_credentials
Full docs here
The previous answer by #eugenio-pace is 6 years old, and since then a bunch of things have changed.
Regarding access to GettyImages API with client credentials you can either:
Still make a direct API call. This example (though in Python) shows how.
Use a GettyImages client SDK for your language. There are a number of them, but here in gettyimages-api_nodejs client credentials are explained for NodeJS.
Using option 2 above you can continue to work with the API client. If client credentials were obtained by a REST call you can use PassportJS with the passport-oauth2 to build your access logic.
PassportJS comes with many Strategies nowadays and it is worth checking first to see if other alternatives are a better choice for you.
Cool thing is that if you want to build a full OAuth2 provider solution then PassportJS can facilitate you too. Client credentials in that case are provided through the passport-oauth2-client-password strategy (based on oauth2orize) and is demonstrated in this example.
Another popular package to implement an OAuth server besides oauth2orize is oauth2-server.