Does passport.js support 'Client Credentials Flow'? - node.js

I am creating a node.js webapp to access the GettyImages API using the 'Client Credentials Flow'.
Does passport.js support it? If yes, how can I implement that?

passport is typically used to authenticate users on your web site. If your (web) app is calling an external API (e.g. gettyimages), and it is authenticating itself to such an external system, then you probably don't need it (and won't need any framework either). The client credentials flow is a simple POST:
This is taken from their docs:
POST https://api.gettyimages.com/oauth2/token HTTP/1.1
Host: api.gettyimages.com
Content-Type: application/x-www-form-urlencoded
client_id=abc123&client_secret=yoursecret&grant_type=client_credentials
Full docs here
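The POST above, done from Node.js, as an added example (not code from the answer or from the GettyImages documentation). It assumes Node 18 or later for the global fetch and that the endpoint and field names are exactly those in the quoted request; the GETTY_CLIENT_ID and GETTY_CLIENT_SECRET environment variable names are placeholders chosen here.

```javascript
// Added example: the client credentials grant as a plain HTTP POST from Node.
// Assumptions: Node 18+ (global fetch, URLSearchParams); endpoint and field
// names as in the request quoted in the answer; env var names are placeholders.

const TOKEN_URL = 'https://api.gettyimages.com/oauth2/token';

// Build the token request. Credentials go in the form-encoded POST body, never
// in the query string, because query strings end up in proxy and server logs.
function buildTokenRequest(clientId, clientSecret, tokenUrl = TOKEN_URL) {
  if (!clientId || !clientSecret) {
    throw new Error('client_id and client_secret are required');
  }
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret, // URLSearchParams percent-encodes & = + etc.
  });
  return {
    url: tokenUrl,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Validate the JSON token response before trusting it (RFC 6749 section 5.1)
// and turn expires_in into an absolute time so callers can refresh early.
function parseTokenResponse(json, now = Date.now()) {
  if (typeof json !== 'object' || json === null) {
    throw new Error('token response is not an object');
  }
  if (json.error) {
    // The error fields are safe to surface; the secret never is.
    throw new Error(`token endpoint error: ${json.error} ${json.error_description || ''}`.trim());
  }
  if (typeof json.access_token !== 'string' || json.access_token.length === 0) {
    throw new Error('token response lacks access_token');
  }
  if (json.token_type && String(json.token_type).toLowerCase() !== 'bearer') {
    throw new Error(`unsupported token_type: ${json.token_type}`);
  }
  const expiresIn = Number.isFinite(json.expires_in) ? json.expires_in : 3600;
  return { accessToken: json.access_token, expiresAt: now + expiresIn * 1000 };
}

// Fetch a token, cache it in memory and refresh it a minute before expiry.
// Credentials are read from the environment, not from source control.
let cached = null;
async function getAccessToken(fetchImpl = fetch, env = process.env) {
  const skewMs = 60 * 1000;
  if (cached && cached.expiresAt - skewMs > Date.now()) {
    return cached.accessToken;
  }
  const { url, options } = buildTokenRequest(env.GETTY_CLIENT_ID, env.GETTY_CLIENT_SECRET);
  const res = await fetchImpl(url, options);
  const json = await res.json();
  if (!res.ok) {
    throw new Error(`token request failed with HTTP ${res.status}: ${json.error || ''}`.trim());
  }
  cached = parseTokenResponse(json);
  return cached.accessToken;
}
```

The returned access token is then sent as `Authorization: Bearer <token>` on the API calls; only the credentials, never the token cache, need to live in a secret store.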

The previous answer by @eugenio-pace is 6 years old, and since then a bunch of things have changed.
Regarding access to GettyImages API with client credentials you can either:
Still make a direct API call. This example (though in Python) shows how.
Use a GettyImages client SDK for your language. There are a number of them, but here in gettyimages-api_nodejs client credentials are explained for NodeJS.
Using option 2 above, you can continue to work with the API client. If the client credentials were obtained by a REST call, you can use PassportJS with passport-oauth2 to build your access logic.
PassportJS comes with many Strategies nowadays and it is worth checking first to see if other alternatives are a better choice for you.
The cool thing is that if you want to build a full OAuth2 provider solution, then PassportJS can facilitate you too. Client credentials in that case are provided through the passport-oauth2-client-password strategy (based on oauth2orize), and this is demonstrated in this example.
Another popular package to implement an OAuth server besides oauth2orize is oauth2-server.

Related

What is the difference between Oauth2 in angular (client-side) and in the node.js (server-side)? and when to implement each one?

Due to the lack of examples of oauth2 in node.js, I can't decide where to implement the oauth2 service. Also, I want to know what the meaning of provider in oauth2 is, and when to create a new one and when to use a pre-made one like Google.
I tried to implement a provider in the server-side but I didn't know how to test it.
If there are any useful resources I would be happy to take them.
You should use Open Id Connect (Authorization Code Flow + PKCE) in your Angular app. You should validate OAuth 2.0 access tokens in your API. Both of these components should interact with a 3rd party Authorization Server. There is a learning curve and my tutorial + code sample may help you - feel free to post back if you get stuck: https://authguidance.com/2017/09/24/basicspa-overview/
oauth2 provider means which service to use to auth, e.g. server-side will mean the user creates an account on your server, Google would mean users sign in with their Google accounts to your site.

what is the authentication flow for a firebase and mean stack architecture?

I am doing a project with angular as the front end and nodejs as the backend.
The database and authentication mechanisms are managed by firebase cloud.
The problem is I am stuck with the authentication mechanism.
It seems there are a lot of ways we can manage authentication using firebase.
I want my backend to deal with the authentication part, and I am using an email and password ecosystem for authentication.
But it seems that there are 2 npm packages, one for angular firebase and another one for nodejs firebase-admin.
I am in a mess to determine what method to use and how to use it effectively to manage the authentication flow here, due to the overflow of resources.
There seems to be signInWithUserNameAndPassword in firebase and there seems to be signInWithCustomToken in the firebase-admin.
Can anyone show me the right path to go through?
I looked at this answer but I don't know why we need to pass the token back to the client and then pass it to the admin side again for verification?
The client side in my app is a web project.
Is there any mistake on my understanding?
Thank you in advance
You will use the signInWithUserNameAndPassword method. A token will be returned to you which you can store in localStorage, which is security-wise a bad idea but is okay for simple projects for practice. Alternatively, you can use angular-persistence or similar libraries to persist your state. Then, you can authenticate a user by whether his/her token is present in state or not.
firebase-admin doesn't support any user authentication APIs. So you must do your authentication at the client-side using the firebase package, and the signInWithEmailAndPassword() API it provides: https://firebase.google.com/docs/auth/web/password-auth
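The backend half of the flow the question asks about, as an added example that is not from either answer or from Firebase's own code. The browser signs in with the client SDK and receives an ID token; the Node backend never sees the password and only verifies the token on each request. The token verifier is injected so the middleware can run without Firebase; with firebase-admin you would pass `admin.auth().verifyIdToken.bind(admin.auth())`, which resolves to the decoded claims or rejects. The request and response shapes follow Express; the fake verifier used in the test is constructed.

```javascript
// Added example: Express-style middleware that checks a Firebase ID token.
// Assumptions: Express-like req/res; `verifyIdToken(token)` resolves to the
// decoded claims (uid, email, ...) or rejects, as firebase-admin's does.

// Pull the token out of "Authorization: Bearer <token>"; anything else is rejected.
function bearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9\-_.]+)$/.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Middleware factory. The verifier is a parameter so the logic is testable
// offline and the Firebase dependency stays at the composition root.
function requireFirebaseUser(verifyIdToken) {
  return async function (req, res, next) {
    const token = bearerToken(req.headers.authorization);
    if (!token) {
      res.set('WWW-Authenticate', 'Bearer');
      return res.status(401).json({ error: 'missing bearer token' });
    }
    try {
      const claims = await verifyIdToken(token);
      // Expose only what handlers need; never forward the raw token downstream.
      req.user = { uid: claims.uid, email: claims.email || null };
      return next();
    } catch (err) {
      // Expired, revoked, wrong project or tampered: one response for all of
      // them, so a caller learns nothing about which check failed.
      return res.status(401).json({ error: 'invalid token' });
    }
  };
}
```

Wire it as `app.use('/api', requireFirebaseUser(admin.auth().verifyIdToken.bind(admin.auth())))`; the client sends the ID token it got from the sign-in call on every request to /api.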

Authentication strategy for REST API and mobile app

I'm creating a REST API server with Node.js and Express + MongoDB.
This API will have different mobile clients (iOS, Android) and possibly a web app later on.
I need users to login in order to perform some API requests. There are no 3rd party apps I want to connect with (no Facebook, Google etc). I also don't want to force the users to visit a webpage or anything like that in order for them to login.
From what I've seen on my many searches on SO, the best approach would be to let users login with full credentials once, send them a token in return, and use that token to verify future requests until it expires.
However, I'm not sure how to implement this.
I'm very confused with all of the different strategies. Is this done with basic authentication over HTTPS, with OAuth, OAuth 2.0, ... ? I just don't know what to use.
Also, I really don't want to reinvent the wheel here, not because I'm lazy, but mainly because of security concerns. Is there a library I could use to implement this? I've heard of Passport, but I couldn't understand if this is doable or not. This sounds like such a generic thing I'm sure there's a simple solution out there.
Thanks!
Now you can use Passport.js with JWT (JSON Web Tokens) with Passport-JWT. It's pretty easy to use.
Once a user is logged in, you send a token to the user. The token contains data about the user, like an id (encoded, of course). On the subsequent requests (at least where authentication is required) you make sure that the client sends the token. On the server, you can see who sent the request (and e.g. check the user's authorization) just by looking at the token. For more info on how JWTs work, check this out.
There are different ways to send the token. Just have a look at the docs and it'll be clear. If not, this also helped me.
I feel you need to setup a Token Based Authentication process in your server, so you can make requests from different types of clients (Android, iOS, Web, etc.). Unfortunately, Passport documentation (and Passport-based tutorials) seems to be aimed for "web applications" only, so I do not think you should be using it for those purposes.
I did something similar following this great tutorial: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543
The client part in this tutorial is based on AngularJS, but you can easily apply the same principles in a mobile client (it is just a matter of making HTTP requests including a token retrieved when you post to "/signin" or "/authenticate").
Good luck!
There is an example of RESTful service with oauth2 authentication: https://github.com/vedi/restifizer-example. I hope it will help.

OAuth 2.0 authentication for own mobile client

I am developing an app using node.js which will also have a mobile client. I am looking to make the authentication using OAuth 2.0. Is there any good module which allows me to have an OAuth 2.0 authentication server?
I looked at a subsidiary module of Passport, "OAuth2orize". I found it quite good enough, but the real problem was understanding how it will work for my own app (the example and docs specify about third-party authorisation).
Basically what I want is that the client logs in with client id, user's username, user's password and thereby I hand him a token after verifying the above 3 things. But the problem with OAuth2orize is that there are redirect URIs and all, which is confusing me a lot.
Please help me know how I can achieve this using OAuth2orize or any other really good module. Or if it's easy enough I can also roll my own, but will that be a good idea regarding security?
What you are looking for is the Resource Owner Password Credentials flow. As you've seen, the examples for oauth2 do not include functionality that supports this flow. In fact the examples only cover the Authorization Code flow.
It should end up being fairly easy to implement. All you need to do is accept a request that contains the information you are looking for (and authorize it) and create a token in your token database and return it. As long as you use the same token database that the rest of oauth2orize is using, it should work just fine. See: Passing Trusted Client Information with oAuth2orize for the "Resource Owner Password Flow" where that is exactly what is suggested.
Correction:
The all-grants example of oauth2orize supports the Implicit flow as well as Authorization Code flow.

NodeJS actually using OAuth (Twitter)

I am using node (8.14.0) and want to access the Twitter REST API v1.1.
I tried node-oauth so far and simple https, but none of them worked further than "login with twitter".
I don't just want to authenticate users (aka sign in with twitter), I want to perform actions on the API with their access.
My problem is, I have not found a single example for node describing the actual process of retrieving the needed access/request tokens from the user and performing the API call with them.
All node-oauth examples "assume that you already have access token and access whatever". Well I do not have them, and I do not know how to get them, since I find no concrete example or documentation. Only a reference to a reference.
As far as I know, the OAuth libraries are for authenticating or authorizing.
During the authentication you get back the access token and refresh token from the platform.
These tokens you have to save in your session or database.
After that you can use it in combination with other libraries.
I suggest to have a look at passport or everyauth for user authentication. They both support oauth.
in addition:
Google has a pretty good documentation about OAuth in general. I think this schema can be applied to other platforms too.
https://developers.google.com/accounts/docs/OAuth2?hl=en
