oauth2orize | OAuth 2.0 authorization server toolkit for Node.js | OAuth library
kandi X-RAY | oauth2orize Summary
OAuth2orize is an authorization server toolkit for Node.js. It provides a suite of middleware that, combined with Passport authentication strategies and application-specific route handlers, can be used to assemble a server that implements the OAuth 2.0 protocol.
Community Discussions
Trending Discussions on oauth2orize
QUESTION
After I tried to connect my user account, which is stored in a MongoDB database, with Alexa's account linking function, the confirmation page says that "We were unable to link * at this time".
The OAuth2 server I run is made up from this tutorial: Building a RESTful API With Node — OAuth2 Server
The whole authentication flow is working properly and even an access token (called value) is stored in my database.
I think that this is the most important code block, since everything works till here, I think.
server.exchange
ANSWER
Answered 2019-Mar-10 at 21:33
Update: Bit funny, but all Amazon/Alexa needed was just the value inside my token object. So callback(null, token); became callback(null, token.value);.
QUESTION
I am running the node-red module of nodejs with docker-compose in the following way:
ANSWER
Answered 2018-May-04 at 11:14
As mentioned in a comment by hardlib, it was actually the issue of DNS lookup and as per the link, I was able to solve the same issue. Thus, reiterating those steps to avoid further confusion:
1) Find the DNS pertaining to your system:
QUESTION
I'm trying to implement an OAUTH2 server in nodeJS, which allows a client app to log in users using my website (like login with Google; in my case it is Amazon Alexa, which consumes this API/client app).
I tried using oauth2orize (https://www.npmjs.com/package/oauth2orize) and referred to a few links:
- https://hnryjms.io/2014/07/oauth2/
- http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/
but still I'm not able to understand how the methods are getting invoked and how exactly I should implement the flow.
So if anyone could explain how to implement that would be helpful.
Thanks in Advance.
ANSWER
Answered 2018-Jan-02 at 10:19
This diagram is from a udemy tutorial I took when I was learning React. (https://www.udemy.com/node-with-react-fullstack-web-development/).
I am not sure if this diagram refers to the flow you were talking about so let me know if this is the case.
QUESTION
So I'm trying to implement the OAuth 2 flow, while my webapp is the server that gives away the authorization code/access token.
A CORS error happens when sending the code back to the third-party website (Zapier in this case):
XMLHttpRequest cannot load https://zapier.com/dashboard/auth/oauth/return/App505CLIAPI/?code=somecode&state=somestate. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myurl' is therefore not allowed access.
If I manually open a new tab and paste that Zapier URI, everything works perfectly.
Seems like a typical CORS issue, but none of the popular solutions work for me:
- Add Access-Control-Allow-Origin: I'm using this oauth2orize library, and sending the response to the preflight seems also to be part of the library. So I cannot add the header.
- Using cors: Have tried app.use(cors()) and app.options('*', cors()) which should apply to all routes, but simply not working.
My webapp sits on a node express server, in front of which there's an nginx proxy server.
Any idea where the problem might be is appreciated.
ANSWER
Answered 2017-Jun-08 at 03:24
The issue that error message indicates isn't caused by the app code running at https://myurl/. Instead it's just that https://zapier.com/dashboard/auth/… doesn't seem to support CORS.
Specifically, the response from that https://zapier.com/dashboard/auth/… URL doesn't include the Access-Control-Allow-Origin response header, so your browser won't let your frontend JavaScript code access the response.
It seems like that is all intentional on the part of Zapier—they don't intend for that auth endpoint to be accessed from frontend AJAX/XHR/Fetch code running in a browser. Instead I guess it's intended that you only access that auth endpoint from your backend code. Or something.
Anyway there is no way from your side that you can fix the fact that the response from that Zapier API endpoint doesn't include Access-Control-Allow-Origin.
And as long as it doesn't include Access-Control-Allow-Origin, your browser will continue blocking your frontend code from being able to get to the response—and there's no way to get your browser to behave otherwise as long as your frontend code is trying to hit that API endpoint directly.
So the only solution is to not hit that API endpoint directly from your frontend code but to instead either set up a proxy and change your frontend code to make the request through that, or else just handle it in some other way in your existing backend code, as mentioned above.
The answer at "No 'Access-Control-Allow-Origin' header is present on the requested resource" gives some details on how you can set up a special CORS proxy, if you want to go that route.
QUESTION
I'm pretty new to OAuth 2.0 and OpenID Connect and I have trouble understanding some parts of the flow (or what best practices I should use)...
Sorry for the lengthy post :)
My Setup:
- An OP (OpenID Provider) that is basically an express server that uses oauth2orize-openid and passport to authenticate and authorize users. Let's call it http://authserver.com
- A Single page application (react+webpack) that needs to authenticate users against my OP. Let's call it http://my-spa.com
Since it's an SPA (statically served by webpack) I have to use Implicit Flow.
Once the user navigates to http://my-spa.com, the application is loaded, then it checks against the localStorage whether an id_token exists.
No id_token in localStorage on load:
- Since there's no token, I redirect to http://authserver.com/dialog/authorize with response_type=id_token and scope=openid profile
- Once the user successfully authenticated and authorized, authserver redirects back to my-spa with the id_token in the URI Fragment
- I store the id_token in the localStorage and the user can start using the app.
There's an id_token in localStorage on load:
The user closed the browser and opened it again. This is where I'm having trouble understanding what to do. Since there's already a token (from the previous login), I need to check if it's valid.
What are the best practices to do so? Here's what I'm thinking would be correct:
- Redirecting to http://authserver.com/dialog/authorize using prompt=none and id_token_hint=CURRENT_TOKEN
- once the OP receives this request, it should verify the JWT signature, try to auto-approve the user and redirect back with a new JWT.
Let's say a logged-in user has its JWT expired, when should it ask for a new one? What should trigger the renewal?
What are the /tokeninfo or /userinfo for?
From my understanding, JWT stores all the data required to identify a user. However I've seen examples calling /tokeninfo or /userinfo.
If I already have the sub id, are these endpoints just for verifying the token (assuming I need nothing but the subject's id)?
Beside the OP, should my-spa verify the JWT signature (with a public key perhaps)?
If I have another web service API, call it http://my-service.com/api, which needs to know which user invoked it from my SPA, these are the steps I believe I need to perform:
- Add the id_token as a Bearer token to each ajax request
- my-service.com should validate the JWT signature (with a public key?) and decide whether to allow or deny access to the protected resource
Any help will be appreciated!
ANSWER
Answered 2017-Jan-07 at 07:51
Your question is big, I will try to answer all the phrases marked with ? in a generic way (without taking into account the specific frameworks you are using).
there's an id_token in localStorage on load. The user closed the browser and opened it again. What are the best practices to do so?
You can choose between being optimistic and continuing to use the token, or pessimistic and requesting a new one.
Continue using the token if the expiration time is long enough. I assume that the token is verified in each request, so if the token is invalid you will receive a 401 and you can request a new one.
Request a new token if the expiration is short or you want to require a new user authentication when the browser opens your application. If you want to check if the JWT is still valid, redirections with an auth server are not user-friendly for a SPA. I suggest performing an AJAX call to validate and request a new token.
token gets expired after some time
This is the first case I explained above. You can prevent it by issuing a new token on each request, or after fixed periods of time, i.e. 1 hour.
what are the /tokeninfo or /userinfo for?
I do not know these services, but their meaning can be deduced. JWT is signed, so you can trust the data contained (while the signature remains valid).
JWT signature verification, Beside the OP, should my-spa verify the JWT signature (with a public key perhaps)?
You must verify the signature for each request. If you use a symmetric key (i.e. HMAC) the JWT is signed and verified with the same key. With asymmetric keys (RSA), the JWT is signed with the private key and verified with the public key.
re-using this token to access a REST API of a third service
Add the id_token as a Bearer token to each ajax request,
Correct, usually using an Authorization header.
my-service.com should validate the JWT signature (with a public key?) and decide whether to allow or deny access to the protected resource
Of course, any service using the JWT must validate the signature. An external service does not own the private key, so in this case it is required to use an asymmetric key. You need to publish the public key so the external service can verify the token.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported