node-oauth2-server's People

Contributors

anklos, artemabalmasov, chadkouse, chainlink, dependabot-preview[bot], dependabot[bot], fabianfett, jokesterfr, lfk, lucknerjb, markstos, maxtruxa, mjsalinger, nemtsov, nkzawa, nunofgs, omkarkhair, pritilender, razvanz, renovate-bot, robertjustjones, robinjmurphy, stanzhai, tbassetto, thomasdashney, thomseddon, towynlin, valera-rozuvan, visvk, wehriam

node-oauth2-server's Issues

How to disable OAuth 2.0 in a dev environment?

Hi Thom,

I used node-oauth2-server v1.0 and I was able to disable OAuth 2.0 with a simple condition to set up a dev environment:

if (config.oauth.enabled) {
    app.use(oauth.handler());
    app.use(oauth.errorHandler());
    console.log ('Oauth 2.0 is enabled');
};

How could I recreate this behavior with node-oauth2-server v2.X ?

Cheers !
Alex

Allowed requests are randomly prohibited

I use the 'allow' option to pass certain URLs without authentication:

var oauth = oauthserver({
    model: require('./src/oauth-model'),
    grants: ['password'],
    allow: ['/candidate/[0-9a-f]+/avatar', '/application/[0-9a-f]+/avatar'],
    debug: true,
    accessTokenLifetime: null,  // non-expiring tokens
    passthroughErrors: false
});

And on the servers I randomly receive a 400 error saying that the access token has not been found.

It is the same URL, called continuously. I even tried cURL to make sure the browser is not the issue:

GET /application/528ca668e4b0f801e/avatar 200 30ms
GET /application/528ca668e4b0f801e/avatar 200 30ms
{ code: 400,
  error: 'invalid_request',
  error_description: 'The access token was not found',
  stack: undefined }
{ code: 400,
  error: 'invalid_request',
  error_description: 'The access token was not found',
  stack: undefined }
GET /application/528ca668e4b0f801e/avatar 400 1ms - 104b
GET /application/528ca668e4b0f801e/avatar 400 1ms - 104b
GET /application/528ca668e4b0f801e/avatar 200 32ms
GET /application/528ca668e4b0f801e/avatar 200 32ms
{ code: 400,
  error: 'invalid_request',
  error_description: 'The access token was not found',
  stack: undefined }
{ code: 400,
  error: 'invalid_request',
  error_description: 'The access token was not found',
  stack: undefined }
GET /application/528ca668e4b0f801e/avatar 400 1ms - 104b
GET /application/528ca668e4b0f801e/avatar 400 1ms - 104b
GET /application/528ca668e4b0f801e/avatar 200 26ms
GET /application/528ca668e4b0f801e/avatar 200 26ms

I use version 1.5.3 - can you give some clue what may possibly be wrong?

extendedGrant errors out after model.grantTypeAllowed is called

I have tried to follow the flow of the authentication process and it seems that once the "model.grantTypeAllowed" function is called, the OAuth server returns the following as a response:

$ http -f -v --auth test:test POST http://localhost:3000/oauth/token grant_type=client_credentials
POST /oauth/token HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, compress
Authorization: Basic dGVzdDp0ZXN0
Content-Length: 29
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: localhost:3000
User-Agent: HTTPie/0.6.0

grant_type=client_credentials

HTTP/1.1 400 Bad Request
Connection: keep-alive
Content-Length: 123
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Feb 2014 09:43:32 GMT
X-Powered-By: Express

{
    "code": 400, 
    "error": "invalid_request", 
    "error_description": "Invalid grant_type parameter or parameter missing"
}

This is the code for the model.grantTypeAllowed:

var authorizedClientIds = ['test', 'def2'];
model.grantTypeAllowed = function (clientId, grantType, callback) {
  console.log(5);
  if (grantType === 'password' || grantType === 'client_credentials') {
    return callback(false, authorizedClientIds.indexOf(clientId.toLowerCase()) >= 0);
  }

  callback(false, true);
};

The code in the grantTypeAllowed function is straight from the example and is set up the way it is now for testing purposes. Just an FYI.

And here is the code for the oauth server:

app.configure(function() {
  app.oauth = oauthserver({
    model: require('./model'),
    grants: ['client_credentials'],
    debug: true
  });
  app.use(express.bodyParser()); // REQUIRED
});

app.all('/oauth/token', app.oauth.grant());

Any ideas on why oauth would return that json response?

Trouble migrating from 1.5 to 2.0

I have created a couple of custom middlewares, one is enriching request with data about currently logged in user. Order in main .js script is as follows:

var app = express();

// ...
//Create OAuth2
var oauth = oauthserver({...});

// ...
app.use(express.bodyParser());
app.use(express.methodOverride());

// ... enable OAuth
app.all('/oauth/token', oauth.grant());
// ...
app.use(require('./src/middleware/userinfo').userInfo);
app.use(require('./src/middleware/tracking'));
// ...
app.use(app.router);
// ... routes go here
require('./src/routes/ping')(app);

Now the app is able to obtain an access token, but it fails on any requests because none of my middlewares were executed (I added log statements to check this).

If I move app.all('/oauth/token', oauth.grant()); below where the middlewares are defined, I get HTTP 400 - access token is invalid.

I see configuration changed a little in 2.x and I would appreciate any hint.

What is the role of redirect_uri in the implementation of refresh_token OAuth?

I read the provided documentation for node-oauth2-server. I am trying to run this example. I set up all the things:

var express = require('express'),
    oauthserver = require('node-oauth2-server');

var app = express();
app.configure(function() {
  var oauth = oauthserver({
    model: require('./model'), // See below for specification
    grants: ['refresh_token'],
    allow: ['/path1'],
    debug: true
  });
  app.use(express.bodyParser()); // REQUIRED
  app.use(oauth.handler());
  app.use(oauth.errorHandler());
});

app.listen(3000);

Now I get the concept of the model object for password. For getting a refresh_token, what do I do? For example, in Google OAuth, first we get a code parameter on the redirect URI, then we make a call to the token URL. How do I implement refresh_token OAuth? No role is mentioned for redirect_uri, but it is required for 3-legged OAuth. Please explain the implementation: to which URL does the user have to be directed for login?

Any ETA on version 3.0?

We're considering a deployment in a couple of weeks and wondered if we should be waiting. Is it going to be painful to migrate to 3.0?

Invalid arguments in model.js (MongoDB example)

At lines 90 and 115 in examples/mongodb/model.js:
now: function (token, clientId, userId, expires, callback)
must be: function (token, clientId, expires, userId, callback)
And also inside the methods userId is not an ID, it's the user object.
So maybe change the argument userId to user.

Alternative Node package comparison

Anyone any opinion on node-oauth2-server vs oauth2orize for implementing a Node OAuth2 identity provider?

I'm after a full provider IE something that provides a method to do full user account management..

Thanks :)

Using method DELETE and OAuth error

Hi

I was trying to use the DELETE method on my API project but your OAuth module blocked the request with this error: When putting the token in the body, the method must be POST.

Examples

Would make it a lot easier to approach

null clientSecret question

Hello,

I'm a little new to OAuth2. I'm not 100% clear on how to pass in a null clientSecret.

I noticed under getClient (clientId, clientSecret, callback) I can pass in string|null for clientSecret.

However, I keep seeing this error "Missing client_secret parameter" when I try posting with this body:
"grant_type=password&username=johndoe&password=A3ddj3w&client_id=spa"

I noticed this is from this line master/lib/grant.js:88

I'm not sure exactly how to pass in a null client_secret. Can you kindly assist?

When error occurs, return `message` and `developerMessage` instead of `errorDescription`.

There are various beliefs on how to design APIs and how to handle errors. Some of the best advice that I know is given by Les Hazlewood in REST+JSON API Design - Best Practices for Developers [Youtube], where he suggests outputting the response consistently with the following properties:

  1. status: a numeric value of the HTTP status code which should be returned in every response.
  2. error: an ASCII error code if any.
  3. message: an end-user friendly message which should be displayed to a user directly.
  4. developerMessage: a more technical error message designed for application developers.

As of [email protected], the following error is returned when the access token is missing.

{
  "code": 400,
  "error": "invalid_request",
  "error_description": "The access token was not found"
}

Considering the above suggestions, here is how it would look when an error occurred.

{
  "status": 400,
  "error": "invalid_request",
  "message": "The application you are trying to use seems to be configured incorrectly. Please contact the application developers.",
  "developerMessage": "The access token was not found."
}

It would be awesome if you considered this change. If necessary, I can send a PR.

Throw 401 when trying to access a protected resource.

Hey,

I know it's not the place, but first, thanks,
Although the key feature of OAuth is the authorization grant, I still chose to use this module because it's the first clean and well-tested OAuth server for node 👍

Back to the reason I opened an issue: authorise.js produces an invalid_request for a missing token and invalid_grant when a token is invalid.

I think this should be improved a bit in a way where:

missing token should cause 'missing_token', and invalid token should cause 'invalid_token', both cases, when accessing a protected resource should respond with error 401, otherwise it's really hard to determine in the client side whether the request was malformed or just a valid call of unauthorized request.

Thanks
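As an added example (not code from node-oauth2-server or from this issue's author), here is a resource-server check that separates the cases the request above is about, using the names RFC 6750 section 3.1 defines rather than the `missing_token` code proposed: no credentials at all gets a 401 with a bare `WWW-Authenticate: Bearer` challenge and no error code, an unknown or expired token gets 401 `invalid_token`, and a malformed request (token sent in two places, or in a body that is not a form POST, which is the rule behind the DELETE issue earlier on this page) gets 400 `invalid_request`. The token store, the realm name and the plain request object shape are constructed for the example.

```javascript
// Added example, not node-oauth2-server code. Requests are plain objects of
// the form { method, headers, body, query } (an assumption for the example).

// Constructed token store (assumption): token string -> { user, expires in ms }
const TOKENS = new Map([
  ['tok-valid', { user: { id: 'u1' }, expires: Date.now() + 3600 * 1000 }],
  ['tok-expired', { user: { id: 'u2' }, expires: Date.now() - 1000 }],
]);

const REALM = 'api'; // assumed realm name

// Build a 401/400 answer. When no credentials were sent at all, the
// challenge carries no error code (RFC 6750 section 3.1).
function challenge(status, error, description) {
  let header = 'Bearer realm="' + REALM + '"';
  if (error) {
    header += ', error="' + error + '"';
    if (description) header += ', error_description="' + description + '"';
  }
  return {
    status: status,
    headers: { 'WWW-Authenticate': header },
    body: error ? { error: error, error_description: description } : null,
  };
}

// Locate the token. A client may use exactly one of: the Authorization
// header, a form body field (only on a POST with a form content type), or
// the query string. Anything else is a malformed request, not a bad token.
function extractToken(req) {
  const headers = req.headers || {};
  const found = [];
  if (headers.authorization) {
    const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization);
    if (!m) return { problem: 'unsupported_scheme' };
    found.push(m[1]);
  }
  if (req.body && req.body.access_token !== undefined) {
    const ct = headers['content-type'] || '';
    if (req.method !== 'POST' || !ct.startsWith('application/x-www-form-urlencoded')) {
      return { problem: 'body_token_requires_form_post' };
    }
    found.push(req.body.access_token);
  }
  if (req.query && req.query.access_token !== undefined) {
    found.push(req.query.access_token);
  }
  if (found.length > 1) return { problem: 'token_in_more_than_one_place' };
  return { token: found.length ? found[0] : null };
}

// The check a protected route runs; returns what the route should answer
function authorise(req, now) {
  const ex = extractToken(req);
  // An unsupported scheme counts as "no usable credentials": 401, no error code
  if (ex.problem === 'unsupported_scheme') return challenge(401, null, null);
  if (ex.problem) return challenge(400, 'invalid_request', ex.problem);
  if (ex.token === null) return challenge(401, null, null);
  const rec = TOKENS.get(ex.token);
  if (!rec) return challenge(401, 'invalid_token', 'The access token is invalid');
  if (rec.expires !== null && rec.expires < now) {
    return challenge(401, 'invalid_token', 'The access token expired');
  }
  return { status: 200, user: rec.user };
}
```

The point for a client is that it can branch on the status alone: 401 means "get (new) credentials", 400 means "fix the request", and the `error` attribute in `WWW-Authenticate` says which of the two 401 cases it was.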

Any way for a custom error message?

I have two doubts:

  1. I got the point of implementing all the functions, but where are the functions getAccessToken and getRefreshToken utilized or called? I get the point from your comment "How to implement".
  2. Whenever I pass an error in any function like

model.saveAccessToken = function (accessToken, clientId, userId, expires, callback) {
  callback({'error': 'invalid response'}, false);
};

then it will give the response

{
  code: 503,
  error: "server_error",
  error_description: "server_error"
}

If there is any custom mistake or error, then can I change this response to something else manually? Can I customize the error message using this library?

How to issue a refresh token?

How can the refresh token be created?

Or what is the URL to issue a refresh token?

Or anything about it ... please help

Be more lax about data stored in access token

Currently, lib/grant.useAuthCodeGrant enforces a constraint on "user" data that it has an id parameter. Why? It seems unseemly to even pass around an object called user. I'd rather that I could just attach any data I want to the access token.

As I understand it, the purpose of the user object is to be put onto an incoming HTTP request by lib/authorise.checkToken (i.e. using authorise as middleware in a route). I would rather that this be a fallback behavior, and that I could, instead, explicitly define what data gets populated on my request object (as part of the model).

Let me know how you feel about this. I will be happy to send a pull request, if desired.

test.js in root folder does not work

In an empty project folder:
$ npm install

[email protected] node_modules/supertest
├── [email protected]
└── [email protected] ([email protected], [email protected], [email protected], [email protected], [email protected], [email protected])

[email protected] node_modules/mocha
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
└── [email protected] ([email protected])

[email protected] node_modules/express
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected] ([email protected])
└── [email protected] ([email protected], [email protected], [email protected], [email protected], [email protected])


$ node test.js

Error: .post() requires callback functions but got a [object Undefined]

grant.js useRefreshTokenGrant

grant.js line 249

refreshToken.clientId does not exist. Should we correct it to refreshToken.client_id, or are we missing something?

thank you

if (!refreshToken || refreshToken.client_id !== self.client.clientId) {         
  return done(error('invalid_grant', 'Invalid refresh token'));
} else if (refreshToken.expires !== null &&
    refreshToken.expires < self.now) {
  return done(error('invalid_grant', 'Refresh token has expired'));
}

if (!refreshToken.user_id) {
  return done(error('server_error', false,
    'No user/userId parameter returned from getRefreshToken'));
}

self.user = refreshToken.user_id || { id: refreshToken.userId };

if (self.model.revokeRefreshToken) {
  return self.model.revokeRefreshToken(token, function (err) {
    if (err) return done(error('server_error', false, err));
    done();
  });
}

done();

});
}

What is "client"?

On getClient() one is expected to return a "client" but the README doesn't talk about it.
What should a client have?

500 Internal Server Error

I am receiving a 500 Internal Server Error every time authentication fails, with an incorrectly formatted JSON in the body of the response. The keys should have single quotes around them and the status in the header should be set correctly.

{
  code: 400,
  error: 'invalid_grant',
  error_description: 'User credentials are invalid',
  stack: undefined
}

I am not exactly sure why, but I think it has something to do with how the error is thrown. For instance in usePasswordGrant() the done function is called with the error object. This also throws a Server Error in my case even though it's not really a server error.

A nice solution for me was to send this object to the client. In the runner.js file I changed line 16 from:
if (err || pos === last) return next(err);
to:

if (err) {
  if (err.headers) context.res.set(err.headers);
  return context.res.json(err.code, err);
}
if (pos === last) return next();

This way the error gets sent back to the client like it should (in my opinion). The changes I made are in my fork.

Thoughts?

Question: Login example in PostgreSQL mockup

// Handle login
app.post('/login', function (req, res, next) {
  // Insert your own login mechanism
  if (req.body.email !== '[email protected]') {
    res.render('login', {
      redirect: req.body.redirect,
      client_id: req.body.client_id,
      redirect_uri: req.body.redirect_uri
    });
  } else {
    // Successful logins should send the user back to the /oauth/authorise
    // with the client_id and redirect_uri (you could store these in the session)
    return res.redirect((req.body.redirect || '/home') + '?client_id=' +
       req.body.client_id + '&redirect_uri=' + req.body.redirect_uri);
  }
});

I am going rounds with OAuth on an API I am trying to get right. I am having trouble with this one particular example ^^ in: https://github.com/thomseddon/node-oauth2-server/blob/master/examples/postgresql/index.js

I hate to ask for a gimme, but is this where I can plant a local username-password strategy? If I am trying to store a session with a bearer token, where do I plant this with X, (passport or something)? I have something like:

// model for oauth
model.getUser = function (username, password, callback) {
  Models.User.find({
    where: ['lower("Users"."username")=? AND "Users"."deletedAt" IS NULL', username.toLowerCase()]
  }).success(function(user) {
    if (!user) { 
      return callback('Unknown user ' + username ); 
    }
    user.verifyPassword(password, function(result) {
      if (result)
        return callback(null, user);
      else
        return callback('Invalid password');
    });
  })
};

//passport local strategy
passport.use(new LocalStrategy(
  function(username, password, done) {
    process.nextTick(function () {
      Recommender.Models.User.find({
        where: ['lower("Users"."username")=? AND "Users"."deletedAt" IS NULL', username.toLowerCase()]
      }).success(function(user) {
        if (!user) { 
          return done(null, false, { message: 'Unknown user ' + username }); 
        }
        user.verifyPassword(password, function(result) {
          if (result)
            return done(null, user);
          else
            return done(null, false, { message: 'Invalid password' });
        });
      })
    });
  }
));

to verify a user. Can you organize my thoughts on what I should be doing on the app.post('/login') route? Maybe I am way off... Thanks for making good code available to guys trying to do side projects with full time jobs!
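The login route quoted from the PostgreSQL example builds the redirect by concatenating `req.body.client_id` and `req.body.redirect_uri` into the query string as they arrived, so the login page is also where an unchecked redirect_uri gets passed on to /oauth/authorise. As an added example (not the project's code and not the poster's), here is the same handler shape with the redirect target checked and encoded: redirect_uri must exactly match one registered for the client, the post-login hop is restricted to a local path, and the query string is built with URLSearchParams. The client registry, the `verifyUser` callback and the `/oauth/authorise` fallback path are assumptions; the handler is written as a pure function so it can be exercised without Express.

```javascript
// Added example, not the project's PostgreSQL example code.

// Constructed client registry (assumption): client_id -> registered redirect URIs
const CLIENTS = {
  thom: { redirectUris: ['http://nightworld.com'] },
};

// redirect_uri must exactly equal a registered URI for that client. Prefix or
// substring matching is what lets a look-alike host through, so none is done.
function isRegisteredRedirectUri(clientId, redirectUri) {
  const client = CLIENTS[clientId];
  if (!client || typeof redirectUri !== 'string') return false;
  return client.redirectUris.indexOf(redirectUri) !== -1;
}

// Only accept a local absolute path for the post-login hop. "//host" and
// "/\host" are read by browsers as a different origin, so they fall back.
function localPathOr(candidate, fallback) {
  if (typeof candidate !== 'string') return fallback;
  if (!/^\/(?![\/\\])/.test(candidate)) return fallback;
  return candidate;
}

// Build the Location for a successful login, or null if redirect_uri is not
// registered for the client. URLSearchParams does the percent-encoding.
function buildAuthoriseRedirect(body) {
  if (!isRegisteredRedirectUri(body.client_id, body.redirect_uri)) return null;
  const params = new URLSearchParams({
    client_id: body.client_id,
    redirect_uri: body.redirect_uri,
  });
  return localPathOr(body.redirect, '/oauth/authorise') + '?' + params.toString();
}

// Pure form of the /login handler: returns what the route should do.
// verifyUser(email, password) -> user object or null (hypothetical callback)
function handleLogin(body, verifyUser) {
  const user = verifyUser(body.email, body.password);
  if (!user) {
    // Re-render the form, carrying the OAuth parameters along as the example does
    return {
      render: 'login',
      locals: { redirect: body.redirect, client_id: body.client_id, redirect_uri: body.redirect_uri },
    };
  }
  const location = buildAuthoriseRedirect(body);
  if (location === null) {
    return { status: 400, error: 'invalid_request', error_description: 'redirect_uri is not registered for this client' };
  }
  return { redirect: location, user: user };
}
```

In an Express route the three return shapes map onto `res.render`, `res.status(400).json` and `res.redirect`; keeping the decision in a function of the body is what makes the redirect rule testable on its own.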

2.x MongoDB example is wrong

I get an error when making a refresh_token request on a Mongoose-based setup. The error I get states that the client_id is invalid, and when debugging I noticed that on

function useRefreshTokenGrant (done) {
  var token = this.req.body.refresh_token;
  if (!token) {
    return done(error('invalid_request', 'No "refresh_token" parameter'));
  }

  var self = this;
  this.model.getRefreshToken(token, function (err, refreshToken) {
    if (err) return done(error('server_error', false, err));

    if (!refreshToken || refreshToken.clientId !== self.client.clientId) {
      return done(error('invalid_grant', 'Invalid refresh token'));
    } else if (refreshToken.expires !== null &&
        refreshToken.expires < self.now) {
      return done(error('invalid_grant', 'Refresh token has expired'));
    }

    if (!refreshToken.user && !refreshToken.userId) {
      return done(error('server_error', false,
        'No user/userId parameter returned from getRefreshToken'));
    }

    self.user = refreshToken.user || { id: refreshToken.userId };

    if (self.model.revokeRefreshToken) {
      return self.model.revokeRefreshToken(token, function (err) {
        if (err) return done(error('server_error', false, err));
        done();
      });
    }

    done();
  });
}

at if (!refreshToken || refreshToken.clientId !== self.client.clientId) {}, the refreshToken has no clientId, but just client_id. I'm not very familiar with the codebase, but I know that somewhere there's an internal function that converts a model object from client_id to clientId, so there might be a leak where this conversion isn't taking place.

After manually fixing it, I notice that the next error I get is the one below, but if I figure out what's causing it I'll submit a PR or an issue:

{
  "code": 503,
  "error": "server_error",
  "error_description": "server_error"
}

Add support for MAC tokens

While the current randomly generated tokens can't easily be guessed, it'd be great to add MAC support for generated tokens. For reference, this ruby implementation handles authorization tokens with HMAC.

Edit: The original description mentioned UUID, but that was a mistake as the current implementation does not use UUIDs and rather uses a hash of random bytes (see comments below for details).

Ignore paths

Hi

How can I make the OAuth server ignore some paths while checking for the access token?

For example:

http://localhost:1337/allowed

Don't use OAuth authorization when the GET URI is 'allowed'?
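This question and the earlier one about the `allow` option both come down to an allow-list of paths that skip the token check. The following is an added example, not node-oauth2-server's own `allow` implementation (which is not shown on this page): patterns are compiled once, anchored so that a pattern only matches a whole path, restricted to the methods it is meant for, and tested against the decoded path without its query string, so a longer URL that merely contains an allowed pattern is still protected. The `checkToken` function, the request shape and the default method list are assumptions.

```javascript
// Added example; not the library's own `allow` implementation.

// The patterns from the `allow` question earlier plus the /allowed path above
const ALLOW_PATTERNS = [
  '/candidate/[0-9a-f]+/avatar',
  '/application/[0-9a-f]+/avatar',
  '/allowed',
];

// Compile once; wrap every pattern in ^(?:...)$ so it can only match a whole path
function compileAllowList(patterns, methods) {
  return {
    methods: new Set(methods || ['GET', 'HEAD']),
    patterns: patterns.map(function (p) { return new RegExp('^(?:' + p + ')$'); }),
  };
}

// Compare only the path: drop query/fragment, percent-decode so an encoded
// form of a path is judged the same as its plain form, refuse dot segments
function normalisePath(url) {
  const raw = String(url).split(/[?#]/)[0];
  let path;
  try { path = decodeURIComponent(raw); } catch (e) { return null; }
  if (path.split('/').some(function (seg) { return seg === '.' || seg === '..'; })) return null;
  return path;
}

function isAllowed(allow, method, url) {
  if (!allow.methods.has(method)) return false;
  const path = normalisePath(url);
  if (path === null) return false;
  return allow.patterns.some(function (re) { return re.test(path); });
}

// Middleware-style wrapper. checkToken(req, res, next) is a hypothetical
// function that performs the bearer-token check for everything else.
function skipAuthFor(allow, checkToken) {
  return function (req, res, next) {
    if (isAllowed(allow, req.method, req.url)) return next();
    return checkToken(req, res, next);
  };
}
```

Whatever the library does with the strings it is handed, it is worth checking how it compiles them: an unanchored regular expression for `/allowed` also matches `/admin/allowed/report`, and a list that ignores the method opens the same path to writes.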

UserId is lost on a 2nd refresh token

Hi Thom,

I'm having an issue with refresh_token. Here is how I get it:

  • A user is logged in; he receives an access token and a refresh token
  • User sends authenticated requests using the access token, until...
  • The access token has expired; the refresh token is used to give another access token and refresh token to the user.
  • User sends authenticated requests using the access token, until...
  • The access token has expired; the refresh token is used to give another access token and refresh token to the user, but this time there is no UserId given to saveAccessToken and saveRefreshToken. I save the tokens in MongoDB anyway.
  • User sends authenticated requests using the access token, until...
  • In getRefreshToken, the error "No user/userId parameter returned from getRefreshToken" occurs, and the user is disconnected

Is it a normal behavior? Am I missing something?

Bye,
Alex

How to verify token and authorise routes are working?

I'm trying to see if I got the Postgres example working.

Verify user creation

(based on the tests)

$ curl http://127.0.0.1:3000/oauth/token --request POST --data  '{"grant_type": "password", "client_id": "thom", "client_secret": "nightworld", "username": "thomseddon", "password": "nightworld"}' --header "Content-Type: application/x-www-form-urlencoded"
#{
# "code": 400,
# "error": "invalid_request",
# "error_description": "Invalid or missing grant_type parameter"
#}

Verify user authorization

(based on the tests)

$ curl http://127.0.0.1:3000/oauth/authorise --request POST --data  "{response_type: 'code', client_id: 'thom', redirect_uri: 'http://nightworld.com'}" --header "Content-Type: application/x-www-form-urlencoded"
# TypeError: Cannot read property 'user' of undefined
# ln:20  if (!req.session.user) {

Account management

Is there any examples of extending this server to include:

  • User account creation
  • Admin User account management
  • Password reset functionality

Or is it expected the admin will implement these things themselves?

SAML 2.0 Bearer Assertion for OAuth 2.0

First let me just say great work on this. I've been following this project for a while and I'm really happy how it's coming out. There are zero Node OAuth2 implementations up to date and you are solving that problem. Awesome.

There is a SAML 2.0 Bearer Assertion type out which is really quite useful. I know that nobody likes depending on a PHP/Ruby lib just to implement SAML support if they are writing a Node app, so I can definitely see this as something being used.

The official specification is here:
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-17

RC1

I've released the 2.0 branch as RC1 as it's been pretty stable for a few months.

I'm hoping to make the switch to defaulting to 2.0 within a week or so :)
