OAuth 2.0 is the current industry standard for authorization. It allows third-party applications to access information across websites without needing the user's credentials for each website.
OAuth 2.0 has different grant types, which affect the flow for obtaining an access token. Each grant type is optimized for a specific type of application based on its complexity and security requirements. The grant type chosen depends on whether the application can securely store a secret key and on the trust level between the user and the client.
Access tokens describe the authorization of an application to access certain aspects or operations of data. They are used as a part of an API request.
Access tokens are valid only for a limited period called the Access Token Lifetime. This lifetime should be kept short.
oauth2-server Module
The oauth2-server module is one of many modules that provide OAuth 2.0 authorization for Node.js applications.
oauth2-server Model Object
An oauth2-server instance needs a model object, which contains the functions used to retrieve, store, and validate access tokens.
OAuth 2.0 defines four roles: the resource owner, the client, the authorization server, and the resource server. Clients are further divided into public and confidential clients:
Public clients cannot securely store credentials. They can only use grant types that don’t require the Client Secret.
Confidential clients are applications that can keep their credentials secure without exposing them to a third-party application or server. They can be registered with an authorization server using a Client ID and a Client Secret as credentials.
getClient() Function
Authorization flows use the getClient() function to retrieve a client by the client's ID and/or Secret.
saveToken() Function
Authorization flows use the saveToken() function to store the issued access token as a database object.
getUserFromClient() Function
The getUserFromClient() function retrieves the user associated with the specified client. This function must be implemented to use the Client Credentials grant type.
getAccessToken() Function
The getAccessToken() function retrieves tokens that were previously saved by the saveToken() function.
authenticate() Method
The authenticate() method returns a Promise that resolves to an access token object. The token is retrieved via the getAccessToken() function of the provided model.
A Client ID is a public identifier for an application that is unique across all clients registered with the authorization server.
A Client Secret is a secret key known only to the application and an authorization server.