HTTP OAuth authentication strategy for Passport.
This module lets you authenticate HTTP requests using the authorization scheme defined by the OAuth 1.0 protocol. OAuth is typically used protect API endpoints, including endpoints defined by the OAuth protocol itself, as well as other endpoints exposed by the server.
By plugging into Passport, OAuth API authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
Note that this strategy provides support for implementing OAuth as a service provider. If your application is implementing OAuth as a client for delegated authentication (for example, using Facebook or Twitter), please see Passport-OAuth for the appropriate strategy.
❤️ Sponsors
$ npm install passport-http-oauth
The OAuth consumer authentication strategy authenticates consumers based on a
consumer key and secret (and optionally a temporary request token and secret).
The strategy requires a consumer
callback, token
callback, and validate
callback. The secrets supplied by the consumer
and token
callbacks are used
to compute a signature, and authentication fails if it does not match the
request signature. consumer
as supplied by the consumer
callback is the
authenticating entity of this strategy, and will be set by Passport at
req.user
.
passport.use('consumer', new ConsumerStrategy(
function(consumerKey, done) {
Consumer.findByKey({ key: consumerKey }, function (err, consumer) {
if (err) { return done(err); }
if (!consumer) { return done(null, false); }
return done(null, consumer, consumer.secret);
});
},
function(requestToken, done) {
RequestToken.findOne(requestToken, function (err, token) {
if (err) { return done(err); }
if (!token) { return done(null, false); }
// third argument is optional info. typically used to pass
// details needed to authorize the request (ex: `verifier`)
return done(null, token.secret, { verifier: token.verifier });
});
},
function(timestamp, nonce, done) {
// validate the timestamp and nonce as necessary
done(null, true)
}
));
Use passport.authenticate()
, specifying the 'consumer'
strategy, to
authenticate requests. This strategy is intended for use in the request token
and access token API endpoints, so the session
option can be set to false
.
For example, as route middleware in an Express application:
app.post('/access_token',
passport.authenticate('consumer', { session: false }),
oauthorize.accessToken(
// ...
});
The OAuth token authentication strategy authenticates users based on an
access token issued to a consumer. The strategy requires a consumer
callback,
verify
callback, and validate
callback. The secrets supplied by the
consumer
and verify
callbacks are used to compute a signature, and
authentication fails if it does not match the request signature. user
as
supplied by the verify
callback is the authenticating entity of this strategy,
and will be set by Passport at req.user
.
passport.use('token', new TokenStrategy(
function(consumerKey, done) {
Consumer.findByKey({ key: consumerKey }, function (err, consumer) {
if (err) { return done(err); }
if (!consumer) { return done(null, false); }
return done(null, consumer, consumer.secret);
});
},
function(accessToken, done) {
AccessToken.findOne(accessToken, function (err, token) {
if (err) { return done(err); }
if (!token) { return done(null, false); }
Users.findOne(token.userId, function(err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
// fourth argument is optional info. typically used to pass
// details needed to authorize the request (ex: `scope`)
return done(null, user, token.secret, { scope: token.scope });
});
});
},
function(timestamp, nonce, done) {
// validate the timestamp and nonce as necessary
done(null, true)
}
));
Use passport.authenticate()
, specifying the 'token'
strategy, to
authenticate requests. This strategy is intended for use in protected API
endpoints, so the session
option can be set to false
.
For example, as route middleware in an Express application:
app.get('/api/userinfo',
passport.authenticate('token', { session: false }),
function(req, res) {
res.json(req.user);
});
OAuthorize is a toolkit for implementing OAuth service providers. It bundles a suite of middleware implementing the request token, access token, and user authorization endpoints of the OAuth 1.0 protocol.
The toolkit, combined with the ConsumerStrategy
and a user authentication
strategy can be used to implement the complete OAuth flow, issuing access tokens
to consumers. TokenStrategy
can then be used to protect API endpoints using
the access tokens issued.
The example
included with OAuthorize
demonstrates how to implement a complete OAuth service provider.
ConsumerStrategy
is used to authenticate clients as they request tokens from
the request token and access token endpoints. TokenStrategy
is used to
authenticate users and clients making requests to API endpoints.
$ npm install --dev
$ make test
Copyright (c) 2012-2013 Jared Hanson <http://jaredhanson.net/>