OAuth 2.0 Flow how it works node-oauth2-server
When implementing OAuth Server in NodeJS from https://github.com/thomseddon/node-oauth2-server
I am trying to understand the OAuth 2.0 flow
Somehow I did manage to implement the npm package, but I am unsure whether something is going wrong.
I will explain how far I got.
1st REQUEST:
POST: http://localhost:3000/oauth/token
grant_type=password
client_id=1011
client_secret=somesecret
username=admin
password=admin
1st ANSWER:
{
token_type: "bearer",
access_token: "7f5261011fb0f84a4e193889fff4b7478f2a4cb2",
expires_in: 3600,
refresh_token: "da83de41966979ced65b3841e1758335a811c0c2"
}
after getting the access token, I send another http call
2nd REQUEST:
GET http://localhost:3000/secret
Authorization: Bearer 7f5261011fb0f84a4e193889fff4b7478f2a4cb2
2nd ANSWER:
{"data":"Secret area accessible"}
But here I am completely confused about the following:
Question 1. The authorization_code part is missing.
Question 2. On the first call, I need to send the client_secret and the user's password. If I send both, either the client exposes the OAuth secret to the user (browser), or the user provides the OAuth client password.
Please tell me whether the general OAuth 2.0 request/response pattern looks like the one below:
a. browser -> oauth server POST /oauth/authorize?client_id,username,password
b. USER GRANTS PERMISSION
c. browser -> oauth server RESPONSE auth_code
d. browser -> oauth client POST auth_code
e. oauth_client -> oauth server POST auth_code
f. oauth server -> oauth_client RESPONSE access_token
g. oauth_client -> resource_server POST /resource?access_token (Question 3. But here, how does the resource server validate whether the access token is valid or not?)
OAuth 2.0 defines several ways to obtain an access token through so-called "grants". Your requests show that you are currently using the Resource Owner Credentials grant, see https://tools.ietf.org/html/rfc6749#section-1.3.3 . This grant does reveal the username / password for the Client, so it defeats most of the purpose of OAuth 2.0 and is for migration purposes only: https://tools.ietf.org/html/rfc6749#section-10.7
Authorization Code Provision is a separate type of grant that redirects the user with the browser to the authorization endpoint to keep the Client out of the user authentication process. You seem to be referencing this in the thread described in a.-g. Since this is a different grant type, you will not see an "authorization code" as part of the resource owner password credentials.
In the correct flow of providing an authorization code, step a. would be a redirect instead of a POST, as in:
a. browser -> oauth server Redirect /oauth/authorize?client_id,response_type=code