Manjesh V

Reputation: 1240

OAuth 2.0 Flow how it works node-oauth2-server

While implementing OAuth Server in NodeJS with https://github.com/thomseddon/node-oauth2-server

I'm trying to understand the flow of OAuth 2.0.

Somehow I'm successful with this npm package implementation, but I'm doubtful; something is going wrong.

I'll explain how I'm successful.

1st REQUEST:

POST: http://localhost:3000/oauth/token
grant_type=password
client_id=1011
client_secret=somesecret
username=admin
password=admin

1st RESPONSE:

{
  "token_type": "bearer",
  "access_token": "7f5261011fb0f84a4e193889fff4b7478f2a4cb2",
  "expires_in": 3600,
  "refresh_token": "da83de41966979ced65b3841e1758335a811c0c2"
}

After getting the access token, I'm sending another HTTP call.

2nd REQUEST:

GET http://localhost:3000/secret
Authorization: Bearer 7f5261011fb0f84a4e193889fff4b7478f2a4cb2

2nd RESPONSE:

{"data":"Secret area accessible"}

But here I'm fully confused about the following:

Question 1. The authorization_code part is missing.

Question 2. In the first call I need to send client_secret and the user's password. If I send both, it means either the OAuth client is exposing its secret to the user (browser), or the user is providing their password to the OAuth client.

Please share with me a request/response pattern for the whole OAuth 2.0 flow, like the one below:

a. browser -> oauth server POST /oauth/authorize?client_id,username,password
b. USER GRANTS PERMISSION
c. browser -> oauth server RESPONSE auth_code
d. browser -> oauth client POST auth_code
e. oauth_client -> oauth server POST auth_code
f. oauth server -> oauth_client RESPONSE access_token
g. oauth_client -> resource_server POST /resource?access_token (Question 3. But here, how does the resource server validate whether the access token is valid or not?)

Upvotes: 3

Views: 2558

Answers (1)

Hans Z.

Reputation: 53888

OAuth 2.0 defines several ways of obtaining an access token through so-called "grants". Your requests show that you're currently using the Resource Owner Password Credentials grant, see: https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3. That grant is indeed exposing the username/password to the Client, which is why it defeats most of the purpose of OAuth 2.0 and is for migration purposes only, see: https://www.rfc-editor.org/rfc/rfc6749#section-10.7.

The Authorization Code grant is a separate grant type by which a user is redirected with a browser to an authorization endpoint so that the Client stays out of the user authentication process. You seem to refer to that in the flow described in a.-f. Since that is a different grant type, you won't see the "authorization code" as part of the resource owner password credentials grant.

In a correct Authorization Code grant flow, a. would be a redirect instead of a POST as in: a. browser -> oauth server Redirect /oauth/authorize?client_id,response_type=code

Upvotes: 6
