Reputation: 2091
OAuth2 client credentials
So right now I'm implementing oauth2 in my server, but I just want to support the client_credentials grant. The thing is, the node-oauth2-server says that supports this type of grant, and I pretty much debugged the whole library, and there are some things that doesn't make sense to me.
As far as I understand, the client_credentials grant should work like this:
- An internal request should be made to generate the
client_idandclient_secretfor the client, this is the only time we will get theclient_secretand we should give this to our client - The
client_idshould be stored in database with any extra data (like the account id associated or something like this) and a hash ofclient_secretso we can later validate it - The client sends a request to the server including the
client_idandclient_secret - The server should then generate an access token (in my case I will be using JWT) and return from the request. We also need to store this token in database so we can revoke the permission if needed
- The client must use this access token in future requests to access resources from server, and the server will validate on each request if the token is valid (didn't expire, didn't lose permissions, etc)
I may be wrong about this, but this is what I need and this exactly what C# Identity does and it is explained here.
In my case I'm working with nodejs. Actually is a NestJS project, so I was trying to use this lib which is basically a wrapper for node-oauth2-server, and if you take a look inside node-oauth2-server, looks like they only support authorization codes, this is because the AuthorizeHandler.handle() always returns an authorization code and AuthenticateHandler.handle() always expects the authorization code and returns the access token. Basically I need to call the AuthenticateHandler.handle() but instead of checking the authorization code, I must pass and check the client_id and client_secret.
This is a recent issue which has the exact same issue than me: https://github.com/oauthjs/node-oauth2-server/issues/552
So, first, I want to confirm that I'm right and this lib have this implemented in a bad way, and second, is there any other nodejs lib that has client_credentials built in?
Upvotes: 0
Views: 2882
Answers (1)
Reputation: 2755
As you've mentioned that it doesn't support client_credentials grant at the moment, you can still utilize the authorization code flow grant type internally to get the access token.
- Prepare client_credentials grant type request and submit to server.
- Map this request to authorization code flow with additional
attributes require for the
authorization codeflow. - Submit the request to Authorization server.
- Get the code from response.
- Prepare the token exchange call with the
oauth code. - Get the
access_token. - Return the token in response to client_credentials call.
Upvotes: 1
Related Questions
- Node.js: OAuth2Strategy requires a clientID option
- OAuth2 Authorization Code Grant Flow Node.js mixed with Client-Side
- oauth2-server implementation nodejs
- OAuth2 server creation with nodejs
- How to use OAuth 2 for authentication in Node?
- OAuth2 Password grant with node js
- OAuth2 server: invalid or missing grant_type parameter
- Oauth2 for Node.js
- OAuth2 Password Credential flow
- NodeJS OpenID Connect Authentication Request