Question

I'm trying to integrate an oauth2 server with an API and got terribly stuck. In the example, there are 3 different Strategies used (local, basic, bearer); Is there an explanation for that? How do I create client keys and secrets? Is there a working example for a simple login for users?


Solution 2

For future reference, I patched everything together in a small, understandable example. oauth2api

OTHER TIPS

Yes, you are in for a headache :). It's not an easy strategy to implement, but here is the full working example with token server and so on:

https://github.com/jaredhanson/oauth2orize

It took me several weeks to wrap my head around it and what helped a lot is to understand the Oauth2 specs themselves. There are many moving parts, in short as follows:

  1. User contacts the Service provider (i.e. my webmail).
  2. Webmail offers Facebook auth, user clicks and user gets redirected to FB auth endpoint on fb.com
  3. FB says, hey, Webmail wants to access your mail, allow? User says yes then
  4. FB redirects the user, with an "access token" granted to Webmail, back to the Webmail callback URL
  5. Webmail gets that access token and uses it to make Webmail-to-FB API calls on behalf of the user.

As you can see, the complication is that there is a need for a Token Server, which you need to provide, to ensure that Webmail is registered with the token server as a "known provider", so that the user can then grant Webmail permission to access FB on their behalf.

On your Webmail side you will not use any of the local/basic/bearer strategies. You will use passport-oauth2 strategy. Bearer is a valid API strategy similar to presenting an API key. If you don't need user permission to grant access to an API, I highly recommend you use passport-http-bearer strategy and you have no headaches.

I hope it helps.

Take a look at number 4. The sample works very easily: https://github.com/scottksmith95/beerlocker

Use Postman and create the test user by POSTing to localhost:3000/api/users with username yourName and password yourPass.

Then, use that to login when testing the api.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow