Question

I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.

I found several modules that could be used for this purpose, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example but I do not fully understand how this works internally.

Basically, I'll have several clients consuming the API I'm developing:

- clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization"
- clients that I do not trust and that will connect using the Authorization Code flow

I was thinking of adding a trusted property to the Client model within the sails application, and then when a user logs onto an application:

- he will have direct access to his resources (case of the trusted application)
- he will be requested to approve or deny the application from accessing his resources (case of the untrusted application)

Is this a good approach? Any pointers on how to select the corresponding strategy based on the client's trust level?

UPDATE

I've set up the following project on GitHub, using several tutorials and projects I found.

https://github.com/lucj/sails-oauth2-api

This project is not functional yet.

I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consumes the API through an application. How do I integrate this check in the policies?

I have not managed to create the link between the OAuth endpoints (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea?


Solution

I finally struggled with oauth2orize, sails and passport and managed to integrate OAuth2 security into my API in the project: https://github.com/lucj/sails-oauth2-api

Licensed under: CC-BY-SA with attribution