For future reference, I patched everything together in a small, understandable example. oauth2api
oauth2orize with an API?
06-07-2023
Question
I'm trying to integrate an oauth2 server with an API and got terribly stuck. In the example, there are 3 different strategies used (local, basic, bearer). Is there an explanation for that? How do I create client keys and secrets? Is there a working example of a simple login for users?
Solution 2
Other tips
Yes, you are in for a headache :). It's not an easy strategy to implement, but here is the full working example with a token server and so on:
https://github.com/jaredhanson/oauth2orize
It took me several weeks to wrap my head around it, and what helped a lot was understanding the OAuth2 specs themselves. There are many moving parts; in short, as follows:
- User contacts the Service provider (i.e. my webmail).
- Webmail offers Facebook auth; the user clicks and gets redirected to the FB auth endpoint on fb.com.
- FB says: hey, Webmail wants to access your mail, allow? The user says yes, then
- FB redirects the user, with an "access token" granted to Webmail, back to the Webmail callback URL.
- Webmail gets that access token and uses it to make Webmail-to-FB API calls on behalf of the user.
As you can see, the complication is that you need a token server, which you have to provide, to ensure that Webmail is registered with the token server as a "known provider", so that the user can then grant Webmail permission to access FB on their behalf.
On your Webmail side you will not use any of the local/basic/bearer strategies. You will use the passport-oauth2 strategy. Bearer is a valid API strategy, similar to presenting an API key. If you don't need user permission to grant access to an API, I highly recommend you use the passport-http-bearer strategy and you'll have no headaches.
I hope it helps.
Take a look at number 4. The sample works very easily: https://github.com/scottksmith95/beerlocker
Use Postman and create the test user by POSTing to localhost:3000/api/users with username yourName and password yourPass.
Then, use that to login when testing the api.