
I am having some issues understanding how to implement the Resource Owner Password Flow with oauth2orize and passport.js, specifically with the transmission of the client_id and the client_secret, so that I can do some checks on the client to ensure anything coming into this endpoint (/token) using the specific "password" grant type is specifically an official application and no others, based on the id and secret.

When building out the solution I can get a token back, but that is before I have tried to do any validation on the client. When I try to access the client variable (posted to the endpoint) passed into the password exchange strategy I receive the user credentials (username, password), which based on the documentation is expected but not what I need to achieve here.

I am at a loss to understand how I get the actual client credentials. I can see in the password function source code that you can provide additional options to override the default assignment to req['user'], but does that mean I have to provide some sort of code to add to the req object?

I have set up some integration tests and here is how I am calling my endpoint (using SuperTest):

    var request = require('supertest');

    // All four credential pairs (client and resource owner) are sent
    // form-encoded in the body of the token request.
    request('http://localhost:43862')
        .post('/oauth/token')
        .type('form')
        .send({ grant_type: 'password' })
        .send({ client_id: 'goodClient' })
        .send({ client_secret: 'asecret' })
        .send({ username: 'good@user.com' })
        .send({ password: 'goodpassword' })
        .expect(200, done);

For some reason I seem to be completely overthinking this, but I am completely stumped...

laggingreflex
Modika

1 Answer


As expected it was an understanding issue: we were using a local strategy instead of the ClientPasswordStrategy, with the user validation happening within the password exchange before issuing a token.

We are now using the ClientPasswordStrategy, and within the exchange.password function we make an internal call to our user API to validate the user credentials and, if OK, issue the token.

    var passport = require('passport');
    var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
    var BearerStrategy = require('passport-http-bearer').Strategy;

    // Client, Token and User below are our own API, not part of passport.

    // Authenticates the application calling /oauth/token by the client_id and
    // client_secret sent in the form body, before any exchange is run.
    passport.use(new ClientPasswordStrategy(
        function(clientId, clientSecret, next) {

            Client.verify(clientId, clientSecret, function(err, verified) {

                if (err) {
                    return next(err);
                }

                if (!verified) {
                    return next(null, false);
                }

                next(null, clientId);
            });
        }
    ));

    // Authenticates subsequent API requests with the bearer token issued by the exchange.
    passport.use(new BearerStrategy(
        function(token, next) {

            Token.getByToken(token, function(err, tokenObj) {

                if (err) {
                    return next(err);
                }

                if (!tokenObj) {
                    return next(null, false);
                }

                User.getByUsername(tokenObj.username, function(err, user) {

                    if (err) {
                        return next(err);
                    }

                    if (!user) {
                        return next(null, false);
                    }

                    return next(null, user, { scope: 'all' });
                });
            });
        }
    ));
Modika
  • I am planning to do the same using Express + passport + oauth2orize. How do I attain this ? Use a combination of ClientPasswordStrategy + LocalStrategy ? Could you share some code on how you did it ? – ajithmanmu Nov 15 '18 at 00:58
  • @ajithmanmu To be honest, development stopped on this so all code is old (callbacks). We used a ClientPasswordStrategy to verify the user and exchange credentials for a bearer token. For subsequent requests we used a bearer token approach, which may or may not fit your bill. Note Client/User are our own api not anything to do with passport – Modika Nov 15 '18 at 21:54