Dec 13, 2015

OAuth 2.0 Authorization Code Grant

OAuth lets a client application access a user's protected resources without the resource owner sharing their credentials with the client application. Instead of using the resource owner's credentials, the client application obtains an access token that has a specific scope and lifetime, and uses that token to access the protected resource. The following steps are involved in the authorization code grant type.

Step 1

The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI:
  • client_id (required) - the identifier the authorization server issued to the client when it registered
  • response_type (required) - for this grant type it is code
  • redirect_uri (optional) - the URI to which the authorization server sends the user-agent back once access is granted or denied; this must match what the client registered
  • scope (optional) - the scope of the access request
  • state (optional) - an opaque value used by the client to maintain state between the request and the callback
The following is an example of such a URI:

https://accounts.google.com/o/oauth2/auth?
scope=https://www.googleapis.com/auth/userinfo.profile&
response_type=code&
redirect_uri=http://localhost:3000/auth/google/callback&
client_id=<client id from the Google developer console>
You can use the passport-google-oauth npm package with the following code in order to achieve this.

 const passport = require('passport');
 // passport-google-oauth exports the OAuth 2.0 strategy as OAuth2Strategy
 const GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;

 passport.use(new GoogleStrategy({
            clientID: "1071015616274-as07l0j0iuhpnll3o5auakjbssc3brl7.apps.googleusercontent.com",
            // the client secret is issued at registration; read it from the environment
            // rather than committing it to source
            clientSecret: process.env.GOOGLE_CLIENT_SECRET,
            callbackURL: "http://localhost:3000/auth/google/callback",
            // required so that the verify callback below receives `req` as its first argument
            passReqToCallback: true
        }, function (req, accessToken, refreshToken, profile, done) {
            done(null, profile);
        }));

 // Step 1: redirect the user-agent to Google's authorization endpoint with the requested scopes
 app.get('/auth/google',
            passport.authenticate('google', {
                scope: ['https://www.googleapis.com/auth/userinfo.profile', 'https://www.googleapis.com/auth/userinfo.email']
            }));

If you are using passport-google-oauth, this redirect is performed in the following file:
node_modules\passport-google-oauth\node_modules\passport-oauth\node_modules\passport-oauth2\lib\strategy.js

Step 2

The authorization server authenticates the resource owner, and the resource owner authorizes the client application to access its resources. The user never shares credentials with the client application.

Step 3

If the resource owner grants access, the authorization server redirects the user back to your site with an authorization code:

http://localhost:3000/auth/google/callback?code=xxxxx

Step 4

The client application makes a request to the authorization server's token endpoint, sending the authorization code received in the previous step.

The request looks something like this:
POST https://accounts.google.com/o/oauth2/token
grant_type=authorization_code&
redirect_uri=http://localhost:3000/auth/google/callback&   (same as what was sent in the authorization request)
client_id=xxx&   (identifier issued to the client during the registration process)
client_secret=xxx&   (secret issued to the client during the registration process; this is never visible to the user-agent)
code=xxx   (the code received in the previous step)
The response may look like:

{
"access_token" : "xxx",
"token_type" : "Bearer",
"expires_in" : 3431,
"id_token" : "xxxx"
}

If you are using the passport-google-oauth npm package, this call happens in the OAuth2 module (node_modules\passport-google-oauth\node_modules\passport-oauth\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js). It then passes

From here on, the client application uses the access token to access the user's protected resources.
