The main idea - loctx21/oauth2orize GitHub Wiki

OAuth2orize is a great library that is featured on passportjs.org. However, it is not easy to grasp its main idea and the key steps of building with it just by reading its documentation. That's why I created this wiki to document how I learned to use this library.

Important concepts

  1. The purpose of OAuth2
  2. The four OAuth2 roles
  3. The OAuth2 flow and its stages
  4. Which OAuth2 role does OAuth2orize handle?
  5. The purpose of Passport and how it differs from OAuth2orize

The purpose of OAuth2

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. (Source: RFC 6749)

The four OAuth2 roles

| Role | Definition |
| --- | --- |
| resource owner | An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. |
| resource server | The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. |
| client | An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices). |
| authorization server | The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. |

The OAuth2 flow and its stages

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |    Server     |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|   Resource    |
|        |                               |    Server     |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

Which OAuth2 role does OAuth2orize handle?

OAuth2orize is an authorization server toolkit for Node.js. It provides a suite of middleware that, combined with Passport authentication strategies and application-specific route handlers, can be used to assemble a server that implements the OAuth 2.0 protocol.

The purpose of Passport and how it differs from OAuth2orize

Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. (Source: passportjs.org)

Passport uses pluggable strategies to authenticate incoming requests, for example by validating the tokens (bearer tokens, JWTs, ...) that a client previously obtained from an OAuth2orize-based authorization server. In other words, OAuth2orize issues the tokens (the authorization server role) and Passport checks them when a protected resource is requested (the resource server side).