Skip to content

defless/OAuth-2.1-example

BranchesTags

Repository files navigation

OAuth 2.1 implementation sandbox 🔐

This repository is an object lesson of an OAuth 2.1 protocol integration on a basic Fastify API. I made it for learning purposes, so feel free to contribute ! 🙃

Table of Contents

Installation

To start, just clone this repository and then use:

yarn install # or using pnpm: pnpm install

Before starting the node server, be sure to have a .env file matching .env.example. (I will come back after on the specific values to setup in it)

Then just run the following start command:

yarn dev # or using pnpm: pnpm dev

The auth server is by default listening on port 3000

What is OAuth

OAuth 2.0

I won't reinvent the wheel so I suggest you to read the The OAuth 2.0 Authorization Framework from the Internet Engineering Task Force. It's maybe not the most beautiful documentation but it's by far one of the most complete and accurate.

Here's the basic protocol flow:

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+

And what about 2.1 🧐

OAuth 2.1 is an in-progress effort to consolidate and simplify the most commonly used features of OAuth 2.0. You can go here for more details.

But the main changes are the following:

  • The authorization code grant is extended with the functionality from PKCE (Proof-Key for Code Exchange)

  • Redirect URIs must be compared using exact string matching

  • The Implicit grant (response_type=token) is omitted

  • The Resource Owner Password Credentials grant is omitted

  • Bearer token usage omits the use of bearer tokens in the query string of URIs

  • Refresh tokens for public clients must either be sender-constrained or one-time use

How to use this repository

This API provides endpoints to test OAuth flow all by yourself without any front-end. The limit however is that as there is no front-end application you need to do some more steps by yourself in order to make it work. Of course in a production ready application it would'nt have been done this way.

Register a new user

  1. Using user credentials:

You can register a new user in two ways, first you can use the POST /auth/register route to register a user by sending an email

  1. Using a third party provider

For a third party provider, the register process is the same that an authentication.

Authenticate

  1. With grant_type="password"

⚠️ As the 2.1 standard specifies, using the password must be avoided as much as possible

Request POST /auth/authenticate with the right email and the right password and you will be granted an access/refresh tokens duet.

  1. With grant_type="refresh_token"

Request POST /auth/authenticate with the refresh_token you stored from your last authentication request and you will be granted a new access/refresh tokens duet.

  1. With grant_type="authorization_code"

The authorization code allows you to register using a code provided by a third party solution (like Google or Github). In this example we use the provided code to access you public data on these providers api and then create an access/refresh tokens duet.

Using Google:

ℹ️ You can find the documentation for Google Api using OAuth here

⚠️ Don't forget to set your own code_challenge generated earlier in the url

  • Step 3: After connecting with your credentials you will be redirected to the GET /helpers/callback with your authorization code.

  • Step 4: Request POST /auth/authenticate with the right grant_type, the code you just received, and also the code_verifier and you should get a access/refresh tokens duet as response.

⚠️ It's mandatory to use the code_verifier used to encrypt the code_challenge otherwise it cannot work.

Using Github:

ℹ️ As Github does not support PKCE you can ignore code_verifier and code_challenge

Access ressources

To access restricted data, just set the authorization header as a "Bearer" token corresponding to your refresh_token

Try it


You can found the documentation here 👈

or even try it yourself with this postman library:

Run In Postman

About

OAuth 2.1 integration with fastify API

Topics

oauth2 api-rest third-party pkce fastify pkce-flow pkce-oauth

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v2.0.0 Latest
Apr 25, 2024

Contributors 2

  •  
  •  

Languages