Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Oauth 2-legged strategy for passport
Branch: master

Merge pull request #8 from AusIV/master

Use req.originalUrl when available
latest commit 3cd5be4df4
@camme authored
Failed to load latest commit information.
example added readme
lib Use req.originalUrl when available
.gitignore added example
LICENSE Import bump version to deploy to npm
package.json correct package.json

Oauth 2-legged strategy for passport

This oauth strategy is used for a 2-legged scenario (even called 0-legged). Its a consumer to server authentication where each request is signed as defined in oauth but an empty access_token is used. No user data is exposed, as it is the consumer that has access to the protected resource.

It works as but skips the access_token verification step and accepts empty access_tokens.

The cose base is 98% but adapted for the 2-legged scenario. So thanks jaredhanson for all work!.

To see how it works, you can run the example. Its quite easy to set up:

Create a server with a secure endpoint

First install all needed dependecies for this example:

npm install express passport passport-http-2legged-oauth

Now create a file called server.js with the following:

var express = require('express');
var app = express();
var passport = require('passport');
var twoLeggedStrategy = require('passport-http-2legged-oauth').Strategy;

Initialize passport and start the http server

// This is standard passport

// And here we start the http server

Now we add a public route and a private route

// We add a route that is open
app.get("/", function(req, res) {
    res.setHeader("content-type", "text/html");
    res.send("Hi. Try <a href='/private'>/private</a> for a private endpoint.");

// And we add a secure route. Add the security and that we arent using any sessions (no point in 2-legged)
app.get("/private", [passport.authenticate('oauth', {session: false}), function(req, res) {
    res.send({secret: true});

Define a list of apps with keys and secrets. This would normaly be saved in a database, but for the sake of simplicity, we just have an object in this example

var appList = {
    "111111": {
        secret: "xxx"

Register our two legged strategy with passport with the two callbacks needed. One for checking if we can find the correct user/app by key The other to check if the timestamp is ok, ie the request isnt too old

passport.use(new twoLeggedStrategy(checkAppKey, checkTimestampAndNonce));

// A function to find the app by key. If we find it, we return the secret used to 
// check if the request is valid
function findApp(key, next) {
    var consumer = appList[key];
    if (consumer) {
        next(null, {secret: consumer.secret});
    } else {

// Check if the key is valid and get the secret
function checkAppKey(consumerKey, done) {
    findApp(consumerKey, function(err, consumer) {
        if (err) { return done(err); }
        if (!consumer) { return done(null, false); }

        console.log("Found an app with the suplied key '%s'", consumerKey);

        return done(null, consumer, consumer.secret);

// Check if the timestamp is ok (and nonce, but we dont check nonce in this example)
function checkTimestampAndNonce(timestamp, nonce, app, req, done) {

    var timeDelta = Math.round((new Date()).getTime() / 1000) - timestamp;

    // Here we check if the request is too old.. If its too old, return false
    if (timeDelta >= 10) {
        done(null, false);
    else {
        done(null, true);


Create a simple client

Install oauth first

npm install oauth

Then create a file called client.js

Get the required module for oauth

var oauth = require("oauth");

Define the key and secret for your app

var key = "111111";
var secret = "xxx";

Create the oauth client. Set null for the first two arguments since we dont have endpoints for getting tokens etc (for 3-legged)

var request = new oauth.OAuth(null, null, key, secret, '1.0', null, 'HMAC-SHA1');

And now do the actuall request to the private endpoint

request.get("http://localhost:1337/private", null, null, function(err, data, res) {
    if (err) {
        console.error("Err", err);
    } else {
        console.log("Success", data);

If everything goes well, you should get a success message! You can download the complete sourcecode for this example in the /example folder

Something went wrong with that request. Please try again.