NodeJS OAuth2 Example
git clone git://github.com/coolaj86/node-oauth2-examples.git pushd node-oauth2-examples npm install -g grunt-cli npm install
There are two servers:
For running this demo on
localhost you should edit
/etc/hosts and use something like
consumer.example.net as aliases of
Currently there's a bug that I don't understand that prevents the demo from working on localhost.
pushd bookface-provider/ npm install grunt build popd node bookface-provider/bin/provider
pushd blogthing-consumer/ npm install grunt build popd node blogthing-consumer/bin/consumer
Demo (runs both)
A provider is a service like facebook, twitter, google+, or github that handles the details of authentication.
The consumer is a service such as Disqus, Spotify, EverNote, BlissControl, IfThisThenThat, or Calepin
The demo consumer will ask the provider to log you in.
If you have already logged in to the provider you don't need to login again,
instead you will be directly taken to the
The provider is an application platform such as Facebook, Google, and Twitter.
The consumer is an application registered with the platform such as StackOverflow or TweetDeck.
- The authorize is usually something like
- The access_token is usually something like
scope is arbitrary data. For example you might allow other apps to access things like
- email address
In which case you might publish your API in such a way that when you have a request where
encodeURI the string
["email","contacts","birthday"] and then present a user interface
telling the user that the application wants access to their email address, contacts, and birthday.
If the app needs access to more permissions in the future it might make another request with a larger scope.
client_id (and secret)
You should have some registration process by which you give the application an
id and a
client_id will be sent in the clear and is the id you need to look up in your database.
The secret is handled by the
oauth library for cookies or something like that.
This will be
web_server for all web servers.
If you were writing an android app it would probably be something different.
This is the uri to which the
code to the
This logic should be handled by the
strategy, but leave the storage abstraction up to you.
There is an additional callback provided by the
strategy which your app should respond to.
Don't get the two mixed up. :-D
This is the query parameter used as the provider responds to the request for an access token.
Dipping into auth_middleware Dipping into requestMethods Dipping into strategyExecutor Dipping into foostrategy