# Package of distributed client and server OAuth2 APIs

Under development!!! Not nearly stable yet!!!
- Implement more tests; check the latest OAuth2 draft and compare it to the current implementation
- Add more documentation
- Add example(s)
- Add OpenID Connect implementation
## What is Authpack?

Authpack is an open-source project that uses User Agents (i.e. browsers), Node.js and open-source packages to implement the OAuth 2.0 Authorization Protocol as defined by the IETF. OpenID Connect support will be added later.
## How does it work?

## Where can I run Authpack?

Authpack can be used as an authentication and authorization building block for client and server applications.

Get Authpack from NPM with:

```
npm install authpack
```

Or get Authpack from GitHub and then install the start scripts and all needed packages with:

```
git clone git://github.com/stolsma/authpack.git
cd authpack
npm install
```
Authpack user documentation is still very much a work in progress. We'll be actively updating the documentation in the upcoming months to make it easier to get acclimated with
To be added
To be expanded
## OAuth2 Authorization-server events

The OAuth2 Authorization-server emits events when it requires information from 'plugins'. The following events are emitted:

Before showing the authorization page, make sure the user is logged in. If not, request a login with the given callback URL.

This function is called when the OAuth2 core wants to know whether this user is already logged in and, if so, what its user_id is. If the user is not logged in, the user needs to get a login page and, after login, needs to return to resume the current client OAuth2 authorization flow.

- `next`: function(user_id, authorize_url)
Check with the authorization service that the given scopes are authorized for the given client_id. If not all scopes are authorized, the resource owner gets an authorization page that returns to cb_url to resume the current client OAuth2 authorization flow.

- `cb_url`: URL to be called to get back to this function
- `options`: The cleaned Authorization endpoint parameters
- `next`: Function to execute if all given scopes are authorized or if the resource owner allows a selection of scopes. Must be called with a string of authorized scopes as argument.
Generate a grant code for the given user and client. This event is emitted when the core OAuth2 code wants a grant to be saved for later retrieval using the lookupGrant function and for administrative use.

- `options`: The cleaned parameters that can be used to create a code grant
- `refreshType`: false if the requested code is a code type; true if it is a refresh type
- `next`: Function to execute next. Called with
Find the user_id, client_id and scope for a particular code grant given to a client. This function is called when the client tries to swap a code/refresh_token grant for an access token.

- `next`: Function to call back. Call with:
  - `err`: if something went wrong
  - `user`: user id who authorized this grant
Generate an access token from the given parameters.

- `options`: Checked OAuth2 request options. user_id and client_id are used by this function
- `next`: Function to execute when ready, with err, access_token, token_type and expires_in as arguments
Retrieve the client data object with the given client id.

- `id`: The id of the client whose data object needs to be retrieved
- `next`: Callback function called with err and the retrieved client data object
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.