No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


OAuth 2.0 public client authentication strategy for Passport.

This module lets you identify requests containing a client_id in the request body, as defined by the OAuth 2.0 specification. This approach is typically used as an alternative when HTTP Basic authentication because the client was not issued any credentials on registration (most likely because it is in a category of clients that are not able to reliably keep their secrets).


$ npm install passport-oauth2-public-client


Configure Strategy

The OAuth 2.0 public client "authentication" strategy identifies clients using only a claimed client ID. The strategy requires a verifyPublic callback, which accepts that ID and calls done providing a client.

passport.use(new PublicClientStrategy(
  function(clientId, done) {
    Clients.findOne({ clientId: clientId }, function (err, client) {
      if (err) { return done(err); }
      if (!client) { return done(null, false); }
      // Client was issued credentials, and must authenticate with them
      if (client.clientSecret) { return done(null, false); }
      return done(null, client);

Authenticate Requests

Use passport.authenticate(), specifying the 'oauth2-public-client' strategy, to "authenticate" requests. This strategy is typically used in combination with HTTP Basic authentication (as provided by passport-http) and OAuth2 Client Password (as provided by passport-oauth2-client-password), allowing clients without credentials to exchange authorization codes for access tokens.

For example, as route middleware in an Express application, using OAuth2orize middleware to implement the token endpoint:'/oauth/token', 
  passport.authenticate(['basic', 'oauth2-client-password', 'oauth2-public-client'], { session: false }),


$ npm install --dev
$ make test

Build Status



The MIT License

Copyright (c) 2012-2013 Jared Hanson <> Copyright (c) 2013 Tim Shadel <>