
How to create a correct user authentication flow #1

Open
slavab89 opened this issue Mar 8, 2017 · 11 comments

Comments

@slavab89
Owner

slavab89 commented Mar 8, 2017

So after creating a working example for this I now need to start working with it :)
The question is what the correct flow is.

My architecture is going to be something like the following:
https://dglozic.files.wordpress.com/2014/10/micro-authentication.png
Meaning that I'll have a web application that's running on some Node.js server, and I'll have this project on a different server that should take care of user authentication (and later on services).

So how will it work? Say I'm going into my site for the first time. Obviously I don't have an access token (as a user). So I click on the login button. Now there are 2 options:

  1. I immediately show a username and password page.
     Once I enter that info, a grant_type=password request will be sent with a client_id and client_secret of the Node.js server that the web application runs on.
  2. I send a response_type=code request, and because I don't have any additional authorization header I will not be redirected to the redirect_url; instead I'll be redirected to a login page that's hosted on... (the web application server??)
     It will ask me to enter a username and password, triggering a grant_type=password request that will get me the access_token and send the response_type=code request again (?!) and continue with grant_type=authorization_code to get the access token that I already have?!

Option 2 seems to be impossible and incorrect, but then I don't see when I will need to use the response_type=code request.

I might be totally off in my thinking and I will really be glad if someone could straighten things up for me.

@ngoyal16

ngoyal16 commented Mar 19, 2017

I am trying to create an OAuth2-driven web API using node-oauth2-server.
Can you help me in implementing it?

@slavab89
Owner Author

@ngoyal16 What do you need?
The example I have here is a complete working one using node-oauth2-server with a mongoose (MongoDB) DB...

@ngoyal16

@slavab89 It does not have login/authorize pages. To get access for the user, the client application has to pass the username and password of the user.

@ngoyal16

nitingoyal95@live.com is my skype id..

@slavab89
Owner Author

No, it does not have authentication pages.
OAuth2 is just for authorization, not for authentication. If you don't have any of them then you can try OpenID Connect (that's what I did in the end), which combines both OAuth2 and OpenID (authorization & authentication) in one service, giving you everything you need.

@ngoyal16

I want to create my own OAuth service, so that I can integrate other applications that can use it to log in, and users can authorize them to access the profile, like Facebook login or Google login.

@slavab89
Owner Author

You can use something like https://github.com/panva/node-oidc-provider then.
It is basically a server for OpenID Connect that has login + authorization.

The person who wrote it also has a client that integrates with it from the other side:
https://github.com/panva/node-openid-client

See his examples and working page on how to set this up.

I've ended up using it because it provides authentication (login) & authorization; the same flow as when you log in to Google.

@ngoyal16

I want to set up my own OAuth system like Google OAuth and Facebook OAuth, where a user can also authorize the application. OpenID provides the feature to integrate multiple OAuth services into a single point, but this is not my requirement.

@ngoyal16

@slavab89
Owner Author

First of all, I think you can ask this as a general question on Stack Overflow or something.
Secondly, the example that you showed me implements the oauth2-server with session management.
So if I understood you correctly, you might want to use the authenticateHandler, which I've left kind of open and unused, to get the user out of the session. If there is no user in the session then you will want to redirect to a login page.
Once the login is done, you want to go back and do the authorization again.
If you're asking where to put the views (pages): the authorization page you put before you call authorize (if the user is logged in), and the login page you call if there is no user in the session.

You might want to check those issues out because they explain a bit more how the flow should work:
oauthjs/node-oauth2-server#264
oauthjs/node-oauth2-server#314

@ngoyal16

ngoyal16 commented Mar 23, 2017

I cloned the repo to my server but I am getting an error:
invalid_token: Invalid token: access token is invalid

It is not allowing me to run any other grant_type, so I am not able to get the access_token as well.
