
OAuth 2.0 : Can't provide none user data to callback #60

Open
axellebot opened this issue Jan 6, 2019 · 3 comments

Comments

@axellebot

axellebot commented Jan 6, 2019

Hey !

According to the OAuth 2.0 RFC, we can use an "access token" to authenticate a client with grant_type="client_credentials",
but passport-http-bearer is only compatible with user authentication.

Expected behavior

  • Can provide non-user data in the callback
  • Can provide client data in the callback

Actual behavior

  • Can only provide user data in the callback, and it can't be set to null
  • Cannot provide client data in the callback

Example

const passport = require('passport');
const BearerStrategy = require('passport-http-bearer').Strategy;
// db, TokenAuthenticationError and TokenExpiredError are the application's own

passport.use(new BearerStrategy(async (token, done) => {
  try {
    console.log("Authenticate Bearer", token);
    // Look up the access token together with the user and client it was issued to
    var accessToken = await db.oauthAccessTokens.findOne({
        token: token
      })
      .populate('user')
      .populate('client');

    if (!accessToken) throw new TokenAuthenticationError();
    console.log("accessToken", accessToken);
    if (accessToken.expires && Date.now() > accessToken.expires) throw new TokenExpiredError();

    var scopes = [];

    // Only authenticate USER HERE
    if (accessToken.user) {
      Array.prototype.push.apply(scopes, await accessToken.user.getScopes());
      return done(null, true, {
        scopes: scopes,
      });
    }

    // Only authenticate CLIENT HERE
    if (accessToken.client) Array.prototype.push.apply(scopes, await accessToken.client.scopes);
    return done(null, null, {
      scopes: scopes,
      client: accessToken.client,
    }); // "Unauthorized" because the user field is set to null

  } catch (err) {
    done(err);
  }
}));
@axellebot axellebot changed the title OAuth 2.0 : Can't provide client data OAuth 2.0 : Can't provide none user data to callback Jan 6, 2019
@mk-pmb

mk-pmb commented Jan 7, 2019

Thanks for reporting! Totally off-topic: Is there a special reason why you call the Array methods that verbosely? Also if you have error messages related to the Actual behavior please add them, to help search engines find this issue.

@axellebot
Author

axellebot commented Jan 8, 2019

> Thanks for reporting! Totally off-topic: Is there a special reason why you call the Array methods that verbosely? Also if you have error messages related to the Actual behavior please add them, to help search engines find this issue.

I'm using Array.push.apply(arr1, arr2) (according to developer.mozilla) because using arr1.push.apply(arr1, arr2) can be misunderstood.

I'm waiting for acknowledgement from the creator or others, because I want to be sure before adding this behavior, and I don't know how to add this behavior without breaking current behaviors ...

Because I want to implement it so that we can use the done() callback like this:

// With user (without client)
done(null, user, null, {
  scopes: scopes
});

// With client (without user)
done(null, null, client, {
  scopes: scopes
});

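The following is an added example, not code from passport-http-bearer or from the issue author. It covers both points raised above: the original report, where a client_credentials token is rejected because the strategy's done(err, principal, info) contract treats a falsy principal as "unauthorized", and the four-argument done(err, user, client, info) signature proposed in the reply. The token store, scope names, principal shape and helper names (verifyBearer, verifyBearerProposed, withClientArg, runVerify, hasScope) are all constructed for the example.

```javascript
// Added example (not from passport-http-bearer or the issue author).
// (1) A verify callback that accepts client_credentials tokens under the
//     existing done(err, principal, info) contract by handing passport a
//     principal object that describes the client when no user is attached.
// (2) An adapter that runs a callback written against the proposed
//     done(err, user, client, info) signature without changing the library.

// Constructed sample token store; a real application would query its database.
const TOKENS = {
  'user-token-1':   { user: { id: 'u1', scopes: ['profile:read'] },
                      client: { id: 'c1', scopes: ['reports:read'] }, expires: null },
  'client-token-1': { user: null,
                      client: { id: 'c2', scopes: ['reports:read', 'reports:write'] }, expires: null },
  'expired-token':  { user: null,
                      client: { id: 'c2', scopes: ['reports:read'] }, expires: 1 }, // epoch ms, long past
};

// Verify callback in the strategy's current shape. Passport treats a falsy
// second argument to done() as "no credentials" (HTTP 401), so a client-only
// token returns a principal object for the client instead of null.
function verifyBearer(token, done) {
  const record = TOKENS[token];
  if (!record) return done(null, false);
  if (record.expires && Date.now() > record.expires) {
    return done(null, false, { message: 'token expired' });
  }
  if (record.user) {
    return done(null, { kind: 'user', id: record.user.id },
                { scopes: record.user.scopes.slice(), clientId: record.client.id });
  }
  // client_credentials grant: there is no resource owner, so the client is the principal
  return done(null, { kind: 'client', id: record.client.id },
              { scopes: record.client.scopes.slice(), clientId: record.client.id });
}

// Verify callback written against the signature proposed in this thread,
// done(err, user, client, info). The strategy cannot consume it directly.
function verifyBearerProposed(token, done) {
  const record = TOKENS[token];
  if (!record) return done(null, null, null);
  if (record.expires && Date.now() > record.expires) return done(null, null, null);
  const scopes = record.user ? record.user.scopes.slice() : record.client.scopes.slice();
  return done(null, record.user, record.client, { scopes });
}

// Adapter: wraps a proposed-style callback so it satisfies the current
// three-argument contract. The client becomes the principal only when no
// user is present; its id is exposed through info either way.
function withClientArg(verify4) {
  return function verify3(token, done) {
    verify4(token, (err, user, client, info) => {
      if (err) return done(err);
      if (!user && !client) return done(null, false);
      const principal = user ? { kind: 'user', id: user.id } : { kind: 'client', id: client.id };
      done(null, principal, Object.assign({}, info, { clientId: client ? client.id : null }));
    });
  };
}

// Minimal stand-in for the part of passport that consumes done(), so the
// callbacks above can be exercised without an HTTP server. It returns what a
// route would see as req.user / req.authInfo plus the resulting status.
// (The callbacks here call done() synchronously; passport also accepts async ones.)
function runVerify(verify, token) {
  let result = null;
  verify(token, (err, principal, info) => {
    if (err) throw err;
    result = principal
      ? { status: 200, principal, info: info || {} }
      : { status: 401, principal: null, info: info || {} };
  });
  if (!result) throw new Error('verify callback did not call done() synchronously');
  return result;
}

// Scope check a route would apply after authentication; works for either principal kind.
function hasScope(auth, required) {
  return auth.status === 200 && auth.info.scopes.includes(required);
}
```

With this arrangement a route can distinguish the two cases through req.user.kind and still enforce scopes uniformly, which is the practical workaround until the strategy grows a way to pass client data on its own.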
@dmitrizagidulin

@axellebot +1, fwiw I think this is a great feature to add. (I'm also using this strategy solely for client_credentials type grants.)
