This page contains example code for express-oauth-server. So far I have only implemented functions and curl requests for:
- password grants
- client credentials grants
- refresh token grants
You will find the code under the ./examples folder. There is currently code for an in-memory model. I hope you find it useful for understanding the OAuth 2.0 protocol and, last but not least, the express-oauth-server wrapper module.
- 1 - Installation
- 2 - Curl-requests for express-oauth-server
- 3 - Access resources
- 3.1 - Access protected resource
- 3.2 - Access public resource
- 4 - Documentations used for this guide
- 5 - APPENDIX
1 - Installation
Simply run npm i and, after the installation is finished, npm run dev-memory.
2 - Curl-requests for express-oauth-server
This section goes through curl requests for interacting with the OAuth server.
This first part sends the requests with the client credentials (client_id and client_secret) in the request body.
2.1.1 Get access token via password grant [2]:
curl http://localhost:3000/oauth/token -d "grant_type=password" -d "username=freddbull" -d "password=password" -d "client_id=application" -d "client_secret=secret" -H "Content-Type: application/x-www-form-urlencoded"
{"access_token":"bdde83d3562ecc751f618a4bec0e30048bc51275","token_type":"Bearer","expires_in":3599,"refresh_token":"fbc456bb5fa4233b2601913e9d989deeb235b13f"}
2.1.2 Get access token via refresh token grant [3]:
You have to change the refresh token below to the one you got from section 2.1.1.
Example: "refresh_token=<your refresh token goes here>"
curl http://localhost:3000/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=application" -d "client_secret=secret" -d "grant_type=refresh_token" -d "refresh_token=fbc456bb5fa4233b2601913e9d989deeb235b13f"
{"access_token":"dc64ad729e7fc2d10a34b845fe28ccc103163af6","token_type":"Bearer","expires_in":3599,"refresh_token":"8ee8dd5aec0365909d01db3c6106e17e88bd87c8"}
2.1.3 Get access token via client credential grant [4]:
curl http://localhost:3000/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=application" -d "client_secret=secret"
The client credentials grant SHOULD NOT return a refresh_token [4].
{"access_token":"cd3675c962a5a4e49a50155fbb4eb06fef02a52f","token_type":"Bearer","expires_in":3599}
This part sends the curl requests with the client credentials in the request header, base64-encoded as HTTP Basic authentication [5]:
application:secret => YXBwbGljYXRpb246c2VjcmV0
=> "Authorization: Basic YXBwbGljYXRpb246c2VjcmV0"
Add "Authorization: Basic YXBwbGljYXRpb246c2VjcmV0" to the request header.
Search for an "online base64 converter" and try it yourself; don't forget the colon between the client id and the secret!
2.2.1 Get access token via password grant [2]:
curl http://localhost:3000/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic YXBwbGljYXRpb246c2VjcmV0" -d "grant_type=password" -d "username=freddbull" -d "password=password"
{"access_token":"bdde83d3562ecc751f618a4bec0e30048bc51275","token_type":"Bearer","expires_in":3599,"refresh_token":"fbc456bb5fa4233b2601913e9d989deeb235b13f"}
2.2.2 Get access token via refresh token grant [3]:
You have to change the refresh token below to the one you got from request 2.2.1.
Example: "refresh_token=<your refresh token goes here>"
curl http://localhost:3000/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic YXBwbGljYXRpb246c2VjcmV0" -d "grant_type=refresh_token" -d "refresh_token=fbc456bb5fa4233b2601913e9d989deeb235b13f"
{"access_token":"489121b45987bee9936b4f8b407ea0228a1e1e38","token_type":"Bearer","expires_in":3599,"refresh_token":"1f6d1655b3315a7f425f51412319fc2d1a113c29"}
2.2.3 Get access token via client credential grant [4]:
curl http://localhost:3000/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic YXBwbGljYXRpb246c2VjcmV0" -d "grant_type=client_credentials"
The client credentials grant SHOULD NOT return a refresh_token [4].
{"access_token":"2dce15e228e4abe76c18b70b1ba87a2ca492b2c7","token_type":"Bearer","expires_in":3599}
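The three token requests above, done from code rather than curl, as an added example that is not part of the express-oauth-server project or its ./examples folder. It builds the same POST bodies as sections 2.1 and 2.2 (credentials in the body or in a Basic Authorization header), checks the token response the way a client should before trusting it (including that a client_credentials grant carries no refresh_token), and runs offline through a constructed fake transport. The token URL, client "application"/"secret" and user "freddbull"/"password" are taken from this page; the fake server and its token strings are made up for the example, and passing the real global fetch instead sends the same requests to the demo server.

```javascript
// Added example (not part of the express-oauth-server project): a small Node.js
// client for the three token requests shown in section 2, with a constructed
// fake transport so it runs offline. Values assumed from this page: token URL,
// client "application" / secret "secret", user "freddbull" / password "password".

const TOKEN_URL = "http://localhost:3000/oauth/token";

// Section 2.2: HTTP Basic credentials are base64("client_id:client_secret").
function basicAuthHeader(clientId, clientSecret) {
  if (clientId.includes(":")) throw new Error("client_id must not contain ':'");
  const raw = Buffer.from(`${clientId}:${clientSecret}`, "utf8");
  return "Basic " + raw.toString("base64");
}

// Inverse of the above; splits on the first ':' only, so the secret may contain one.
function decodeBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header);
  if (!m) throw new Error("not a Basic Authorization header");
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const i = text.indexOf(":");
  if (i < 0) throw new Error("missing ':' between client_id and client_secret");
  return { clientId: text.slice(0, i), clientSecret: text.slice(i + 1) };
}

// Build the POST to the token endpoint. credentialsIn is "body" (section 2.1)
// or "header" (section 2.2); params carries the grant-specific fields.
function buildTokenRequest({ grantType, clientId, clientSecret, credentialsIn = "header", params = {} }) {
  const form = new URLSearchParams({ grant_type: grantType, ...params });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (credentialsIn === "header") {
    headers["Authorization"] = basicAuthHeader(clientId, clientSecret);
  } else if (credentialsIn === "body") {
    form.set("client_id", clientId);
    form.set("client_secret", clientSecret);
  } else {
    throw new Error(`unknown credentialsIn: ${credentialsIn}`);
  }
  return { url: TOKEN_URL, method: "POST", headers, body: form.toString() };
}

// Checks a client should make before trusting a token response: bearer type,
// a positive lifetime, and no refresh_token on a client_credentials grant
// (the server SHOULD NOT issue one there, as noted in 2.1.3 / 2.2.3).
function checkTokenResponse(grantType, json) {
  if (typeof json.access_token !== "string" || json.access_token.length === 0) {
    throw new Error("missing access_token");
  }
  if (String(json.token_type).toLowerCase() !== "bearer") {
    throw new Error(`unexpected token_type: ${json.token_type}`);
  }
  if (!Number.isInteger(json.expires_in) || json.expires_in <= 0) {
    throw new Error("expires_in must be a positive integer");
  }
  if (grantType === "client_credentials" && "refresh_token" in json) {
    throw new Error("refresh_token returned for client_credentials grant");
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token ?? null,
    expiresAt: Date.now() + json.expires_in * 1000,
  };
}

// Sends the request through `transport`, a fetch-compatible function; defaults
// to the global fetch (Node 18+) so the same code talks to the demo server.
async function requestToken(opts, transport = fetch) {
  const req = buildTokenRequest(opts);
  const res = await transport(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}: ${json.error ?? "unknown"}`);
  return checkTokenResponse(opts.grantType, json);
}

// Constructed stand-in for the demo server, shaped like the responses on this
// page (token strings are made up). Swap it for real fetch to hit localhost:3000.
function fakeTransport(url, init) {
  const reply = (status, body) => Promise.resolve({ status, json: async () => body });
  const form = new URLSearchParams(init.body);
  const viaHeader = init.headers["Authorization"] === basicAuthHeader("application", "secret");
  const viaBody = form.get("client_id") === "application" && form.get("client_secret") === "secret";
  if (!viaHeader && !viaBody) return reply(401, { error: "invalid_client" });
  const grant = form.get("grant_type");
  if (grant === "password" && (form.get("username") !== "freddbull" || form.get("password") !== "password")) {
    return reply(400, { error: "invalid_grant" });
  }
  const token = { access_token: `constructed-${grant}-token`, token_type: "Bearer", expires_in: 3599 };
  if (grant === "password" || grant === "refresh_token") token.refresh_token = "constructed-refresh-token";
  return reply(200, token);
}

// Walk through 2.1.1 (credentials in body), then 2.2.2 and 2.2.3 (credentials in header).
const demoClient = { clientId: "application", clientSecret: "secret" };
(async () => {
  const pw = await requestToken({ grantType: "password", credentialsIn: "body",
    params: { username: "freddbull", password: "password" }, ...demoClient }, fakeTransport);
  const rt = await requestToken({ grantType: "refresh_token",
    params: { refresh_token: pw.refreshToken }, ...demoClient }, fakeTransport);
  const cc = await requestToken({ grantType: "client_credentials", ...demoClient }, fakeTransport);
  console.log({ password: pw, refresh: rt, clientCredentials: cc });
})();
```

Run it with node; to exercise the real demo server from section 1, drop the fakeTransport argument so requestToken falls back to the global fetch. The response check rejects a refresh_token on the client_credentials grant because a refresh token for a client that can always re-authenticate with its own secret only widens the window in which a leaked token stays usable.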
3 - Access resources
3.1 - Access protected resource [6]:
You have to change the access/bearer token below to the one you got from one of the requests above.
Example: "Authorization: Bearer <your access/bearer token goes here>"
curl http://localhost:3000/secret -H "Authorization: Bearer cd3675c962a5a4e49a50155fbb4eb06fef02a52f"
Secret area
3.2 - Access public resource
curl http://localhost:3000
Public area
4 - Documentations used for this guide
[1] The OAuth 2.0 Authorization Framework
[2] Resource Owner Password Credentials Grant
[3] Refreshing an Access Token
[5] HTTP Authentication: Basic and Digest Access Authentication
[6] Accessing Protected Resources
[7] Curl man page
5 - APPENDIX
curl [options] [URL...]
- -H: adds an extra header to the request. Example: -H "Authorization: Basic YXBwbGljYXRpb246c2VjcmV0"
- -d: adds data to the request body and therefore issues a POST request. Example: -d "client_id=application"
For more information about curl please search the man pages [7].