expressjs / session

Simple session middleware for Express
MIT License

Looking for a solution to store OAuth 2 access tokens and exchange with client requests #253

Closed parky128 closed 8 years ago

parky128 commented 8 years ago

I have recently come across this library which sounds like what I may need for my Express app to securely store access tokens for logged in users from an OAuth 2 server.

I don't want access tokens being returned back to the client, but after a user has successfully logged in and their token has been returned from the OAuth 2 server, the token must be used for subsequent requests, set as an Authorization bearer header.

So looking at this library, do I understand correctly that the token can be saved in a store that Express can access, e.g. MongoDB, Redis? And a session cookie can then be used in subsequent requests by the client and used by Express to retrieve the token from this store?

I'm pretty new to using Express and safely using tokens, so please excuse my ignorance.

I'm just struggling to find any worked examples out there that can give me proper guidance; this library seems to be a potential solution.

Can someone kindly give me some further advice please?

gabeio commented 8 years ago

> So looking at this library, do I understand correctly that the token can be saved in a store that Express can access, e.g. mongoDB, Redis. And a session cookie can then be used which is then used in subsequent request by the client and used by Express to retrieve from this store?

Yes, you can store the OAuth2 tokens using this library in redis/mongo/etc. and the "key" given to the user is completely random and meaningless. In addition, you can also have the cookies signed so if they try to change the random value the server knows it didn't give it to them. And finally, we use a large enough random token that it should be a long time before a hacker could guess another valid random token.

> Can someone kindly give me some further advice please?

You may also want to look at Passport, which has OAuth2 support along with a variety of other cross-site auths. Passport works with session.

parky128 commented 8 years ago

Thanks for the reply, I really appreciate your time.

The flow I think I now need for my application is as follows:

I already have the first two points working in my setup; we have a separate API server that supports OAuth 2 using the resource owner password credentials grant type requests (I can't see any such Passport strategy for this type). The remaining steps, given what you have now said and reading back over the docs, I believe can all be achieved using express-session and a configured store (mongo, redis, etc.) alone.

I don't see what extra benefits Passport would give, I find their docs quite hard to follow!

gabeio commented 8 years ago

Passport would handle the OAuth for you if you haven't already built it in; otherwise just use sessions. I was just suggesting alternative routes :smile:. The only other reason why you might want to take a second to try Passport would be if you ever planned on using another auth provider like OpenID or JWT (just for other examples); Passport makes it pretty simple to allow any of those to nearly be swap and done... (or at least it looks that simple, though I have to agree their docs are kinda hard to find certain things in, though since I last looked they are better)

parky128 commented 8 years ago

Ok thanks again for your time, much appreciated! :)