Satellizer and Passport integration?

I have been reviewing authentication & authorization solutions for my AngularJS application, which talks to the server through a REST API. I found two interesting candidates:

Passport has a great design and a really clean API, nice work! Unfortunately, it does not provide a good user experience as it relies on client-side redirection for performing authentication with external providers.

Why not use the best of both worlds, Satellizer for client-side authentication and Passport for backend token exchange and API request authorization? Because Passport needs to be decoupled from any unnecessary client redirection.

After digging into the source code, I found that passport-oauth2 expects the auth code to be present as a query param in the callback URL (https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js#L140). Satellizer can call the same callback URL but uses POST and body data (https://github.com/sahat/satellizer/blob/master/satellizer.js#L494), which imho is a clean way to delegate access token retrieval to the server.

It would be awesome if this access token exchange logic could be extracted as another Passport middleware, i.e. passport.exchange(...), which would be responsible for retrieving the auth code from the request (using query params or body data), exchanging it for an access token and fetching user profile data.

I believe that the effort to refactor Passport and keep backwards compatibility would be minimal. Decoupling Passport from the client would allow nice integration with 3rd-party libraries (see an example below) as requested by some other users (https://github.com/jaredhanson/passport/issues/334, https://github.com/jaredhanson/passport/issues/318, https://github.com/jaredhanson/passport/issues/336, ...).
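The following is an added example (not code from Passport, passport-oauth2 or Satellizer) sketching what the proposed exchange middleware could look like in plain Node.js: it takes the authorization code either from the query string (the redirect flow) or from a POST body (the Satellizer-style flow), exchanges it server-side for an access token, fetches the profile, and hands both to the next handler. `makeExchange`, the `provider.tokenRequest`/`provider.profileRequest` callbacks, the config field names and the fake provider are all assumptions made for the example, not an existing Passport API. The security-relevant detail it demonstrates is that the `redirect_uri` and client secret sent to the provider come from server configuration, never from the request body, so a client cannot steer the exchange toward another callback.

```javascript
// Added example: an "exchange" middleware in the shape the issue proposes.
// Nothing here is Passport/Satellizer code; names are invented for illustration.

// Pull the authorization code from wherever the client put it: query string
// (classic redirect callback) or JSON body (client-side library POSTing the code).
function getAuthCode(req) {
  const fromQuery = req.query && req.query.code;
  const fromBody = req.body && req.body.code;
  const code = typeof fromQuery === 'string' ? fromQuery : fromBody;
  return typeof code === 'string' && code.length > 0 ? code : null;
}

// Build the token request. redirect_uri and client_secret are taken from the
// server's own config, never from the request: the provider compares redirect_uri
// with the one used at the authorization step, and the secret never reaches a browser.
function buildTokenRequest(code, config) {
  return {
    grant_type: 'authorization_code',
    code,
    redirect_uri: config.callbackURL,
    client_id: config.clientID,
    client_secret: config.clientSecret,
  };
}

// Express-style middleware factory (hypothetical name). `provider` supplies the
// two network calls so the example can run offline against a fake.
function makeExchange(config, provider) {
  return async function exchange(req, res, next) {
    const code = getAuthCode(req);
    if (code === null) {
      res.statusCode = 400;
      return res.end('missing authorization code');
    }
    try {
      const token = await provider.tokenRequest(buildTokenRequest(code, config));
      const profile = await provider.profileRequest(token.access_token);
      req.user = profile;      // consumed by whatever issues the session or API token
      req.authInfo = token;
      return next();
    } catch (err) {
      return next(err);        // invalid_grant, invalid_client, network failure, ...
    }
  };
}

// Constructed fake standing in for a real OAuth 2.0 token endpoint and profile endpoint.
// Codes are single-use, so a replayed code fails with invalid_grant as a real provider would.
function fakeProvider() {
  const codes = new Map([['code-abc', { access_token: 'at-1', token_type: 'Bearer' }]]);
  const profiles = { 'at-1': { id: '42', displayName: 'Ada' } };
  return {
    async tokenRequest(params) {
      if (params.client_secret !== 's3cret' ||
          params.redirect_uri !== 'https://app.example/auth/callback') {
        throw new Error('invalid_client');
      }
      const token = codes.get(params.code);
      if (!token) throw new Error('invalid_grant');
      codes.delete(params.code);
      return token;
    },
    async profileRequest(accessToken) {
      const profile = profiles[accessToken];
      if (!profile) throw new Error('unauthorized');
      return profile;
    },
  };
}

// Drive the middleware with a hand-built request and report what it did.
async function runExchange(exchange, req) {
  const res = { statusCode: 200, body: '', end(s) { this.body = s || ''; } };
  let outcome = 'halted';
  await exchange(req, res, (err) => { outcome = err ? 'error:' + err.message : 'next'; });
  return { status: res.statusCode, outcome, user: req.user || null };
}

const config = {
  clientID: 'app',
  clientSecret: 's3cret',
  callbackURL: 'https://app.example/auth/callback',
};

async function demo() {
  const exchange = makeExchange(config, fakeProvider());
  // Satellizer-style POST: code in the body; a client-supplied redirectUri is ignored.
  const viaBody = await runExchange(exchange, { query: {}, body: { code: 'code-abc', redirectUri: 'https://evil.example/' } });
  // Replaying the same code through the query string is rejected by the provider.
  const replay = await runExchange(exchange, { query: { code: 'code-abc' }, body: {} });
  const missing = await runExchange(exchange, { query: {}, body: {} });
  return { viaBody, replay, missing };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real app the middleware would sit in front of the handler that issues the session or API token, e.g. `app.post('/auth/callback', exchange, issueToken)`, with `provider` backed by HTTPS calls to the identity provider. The example deliberately does not cover the `state` (CSRF) check of the authorization step; whatever replaces the redirect-based flow still needs an equivalent binding between the request that started the login and the request that delivers the code.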