slavab89 / oauth2-server-example-mongodb

Example for using node-oauth2-server with a mongodb backend
MIT License

How to create a correct user authentication flow #1

Open slavab89 opened 7 years ago

slavab89 commented 7 years ago

So after creating a working example for this, I now need to start working with it :) The question is: what is the correct flow?

My architecture is going to be something like the following: https://dglozic.files.wordpress.com/2014/10/micro-authentication.png Meaning that I'll have a web application that's running on some Node.js server, and I'll have this project on a different server that should take care of user authentication (and later on services).

So how will it work? Say I'm going into my site for the first time. Obviously I don't have an access token (as a user). So I click on the login button. Now there are 2 options:

  1. I immediately show a username and password page. Once I enter that info, a grant_type=password request will be sent with the client_id and client_secret of the Node.js server that the web application runs on.
  2. I send a response_type=code request, and because I don't have any additional authorization header I will not be redirected to the redirect_url; instead I'll be redirected to a login page that's hosted on... (the web application server??). It will ask me to enter a username and password, triggering a grant_type=password request that will get me the access_token, and then send the response_type=code request again (?!) and continue with grant_type=authorization_code to get the access token that I already have?!

Option 2 seems to be impossible and incorrect, but then I don't see when I will need to use the response_type=code request.

I might be totally off in my thinking, and I will really be glad if someone could straighten things up for me.

ngoyal16 commented 7 years ago

I am trying to create an OAuth2-driven web API using node-oauth2-server. Can you help me implement it?

slavab89 commented 7 years ago

@ngoyal16 What do you need? The example I have here is a complete working one using node-oauth2-server with mongoose (MongoDB) as the DB...

ngoyal16 commented 7 years ago

@slavab89 It does not have login/authorize pages. To get user access, the client application has to pass the username and password of the user.

ngoyal16 commented 7 years ago

nitingoyal95@live.com is my Skype id.

slavab89 commented 7 years ago

No, it does not have authentication pages. OAuth2 is just for authorization, not for authentication. If you don't have any of them, then you can try to go for OpenID Connect (that's what I did in the end), which combines both OAuth2 and OpenID (authorization & authentication) in one service, giving you everything you need.

ngoyal16 commented 7 years ago

I want to create my own OAuth service, so that I can integrate other applications that can use it to log in, and the user can authorize them to access the profile, like Facebook login and Google login.

slavab89 commented 7 years ago

You can use something like https://github.com/panva/node-oidc-provider then. It is basically a server for OpenID Connect that has login + authorization.

The person who wrote it also has a client that integrates with it from the other side: https://github.com/panva/node-openid-client

See his examples and working page on how to set this up.

I've ended up using it because it provides authentication (login) & authorization, the same flow as when you log in to Google.

ngoyal16 commented 7 years ago

I want to set up my own OAuth system like Google OAuth and Facebook OAuth, where a user can also authorize the application. OpenID provides the feature to integrate multiple OAuth services into a single point, but this is not my requirement.

ngoyal16 commented 7 years ago

Like this: https://github.com/mekentosj/oauth2-example/tree/master/views

slavab89 commented 7 years ago

First of all, I think you can ask this as a general question on Stack Overflow or something. Secondly, the example that you showed me implements the oauth2-server with session management. So if I understood you correctly, you might want to use the authenticateHandler, which I've left kind of open and unused, to get the user out of the session. If there is no user in the session, then you will want to redirect to a login page. Once the login is done, you want to go back and do the authorization again. If you're asking where to put the views (pages): the authorization page you put before you call authorize (if the user is logged in), and the login page you call if there is no user in the session.

You might want to check out those issues, because they explain a bit more how the flow should work: https://github.com/oauthjs/node-oauth2-server/issues/264 https://github.com/oauthjs/node-oauth2-server/issues/314

ngoyal16 commented 7 years ago

I cloned the repo to my server, but I am getting an error: invalid_token: Invalid token: access token is invalid

It is not allowing me to run any other grant_type, so I am not able to get the access_token either.