{"id":13459180,"url":"https://github.com/jaredhanson/oauth2orize","last_synced_at":"2025-05-12T15:25:44.747Z","repository":{"id":3873939,"uuid":"4960119","full_name":"jaredhanson/oauth2orize","owner":"jaredhanson","description":"OAuth 2.0 authorization server toolkit for Node.js.","archived":false,"fork":false,"pushed_at":"2024-04-12T12:46:09.000Z","size":607,"stargazers_count":3494,"open_issues_count":75,"forks_count":469,"subscribers_count":100,"default_branch":"master","last_synced_at":"2025-05-09T05:04:51.997Z","etag":null,"topics":["express","oauth2","oauth2orize"],"latest_commit_sha":null,"homepage":"https://www.oauth2orize.org?utm_source=github\u0026utm_medium=referral\u0026utm_campaign=oauth2orize","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jaredhanson.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"jaredhanson","patreon":"jaredhanson","ko_fi":"jaredhanson"}},"created_at":"2012-07-09T15:26:52.000Z","updated_at":"2025-05-07T08:56:53.000Z","dependencies_parsed_at":"2023-10-14T20:56:48.627Z","dependency_job_id":"aa9b3c9f-3133-4c56-a9a6-cd1f77a1d8c7","html_url":"https://github.com/jaredhanson/oauth2orize","commit_stats":{"total_commits":435,"total_committers":24,"mean_commits":18.125,"dds":0.09885057471264369,"last_synced_commit":"1ffdd85feea087e478e748e1d59f7e7821853cfb"},"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaredhanson%2Foauth2orize","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaredhanson%2Foauth2orize/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaredhanson%2Foauth2orize/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jaredhanson%2Foauth2orize/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jaredhanson","download_url":"https://codeload.github.com/jaredhanson/oauth2orize/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253729914,"owners_count":21954718,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["express","oauth2","oauth2orize"],"created_at":"2024-07-31T09:01:08.821Z","updated_at":"2025-05-12T15:25:44.720Z","avatar_url":"https://github.com/jaredhanson.png","language":"JavaScript","readme":"# OAuth2orize\n\nOAuth2orize is an authorization server toolkit for Node.js.  It provides a suite\nof middleware that, combined with [Passport](http://passportjs.org/)\nauthentication strategies and application-specific route handlers, can be used\nto assemble a server that implements the [OAuth 2.0](http://tools.ietf.org/html/rfc6749)\nprotocol.\n\nStatus:\n[![Build](https://img.shields.io/travis/jaredhanson/oauth2orize.svg)](https://travis-ci.org/jaredhanson/oauth2orize)\n[![Coverage](https://img.shields.io/coveralls/jaredhanson/oauth2orize.svg)](https://coveralls.io/r/jaredhanson/oauth2orize)\n[![Dependencies](https://img.shields.io/david/jaredhanson/oauth2orize.svg)](https://david-dm.org/jaredhanson/oauth2orize)\n\n\n## Install\n\n    $ npm install oauth2orize\n\n## Usage\n\nOAuth 2.0 defines an authorization framework, allowing an extensible set of\nauthorization grants to be exchanged for access tokens.  Implementations are\nfree to choose what grant types to support, by using bundled middleware to\nsupport common types or plugins to support extension types.\n\n#### Create an OAuth Server\n\nCall `createServer()` to create a new OAuth 2.0 server.  This instance exposes\nmiddleware that will be mounted in routes, as well as configuration options.\n\n```javascript\nvar oauth2orize = require('oauth2orize');\n\nvar server = oauth2orize.createServer();\n```\n\n#### Register Grants\n\nA client must obtain permission from a user before it is issued an access token.\nThis permission is known as a grant, the most common type of which is an\nauthorization code.\n\n```javascript\nserver.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done) {\n  var code = utils.uid(16);\n\n  var ac = new AuthorizationCode(code, client.id, redirectURI, user.id, ares.scope);\n  ac.save(function(err) {\n    if (err) { return done(err); }\n    return done(null, code);\n  });\n}));\n```\n\nOAuth2orize also bundles support for implicit token grants.\n\n#### Register Exchanges\n\nAfter a client has obtained an authorization grant from the user, that grant can\nbe exchanged for an access token.\n\n```javascript\nserver.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {\n  AuthorizationCode.findOne(code, function(err, authCode) {\n    if (err) { return done(err); }\n    // Unknown code, or a code bound to a different client or redirect URI, is rejected.\n    if (!authCode) { return done(null, false); }\n    if (client.id !== authCode.clientId) { return done(null, false); }\n    if (redirectURI !== authCode.redirectUri) { return done(null, false); }\n\n    var token = utils.uid(256);\n    var at = new AccessToken(token, authCode.userId, authCode.clientId, authCode.scope);\n    at.save(function(err) {\n      if (err) { return done(err); }\n      return done(null, token);\n    });\n  });\n}));\n```\n\nOAuth2orize also bundles support for password and client credential grants.\nAdditionally, bundled refresh token support allows expired access tokens to be\nrenewed.\n\n#### Implement Authorization Endpoint\n\nWhen a client requests authorization, it will redirect the user to an\nauthorization endpoint.  The server must authenticate the user and obtain\ntheir permission.\n\n```javascript\napp.get('/dialog/authorize',\n  login.ensureLoggedIn(),\n  server.authorize(function(clientID, redirectURI, done) {\n    Clients.findOne(clientID, function(err, client) {\n      if (err) { return done(err); }\n      if (!client) { return done(null, false); }\n      // The redirect URI supplied by the client must match the one registered for it.\n      if (client.redirectURI !== redirectURI) { return done(null, false); }\n      return done(null, client, client.redirectURI);\n    });\n  }),\n  function(req, res) {\n    res.render('dialog', { transactionID: req.oauth2.transactionID,\n                           user: req.user, client: req.oauth2.client });\n  });\n```\n\nIn this example, [connect-ensure-login](https://github.com/jaredhanson/connect-ensure-login)\nmiddleware is being used to make sure a user is authenticated before\nauthorization proceeds.  At that point, the application renders a dialog\nasking the user to grant access.  The resulting form submission is processed\nusing `decision` middleware.\n\n```javascript\napp.post('/dialog/authorize/decision',\n   login.ensureLoggedIn(),\n   server.decision());\n```\n\nBased on the grant type requested by the client, the appropriate grant\nmodule registered above will be invoked to issue an authorization code.\n\n#### Session Serialization\n\nObtaining the user's authorization involves multiple request/response pairs.\nDuring this time, an OAuth 2.0 transaction will be serialized to the session.\nClient serialization functions are registered to customize this process, which\nwill typically be as simple as serializing the client ID, and finding the client\nby ID when deserializing.\n\n```javascript\nserver.serializeClient(function(client, done) {\n  return done(null, client.id);\n});\n\nserver.deserializeClient(function(id, done) {\n  Clients.findOne(id, function(err, client) {\n    if (err) { return done(err); }\n    return done(null, client);\n  });\n});\n```\n\n#### Implement Token Endpoint\n\nOnce a user has approved access, the authorization grant can be exchanged by the\nclient for an access token.\n\n```javascript\napp.post('/token',\n  passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),\n  server.token(),\n  server.errorHandler());\n```\n\n[Passport](http://passportjs.org/) strategies are used to authenticate the\nclient, in this case using either an HTTP Basic authentication header (as\nprovided by [passport-http](https://github.com/jaredhanson/passport-http)) or\nclient credentials in the request body (as provided by\n[passport-oauth2-client-password](https://github.com/jaredhanson/passport-oauth2-client-password)).\n\nBased on the grant type issued to the client, the appropriate exchange module\nregistered above will be invoked to issue an access token.  If an error occurs,\n`errorHandler` middleware will format an error response.\n\n#### Implement API Endpoints\n\nOnce an access token has been issued, a client will use it to make API requests\non behalf of the user.\n\n```javascript\napp.get('/api/userinfo',\n  passport.authenticate('bearer', { session: false }),\n  function(req, res) {\n    res.json(req.user);\n  });\n```\n\nIn this example, bearer tokens are issued, which are then authenticated using\nan HTTP Bearer authentication header (as provided by [passport-http-bearer](https://github.com/jaredhanson/passport-http-bearer)).\n\n## Examples\n\nThis [example](https://github.com/gerges-beshay/oauth2orize-examples) demonstrates\nhow to implement an OAuth service provider, complete with protected API access.\n\n## Related Modules\n\n- [oauth2orize-openid](https://github.com/jaredhanson/oauth2orize-openid) — Extensions to support OpenID Connect\n- [oauth2orize-jwt-bearer](https://github.com/xtuple/oauth2orize-jwt-bearer) — Exchange JWT assertions for access tokens\n- [passport-http-bearer](https://github.com/jaredhanson/passport-http-bearer) — Bearer token authentication strategy for APIs\n\n## Debugging\n\noauth2orize uses the [debug module](https://www.npmjs.org/package/debug).  You can enable debugging messages on the console by doing `export DEBUG=oauth2orize` before running your application.\n\n## License\n\n[The MIT License](http://opensource.org/licenses/MIT)\n\nCopyright (c) 2012-2021 Jared Hanson \u003c[https://www.jaredhanson.me/](https://www.jaredhanson.me/)\u003e\n","funding_links":["https://github.com/sponsors/jaredhanson","https://patreon.com/jaredhanson","https://ko-fi.com/jaredhanson"],"categories":["JavaScript","Web 后端","express","Implementations(Examples/Demos)","Authentication and Authorization"],"sub_categories":["Invalidating JWT"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjaredhanson%2Foauth2orize","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjaredhanson%2Foauth2orize","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjaredhanson%2Foauth2orize/lists"}