Now available at: https://gitlab.com/dpankros/passport-oauth2-resource-owner-password
> "The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
>
> This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token." RFC 6749 (OAuth 2.0) at p. 37
### ResourceOwnerStrategy(options, verify)

- `options` (optional) - can include `passReqToCallback` - Whether to pass the request object as the first argument of the verify function
- `verify` (required) - See description below

#### verify([req], clientId, clientSecret, username, password, verified)

- `req` (optional) - Only present if `passReqToCallback` was set in the constructor options. The request that started this verify
- `clientId` - A client id that was provided by the client, if any
- `clientSecret` - The client secret that was provided by the client, if any
- `username` - The username that was provided by the client
- `password` - The password that was provided by the client
- `verified` - A function of the type `func(error, client, user, info)`
  - `error` (Error) - an error object, if an exception occurred
  - `client` (Required) - a client object. If there is no client, `{}` is acceptable
  - `user` (Required) - a user object
  - `info` (Optional) - any additional information that should be passed back to the client. Examples include:
    - `created_at` - a timestamp indicating when the token was created
    - `expires` - a timestamp indicating when the token will expire
    - `expires_in` - a duration in seconds indicating the TTL (time to live) of the token
```javascript
passport.use(
  'oauth2-resource-owner-password',
  new ResourceOwnerStrategy(
    async (clientId, clientSecret, username, password, done) => {
      // getClient, getUser and verifyUserPassword are the application's own lookups.
      let client = { id: null, secret: null };
      try {
        if (clientId) {
          client = await getClient(clientId, clientSecret); // fetch the client
          if (!client) {
            return done(null, null, null); // unknown client or wrong secret
          }
        }
        const user = await getUser(username);
        if (!user) {
          return done(null, null, null);
        }
        const passwordMatches = verifyUserPassword(password, user);
        if (!passwordMatches) {
          return done(null, null, null);
        }
        return done(null, client, user);
      } catch (err) {
        return done(err);
      }
    },
  ),
);
```
> "If the authorization server issued a refresh token to the client, the client [may make] a refresh request to the token endpoint" RFC 6749 at p. 43
### RefreshTokenStrategy(options, verify)

- `options` (optional) - can include `passReqToCallback` - Whether to pass the request object as the first argument of the verify function
- `verify` (required) - See description below

#### verify([req], clientId, clientSecret, refreshToken, verified)

- `req` (optional) - Only present if `passReqToCallback` was set in the constructor options. The request that started this verify
- `clientId` - A client id that was provided by the client, if any
- `clientSecret` - The client secret that was provided by the client, if any
- `refreshToken` - The refresh token that was issued to the client
- `verified` - A function of the type `func(error, client, authCode, info)`
  - `error` (Error) - an error object, if an exception occurred
  - `client` (Required) - a client object. If there is no client, `{}` is acceptable
  - `authCode` (Required) - an object representative of the access code/refresh token
  - `info` (Optional) - any additional information that should be passed back to the client. Examples include:
    - `created_at` - a timestamp indicating when the token was created
    - `expires` - a timestamp indicating when the token will expire
    - `expires_in` - a duration in seconds indicating the TTL (time to live) of the token
```javascript
passport.use(
  'oauth2-refresh-token',
  new RefreshTokenStrategy(
    async (clientId, clientSecret, refreshToken, done) => {
      // getClient and getAuthorizationCode are the application's own lookups.
      let client = { id: null, secret: null };
      try {
        if (clientId) {
          client = await getClient(clientId, clientSecret);
          if (!client) {
            return done(null, null, null); // unknown client or wrong secret
          }
        }
        // Look the token up together with the client it was issued to.
        const authCode = await getAuthorizationCode(clientId, refreshToken);
        if (!authCode || authCode.isExpired()) {
          return done(null, null, null);
        }
        return done(null, client, authCode);
      } catch (err) {
        return done(err);
      }
    },
  ),
);
```
Based upon passport-oauth2-resource-owner-password, which is now at git.daplie.com/coolaj86/passport-oauth2-resource-owner-password; but since the original author marked it as having moved homes, and the new home was a dead link, I decided to update it from the last available version, fixing at least one bug and adding the refresh token strategy.