
I am having some issues understanding how to implement the Resource Owner Password Flow with oauth2orize and passport.js, specifically with the transmission of the client_id and the client_secret, so that I can do some checks on the client to ensure anything coming into this endpoint (/token) using the specific "password" grant type is an official application and nothing else, based on the id and secret.

When building out the solution I can get a token back, but that is before I have tried to do any validation on the client. When I try to access the client variable (posted to the endpoint) passed into the password exchange strategy, I receive the user credentials (username, password), which based on the documentation is expected, but not what I need to achieve here.

I am at a loss to understand how I get the actual client credentials. I can see in the password function source code that you can provide additional options to override the default assignment to req['user'], but does that mean I have to provide some sort of code to add to the req object?

I have set up some integration tests, and here is how I am calling my endpoint (using SuperTest):

    // SuperTest client posting a form-encoded password grant to the token endpoint
    var request = require('supertest');

    request('http://localhost:43862')
        .post('/oauth/token')
        .type('form')
        .send({ grant_type: 'password' })
        .send({ client_id: 'goodClient' })
        .send({ client_secret: 'asecret' })
        .send({ username: 'good@user.com' })
        .send({ password: 'goodpassword' })
        .expect(200, done);

For some reason I seem to be completely overthinking this, and I am completely stumped....

1 Answer

As expected, this was a misunderstanding on my part: we were using the local strategy rather than ClientPasswordStrategy, and doing the user validation in the password exchange before issuing the token.

We now use ClientPasswordStrategy together with the exchange.password function; inside it we call our user API to verify the user credentials and, if they check out, issue the token.

    var passport = require('passport');
    var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
    var BearerStrategy = require('passport-http-bearer').Strategy;

    // Authenticates the client (client_id / client_secret from the form body)
    // before the password exchange runs; the value passed to next() becomes
    // the `client` argument of the exchange callback.
    passport.use(new ClientPasswordStrategy(
        function(clientId, clientSecret, next) {

            Client.verify(clientId, clientSecret, function(err, verified) {

                if (err)
                    return next(err);

                if (!verified)
                    return next(null, false);

                next(null, clientId);
            });
        }
    ));

    // Authenticates resource requests by looking up the bearer token and
    // loading the user it was issued to.
    passport.use(new BearerStrategy(
        function(token, next) {

            Token.getByToken(token, function(err, tokenObj) {

                if (err)
                    return next(err);

                if (!tokenObj)
                    return next(null, false);

                User.getByUsername(tokenObj.username, function(err, user) {

                    if (err)
                        return next(err);

                    return next(null, user, { scope: 'all' });
                });
            });
        }
    ));
Answered 2013-05-21T14:35:25.107