Authentication

Authentication is the act of confirming that an attribute claimed by an entity is true. User authentication is the process by which a device verifies the identity of someone who connects to a network resource. A network administrator has many technologies available for authenticating users.

OAuth

OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. OAuth, which is pronounced “oh-auth,” allows an end user’s account information to be used by third-party services, such as Facebook, without exposing the user’s password.

OAuth 2.0 involves four grant types. Grant types indicate exactly how the third party is going to be authorized to access the resource owner’s data stored with the resource provider. Most of the grant types allow the third-party application to access the user’s data in the resource provider without that third party ever being aware of the credentials (login) of that user.

Our API will require an access token, with which third-party apps will be able to get random or specific quotes. Strictly speaking, this does not need OAuth authorization, because the quotes have nothing to do with the resource owner; it would have been a good candidate for OAuth if the users added the quotes to their own accounts and the third party needed to view and process those quotes in some way.

Grant Types in OAuth 2

Authorization Code – We have implemented this grant type in the API we will be building, so we will show live examples.

To get an authorization code the third-party has to redirect the user to the resource provider's website using the GET request method and pass three parameters: response_type=code, client_id=THE_CLIENT_ID_WITH_THE_RESOURCE_PROVIDER, and redirect_uri=URL_WHERE_THE_CODE_WILL_BE_RETURNED.

Therefore, if http://infosecinstitute.com wants to get an authorization code for our quote API it should do a GET request like this: http://localhost:9999/oauth/authorise/?response_type=code&client_id=TBrFXOaLFOlcghpA&redirect_uri=http://www.infosecinstitute.com

If the user who is redirected from infosecinstitute to our localhost:9999 is already logged in to the site on localhost:9999, he will be asked to confirm the delegation and will then be redirected to http://infosecinstitute.com with a GET parameter called code carrying the authorization code. If he is not logged in, he is redirected to the login page while the GET parameters (response_type, client_id, redirect_uri) remain intact; after he logs in and confirms that he authorizes the app to access his data, he is finally redirected to the URL given in redirect_uri with the code. InfoSec Institute can then use the code in the GET parameter to get an access token and use the quote API to get the quotes of that user and process them in any way it likes. Here is a sample result/response from our /oauth/authorise/ call if the redirect_uri is set to http://infosecinstitute.com: http://www.infosecinstitute.com/?code=f1756264ecf620d679aa625467908aa91fa59dcb

Then, the third-party app can exchange what is in the code GET parameter for an access token by sending a POST request to the resource provider containing the client id, the client secret that the third-party application received when registering itself as an app that works with the resource provider, the code itself, and a grant type of authorization_code.

Here is a request that we use in our API to get an access token from a received code.

PS C:\Users\Ivan> curl --noproxy localhost:9999 localhost:9999/oauth/token --data "client_id=pE1Qz7LSOzTPSbP4&client_secret=KaXS2LfnOUxXjTq5iikoz3LIgnPiM8&grant_type=authorization_code&code=3aa27400f59bddf55e39a396fa561f6d2a0f3277&redirect_uri=http://www.dimoff.biz"

We get the following JSON response:

{"token_type":"bearer","access_token":"31ae0ca214abbc4a303136dba375597f44933a69","expires_in":86400}

You can see the POST request to localhost:9999/oauth/token with those parameters returns to us the access token that we can use to work with the user’s data and get the user’s quotes.

How to use an access token with a resource provider? We can use an access token in two ways. The first is to add it as a GET parameter to our API calls, like this:

curl "http://localhost:9999/api/random/?access_token=31ae0ca214abbc4a303136dba375597f44933a69"

This will return a JSON-encoded string with a quote and its movie title in our sample API:

{"quote":"[Elisabeth comments on how fast Patrick had begun sleeping with Holly when a\r\n guy comes out of her bedroom]\r\nPatrick Highsmith: What was that you were saying about 6 months of\r\n suffering?\r\nElisabeth: OK, so I'm a slut, you're a slut, who wants coffee?\r\n\r\n\r\n","movieTitle":" Doppelganger (1993)"}

If you do not want the access token to be revealed in the URL, where it is exposed whenever the link is shared or kept in the browser's history, you can instead send it in the Authorization header, set to "Authorization: Bearer ACCESS_TOKEN".

Here is an example of passing the token in a header using cURL:

PS C:\Users\Ivan> curl "http://localhost:9999/api/random/" -H "Authorization: Bearer 31ae0ca214abbc4a303136dba375597f44933a69"

Password Credentials – Using this grant type, applications can directly get an access token but would have to know the username and the password of the resource owner.

The third-party app has to make a POST request to the OAuth endpoint (in our case /oauth/token) with an HTTP Basic Auth header whose value is the app's client id and client secret, separated by a colon and then base64 encoded ("Authorization: Basic base64(CLIENT_ID:CLIENT_SECRET)"). The app must also provide some POST data with the request: a grant type of password and the username and password of the resource owner who is delegating access.

Here is how we get an access token in our sample API with cURL:

PS C:\Users\Ivan> curl localhost:9999/oauth/token -H "Authorization: Basic cEUxUXo3TFNPelRQU2JQNDpLYVhTMkxmbk9VeFhqVHE1aWlrb3ozTElnblBpTTg=" --data "grant_type=password&username=tester2&password=tester2"

A sample response would be:

{"token_type":"bearer","access_token":"fc415000a8cf06ad2688b1421fa64f6ab24c44de","expires_in":86400}

node-oauth

A simple OAuth API for node.js. This API allows users to authenticate against OAuth providers, and thus act as OAuth consumers. It also has support for OAuth Echo, which is used for communicating with 3rd party media providers such as TwitPic and yFrog.

Tested against Twitter (http://twitter.com), term.ie (http://term.ie/oauth/example/), TwitPic, and Yahoo!

Also provides rudimentary OAuth2 support, tested against Facebook, GitHub, Foursquare, Google and Janrain. For more complete usage examples please take a look at connect-auth (http://github.com/ciaranj/connect-auth).


Installation

$ npm install oauth

Examples

To run the examples/tests, install Mocha ($ npm install -g mocha) and run $ mocha your-file-name.js:

describe('OAuth2', function () {
  var OAuth = require('oauth');

  it('gets bearer token', function (done) {
    var OAuth2 = OAuth.OAuth2;
    var twitterConsumerKey = 'your key';
    var twitterConsumerSecret = 'your secret';

    // OAuth2(clientId, clientSecret, baseSite, authorizePath, accessTokenPath, customHeaders)
    var oauth2 = new OAuth2(twitterConsumerKey,
      twitterConsumerSecret,
      'https://api.twitter.com/',
      null,
      'oauth2/token',
      null);

    // The client_credentials grant needs no authorization code, so the first
    // argument (the code) is left empty.
    oauth2.getOAuthAccessToken(
      '',
      {'grant_type': 'client_credentials'},
      function (e, access_token, refresh_token, results) {
        if (e) { return done(e); }
        console.log('bearer: ', access_token);
        done();
      });
  });
});
