So right now I’m implementing OAuth2 in my server, but I just want to support the client_credentials grant. The thing is, node-oauth2-server says that it supports this type of grant, and I pretty much debugged the whole library, and there are some things that don’t make sense to me.
As far as I understand, the client_credentials grant should work like this:
- An internal request should be made to generate the client_secret for the client; this is the only time we will get the client_secret, and we should give this to our client
- client_id should be stored in the database with any extra data (like the associated account id or something like this) and a hash of client_secret so we can later validate it
- The client sends a request to the server including the
- The server should then generate an access token (in my case I will be using JWT) and return from the request. We also need to store this token in database so we can revoke the permission if needed
- The client must use this access token in future requests to access resources from server, and the server will validate on each request if the token is valid (didn’t expire, didn’t lose permissions, etc)
In my case I’m working with Node.js. Actually it is a NestJS project, so I was trying to use this lib, which is basically a wrapper for node-oauth2-server, and if you take a look inside node-oauth2-server, it looks like they only support authorization codes, because AuthorizeHandler.handle() always returns an authorization code and AuthenticateHandler.handle() always expects the authorization code and returns the access token. Basically I need to call AuthenticateHandler.handle(), but instead of checking the authorization code, I must pass and check the
This is a recent issue which has the exact same problem as me: https://github.com/oauthjs/node-oauth2-server/issues/552
So, first, I want to confirm that I’m right and this lib has this implemented in a bad way, and second, is there any other Node.js lib that has client_credentials built in?
As you’ve mentioned that it doesn’t support the client_credentials grant at the moment, you can still utilize the authorization code flow grant type internally to get the access token.
- Prepare client_credentials grant type request and submit to server.
- Map this request to the authorization code flow with the additional attributes required for the
- Submit the request to Authorization server.
- Get the code from response.
- Prepare the token exchange call with the
- Get the
- Return the token in response to client_credentials call.
Answered By – harry
Answer Checked By – Timothy Miller (AngularFixing Admin)