This tutorial is an extension of my previous article, Using Passport.js and Mongoose for Local User Authentication. If you need help getting set up with local user authentication, please follow that article first.

OAuth2.0 gives your app the ability to work with content producers to share content between your services and their website. Integrating OAuth2.0 opens a large range of features you can integrate into your application, including a safe way to implement authentication inside a mobile application. Rather than storing usernames and passwords, applications can store safer access codes and tokens. Before we dive in, lets take a look at how OAuth2.0 works, and how Passport.js is set up to integrate OAuth2.0.

How OAuth2.0 Works

The first step in creating an open authentication layer into your app is setting up a zone for holding the requesting applications metadata. The primary information you need to hold is the applications site domain for verification of response redirect URLs, and an active/deactive switch so you can disable offending applications easily. Other features you can implement on your own (such as a website for developers to set up their applications on their own, display title, etc). Next, the requesting application sends users to a specific URL on your website that asks the user to login, and shows the user what permissions the application is requesting. The parameters given to your application here are the ID of the requesting application (client_id), the permissions the application is requesting (scope), and the URL to redirect upon completion or failure of the request (redirect_uri). This is where we’re going to validate the apps information against our database, and make sure the application isn’t asking for a scope we don’t support. We’ll display a login form with a button for logging in and accepting as one action, or just an Authorize button if they’re already signed in (similar to LinkedIn or Twitter’s OAuth pages, if you are familiar). After our user accepts the connection, we’ll generate and save a grant code into our database, and associate it with that user, which contains the application and that scope. Grant codes do not have an expiration date, however, more advanced applications give users the ability to revoke grant codes (and in doing so, invalidate request tokens as well). We are going to give the requesting application our grant code when we redirect them to their redirect URI. The requesting application should save the grant code in their database, as it will continuously be needed. Finally, the application will request a temporary request token that expires after approximately fifteen minutes to an hour by supplying the grant code we gave them, and a secret string that only that applications servers should hold. The application will continue to request these tokens as it tries to make a new request if it has no valid request tokens. The request token is what will be sent with every API call.

OAuth2.0 Web Flow

That’s it. Now we can move onto integrating this structure into our app.

Step 1: Database Schemas

To get started, we need a number of database schemas. I’m skipping much of the verbose details about how Mongoose works, as you probably already know. We are using the package uid2 for generating random strings. While adding oauth_id property to our application schema is not necessary (you could use Mongoose’s built-in Id property instead), we are using it to give integers rather than a random string as the application’s client ID (which will be used later). For simplicity’s sake, we’re not implementing auto-increment feature in this tutorial—checkout mongoose-auto-increment for details (note that field would be oauth_id).

var uid = require('uid2');

var ApplicationSchema = new Schema({
	title: { type: String, required: true },
	oauth_id: { type: Number, unique: true },
	oauth_secret: { type: String, unique: true, default: function() {
			return uid(42);
	domains: [ { type: String } ]
var GrantCodeSchema = new Schema({
	code: { type: String, unique: true, default: function() {
			return uid(24);
	user: { type: Schema.Types.ObjectId, ref: 'User' },
	application: { type: Schema.Types.ObjectId, ref: 'Application' },
	scope: [ { type: String } ],
	active: { type: Boolean, default: true }
var AccessTokenSchema = new Schema({
	token: { type: String, unique: true, default: function() {
			return uid(124);
	user: { type: Schema.Types.ObjectId, ref: 'User' },
	application: { type: Schema.Types.ObjectId, ref: 'Application' },
	grant: { type: Schema.Types.ObjectId, ref: 'GrantCode' },
	scope: [ { type: String }],
	expires: { type: Date, default: function(){
		var today = new Date();
		var length = 60; // Length (in minutes) of our access token
		return new Date(today.getTime() + length*60000);
	} },
	active: { type: Boolean, get: function(value) {
		if (expires < new Date() || !value) {
			return false;
		} else {
			return value;
	}, default: true }

var Application = mongoose.model('Application', ApplicationSchema);
var GrantCode = mongoose.model('GrantCode', GrantCodeSchema);
var AccessToken = mongoose.model('AccessToken', AccessTokenSchema);

Step 2: Implementing oauth2orize

The creator of Passport.js also manages plugins for handling OAuth2.0 authentication, named oauth2orize. This plugin helps implement OAuth2.0 easily into your application, however I have come to the conclusion that the documentation for oauth2orize is somewhat complex or incomplete. The oauth2orize plugin is set up to create a server, which is then configured for creating grant codes, creating request tokens, and serializing/deserializing the application into a browser session (for persisting information between multiple stages of user login and user acceptance to the requesting application). When the application requests a new request token from a grant code, we have to find the application model ourselves and inject it into the req variable as (oauth2orize confusingly calls requesting applications as ‘users’, and Passport.js is already using req.user for the actual user). We will take care of that when we get to exchanging codes, but that is the reason for { userProperty: 'app' } below.

var oauth2orize = require('oauth2orize');

var server = oauth2orize.createServer();

	scopeSeparator: [ ' ', ',' ]
}, function(application, redirectURI, user, ares, done) {
	var grant = new GrantCode({
		application: application,
		user: user,
		scope: ares.scope
	}); {
		done(error, error ? null : grant.code);
	userProperty: 'app'
}, function(application, code, redirectURI, done) {
	GrantCode.findOne({ code: code }, function(error, grant) {
		if (grant && && grant.application == {
			var token = new AccessToken({
				application: grant.application,
				user: grant.user,
				grant: grant,
				scope: grant.scope
			}); {
				done(error, error ? null : token.token, null, error ? null : { token_type: 'standard' });
		} else {
			done(error, false);
server.serializeClient(function(application, done) {
server.deserializeClient(function(id, done) {
	Application.findById(id, function(error, application) {
		done(error, error ? null : application);

Step 3: Writing our Authentication API

Now that our oauth2orize server is set up, and we’ve already implemented Passport.js user authentication into our app, setting up the pages for our users to accept or deny requesting applications is going to be much easier. We’re going to use /auth/start to start requests—this will be where requesting applications send users, and /auth/finish will be where we check through the request, generate grant codes, and send them back to the requesting application. For this example, I’m going to be using the Jade templating language. If you passed off Jade as an ugly language before giving it a chance (like me), I highly recommend giving it another chance, because it is the most amazing template engine I have ever used, and plus, it is easy to integrate with Express. We also have to listen for a URL parameter response_type, which tells our application what type of code the application is looking for (this tutorial only has instructions for code style grants). That parameter will need to follow the flow into the /auth/finish request. Note that I also am allowing the domains property in an Application include custom URL schemes (protocols), letting Applications redirect to their URL scheme and thus pop back into the application on a mobile device to complete the authentication (as long as that URL scheme is not http or https).

var url = require('url');

app.get('/auth/start', server.authorize(function(applicationID, redirectURI, done) {
	Application.findOne({ oauth_id: applicationID }, function(error, application) {
		if (application) {
			var match = false, uri = url.parse(redirectURI || '');
			for (var i = 0; i <; i++) {
				if ( ==[i] || (uri.protocol ==[i] && uri.protocol != 'http' && uri.protocol != 'https')) {
					match = true;
			if (match && redirectURI && redirectURI.length > 0) {
				done(null, application, redirectURI);
			} else {
				done(new Error("You must supply a redirect_uri that is a domain or url scheme owned by your app."), false);
		} else if (!error) {
			done(new Error("There is no app with the client_id you supplied."), false);
		} else {
}), function(req, res) {

	var scopeMap = {
		// ... display strings for all scope variables ...
		view_account: 'view your account',
		edit_account: 'view and edit your account',

	res.render('oauth', {
		transaction_id: req.oauth2.transactionID,
		currentURL: req.originalUrl,
		response_type: req.query.response_type,
		errors: req.flash('error'),
		scope: req.oauth2.req.scope,
		application: req.oauth2.client,
		user: req.user,
		map: scopeMap
});'/auth/finish', function(req, res, next) {
	if (req.user) {
	} else {
		passport.authenticate('local', {
			session: false
		}, function(error, user, info) {
			if (user) {
			} else if (!error) {
				req.flash('error', 'Your email or password was incorrect. Try again.');
		})(req, res, next);
}, server.decision(function(req, done) {
	done(null, { scope: req.oauth2.req.scope });

When someone requests /auth/start, we render a page named oauth. This page displays what permissions are being requested from the originating application, a login form if the user is not currently logged in with an Authorize button combining the two actions, or a simple Authorize button if they are already signed in. Here’s what the page looks like in Jade.

	h1.text-center!= 'Connect with ' + application.title
	form(method='post', action='/auth/finish')
		input(type='hidden', name='transaction_id', value=transaction_id)
		input(type='hidden', name='response_type', value=response_type)
		input(type='hidden', name='client_id', value=application.oauth_id)
		input(type='hidden', name='auth_url', value=currentURL)
		input(type='hidden', name='scope', value=scope.join(','))

			p= application.title + ' requires permission to '
				each item in scope
					if scope.indexOf(item) == scope.length-2
						!= '<strong>' + map[item] + '</strong> and '
						if scope.indexOf(item) == scope.length-1
							!= '<strong>' + map[item] + '</strong>'
							!= '<strong>' + map[item] + '</strong>, '
				| .
			if user
				p Click <em>Authorize</em> to allow this app to connect with your account.
				p Sign in below to allow this app to connect with your account.

		each message in errors
				p= message

		if user
				p.text-center!= 'Signed in as <strong>' + + '</strong>'
				a(href='/logout?next=' + encodeURIComponent(currentURL))= 'Not ' + + '?'
				button.btn.btn-default(type='submit') Authorize →
				label(for='email') Email address
				input.form-control#email(type='email', name='email', autofocus)
				label(for='password') Password
				p.small!= 'Your password will <strong>not</strong> be shared with <strong>' + application.title + '</strong>'
				input.form-control#password(type='password', name='password')
				button.btn.btn-default(type='submit') Authorize →

Step 4: Exchanging Grant Codes for Access Tokens

Grant codes are not actually the tokens that requesting applications are going to be using to get protected data. At this point, our server has already sent the user back to the originating application, and now it’s up to that application to get an access token for requesting data later. The originating application can request new access tokens countless times in the future as its access tokens expire or are invalidated in any way. This request is where the applications secret key is used. The applications secret key should be protected on the application’s server, and never exposed to users. oauth2orize expects us to implement an entirely new authentication method for applications into Passport.js, but personally, I believe that the Passport.js authentication methods should be reserved for authenticating users, rather than mixing them with methods for authenticating applications. The only benefit I see in using Passport.js for authentication is multiple ways for an application to validate itself. However, in number-of-lines of code and number-of-dependencies, it does not seem very beneficial. So I am writing middleware to inject the app to the variable myself.'/auth/exchange', function(req, res, next){
	var appID = req.body['client_id'];
	var appSecret = req.body['client_secret'];

	Application.findOne({ oauth_id: appID, oauth_secret: appSecret }, function(error, application) {
		if (application) { = application;
		} else if (!error) {
			error = new Error("There was no application with the Application ID and Secret you provided.");
		} else {
}, server.token(), server.errorHandler());

Step 4.5: Application Integration

Applications now have complete access to authenticate users. Here is where we would write a guide for app developers about how to use our new authentication server. URLs to authentication pages can be constructed like so:

When we redirect back to the applications redirect URI, we will include a code=GRANT_CODE URL parameter, or information about why the authorization attempt failed.

Step 5: Creating Authenticated API Endpoints

Now that our application can get a grant code and request token, we need to give that application access to some awesome protected API endpoints for actually doing cool stuff with our users and our data. While most of the actual APIs are going to be unique to you and your application, here is how we will be verifying that an applications access tokens look okay.

var PassportOAuthBearer = require('passport-http-bearer');

var accessTokenStrategy = new PassportOAuthBearer(function(token, done) {
	AccessToken.findOne({ token: token }).populate('user').populate('grant').exec(function(error, token) {
		if (token && && && token.user) {
			done(null, token.user, { scope: token.scope });
		} else if (!error) {p
			done(null, false);
		} else {


	passport.authenticate('bearer', { session: false }),
	function(req, res, next) {
		// ... Here we can do all sorts of cool things ...


That’s It!

Whoa. That was a lot of information to consume. But hey! You have a working application implementing user authentication, OAuth2.0 application authorization and protected API endpoints. How cool is that? If you have any questions about this article, please leave your feedback in the form below, or check out my Twitter—@hnryjms. Stay tuned for the next guide, where I show how to use Access Control to prevent applications with the wrong scope from accessing restricted API’s.

Up Next
An Expressive CMS for Node.js