First of all, congratulations for the great work on the plugin!
I'm curious as to why mapParams must be false. It is a really useful feature, but can't be used with the plugin.

From either an AngularJS app, or Postman (A Chrome Rest Client), when I send a POST request to /token, and the authentication fails, the browser (Chrome) pops open the basic authentication dialog.

Note: When authentication is successful, there is no popup. It's only when authentication fails.

From what I've read, it's caused by the 401 response.

Is there a way around this so authentication failure can be handled via javascript in the browser?

I'm noting my POST request in case it has to do with the issue.

POST /token HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Authorization: Basic Zm9vOmJhcg==
Cache-Control: no-cache

{"grant_type":"client_credentials"}

Why can I not use a password grant_type without providing a Authorization header..

Hi,

I am trying to get the cc example working using the Advance rest client but cannot work it out.

Can you help..or provide a better example with more detail... e.g curl commands etc

I need to modify the response for the token endpoint. Is there any way to insert some middleware that runs after the token grant middleware?

Restify does not allow stacking middlewares for a specific route using multiple sequential calls to server.VERB. If that was the case, I could stack another middleware function onto the token grant route by adding a route handler after calling the restify-oauth2 hook:

require('restify-oauth2').ropc(options)
server.post("/token", function(req, res, next) {})

So is there a recommended way to accomplish this?

Hello!

I have stumbled upon a scenario where I need to get some information (ip and user agent) from the request object in the grantUserToken hook. However, it doesn't seem to be a way to do that at the moment?

I solved it by passing with req as an argument to options.hooks.grantUserToken and matching that change in my hook, but I really don't want to change the source code of the package if I don't have to.

Is there any other way I could achieve this?

Hi everyone,
¿ is it possible to set custom error messages within the ropc option.hooks? as i dont have access to res, the only way i found is to modify the ropc/grantToken.js file.

Regards

The framework will always check for a token on POST requests. Here is an example:

app.post('/user/create', userCreate);
app.get('/user/create', userCreate);

function userCreate(req, res) {
     res.json({json:'Jay SON'});
     return;
}

The get requests returns correctly, the post request returns the following:

{
  "code": "BadRequestError",
  "message": "Bearer token required. Follow the oauth2-token link to get one!"
}

Hi,

I would like to use both Authorization Grant CC and ROPC with same tokenEndpoint.

restifyOAuth2.cc(server, {tokenEndpoint: "/token", hooks: restifyOAuth2Hooks});

restifyOAuth2.ropc(server, {tokenEndpoint: "/token", hooks: restifyOAuth2RopcHooks});

What is the best way to setup or patch?

Regards,

Hi,

I'm not sure I'm approaching this right, but when using restify with restify-oauth2 to secure an api endpoint for Web app - I'm getting a login dialog (at least on Chrome). To battle that I forked and added a new option noWwwAuthenticate next to the tokenEndpoint, wwwAuthenticateRealm, etc. and then I have a logic to not set appropriate header in makeErrorSenders.js (for both setWwwAuthenticateHeader and setWwwAuthenticateHeaderWithoutErrorInfo). I think I overlooked something in the docs or/and usage specs. Do reckon there is a proper approach to it?

In case you find this useful - I can create a pull request.

All the default messages are written in English, it would be awesome to be able to translate them to other languages.

This is a low priority issue/question.

I see that I can pass in a value to the option tokenExpirationTime. However, I don't see how I can access that value within the grantClientToken function (passed in via hooks). I'd like to have that tokenExpirationTime value so that my generateToken function can do a calculation on it.

As I see things now, I have to hardcode that value in grantClientToken and authenticateToken. (NOTE: I'm using 'cc'.)

Can you advise?

BTW, thanks for writing this module. I enjoy working with it!

Please, can you made restify 4.x support?

Regards

I know this is crazy minimal, but I was working with your cc Example and noticed you use Object.freeze().

I looked into it and found this:

http://jsperf.com/performance-frozen-object

Apparently, that is a SCARY performance in Chrome, and I thought I'd bring it to your attention as well!

I am trying to grok the placement of this module in my application, because it appears to be the piece I am missing in my Restify/passport/passport-facebook app. With passport-facebook, I have the ability to have the user log in to Facebook, and when the user object is returned I can seek a match in my database and say "Oh hey yes, this user has a profile" or "no, create a profile" - but after that initial callback, I no longer have any authorization methods for my RESTful API.

Would I use restify-oauth2 in combination with passport and passport-facebook in order to achieve this, or do I just need to write a similar token passing mechanism that passport is completely missing?

Thanks!

I am trying to use node-oauth to do cc authentication against restify-oauth2

exports.authAppTokenHttp = testCase({
"Testing OAuth access over http" : function(test) {
       var oa = new OAuth2(
               '84545a68026413f860309e41e2d95e8cf17bf7bb52fadecdae0ad2189480e946',
               '054bddf87bb67685919410aec77d36166f0d84a7afc23152a1c9d0620cc64b8c',
               'http://localhost:19001/',
               null,
               'oauth2/app_request_token',
               null);
       
       oa.getOAuthAccessToken('', {'grant_type': 'client_credentials'}, function(error, access_token, refresh_token, result) {
           
           if (error) {
               console.log(error);
           }
           
           console.log('bearer: ', access_token);
           
           test.done();
       });
   }
});

I am getting:

{ statusCode: 400,
  data: '{"error":"invalid_request","error_description":"Must include a basic access authentication header."}' }

Are these two compatible?

I'm building a one-page react app and am using a REST API for everything. The REST API is being called from react, and is on a different domain. The /token endpoint requires auth or it fails the OPTIONS request. Is this necessary? Can't options return proper CORS without requiring auth (firefox won't pass along basic auth on a preflight) headers or can there be an option to force preflight CORS OPTIONS response on the /token endpoint? I don't think the OPTIONS should require auth.

Hi there,

Would you consider making the token type case insensitive as suggested by RFC6749? For instance, the Go implementation has already adopted case insensitivity.

I'm happy to make the change if you want me to. Thanks!

Can you test if this works with restify 3.x and update peerDependencies?

ServerHandler:log TypeError: Cannot read property 'scheme' of undefined
at Server.ccOAuth2Plugin (/home/mike_api/node_modules/restify-oauth2/lib/common/makeSetup.js:55:41)
at next (/home/mike_api/node_modules/restify/lib/server.js:745:30)
at f (/home/mike_api/node_modules/restify/node_modules/once/once.js:17:25)
at Server.bunyan (/home/mike_api/node_modules/restify/lib/plugins/bunyan.js:36:9)
at next (/home/mike_api/node_modules/restify/lib/server.js:745:30)
at f (/home/mike_api/node_modules/restify/node_modules/once/once.js:17:25)
at Server.restifyResponseHeaders (/home/mike_api/node_modules/restify/lib/plugins/full_response.js:97:17)
at next (/home/mike_api/node_modules/restify/lib/server.js:745:30)
at f (/home/mike_api/node_modules/restify/node_modules/once/once.js:17:25)
at Server.restifyCORSSimple (/home/mike_api/node_modules/restify/lib/plugins/cors.js:95:13) +0ms

Is there any interest in supporting some way of disabling the automatic addition of the /token route in order to support usage of restify-oauth2 in multiple servers on the same domain?

My use case is that I'd like to have a restify server running at mydomain.com/api/auth which has a /token route, and then multiple other servers running at other points which do not grant tokens, but use the restify-oauth2 library to validate tokens.

To be more explicit, I'm interested in something like this:

// ====== server running at mydomain.com/api/auth ======

var restify = require('restify'),
   restifyOauth2 = require('restify-oauth2');

// server setup ...

restifyOAuth2.cc(server, {includeTokenEndpoint: true});
server.listen(8080);

// ====== server running at mydomain.com/api/users ======

var restify = require('restify'),
   restifyOauth2 = require('restify-oauth2');

// server setup...

restifyOAuth2.cc(server, {includeTokenEndpoint: false});

server.get('/', function (req, res) {
   if (!req.clientId) {
      return res.sendUnauthenticated();
   }

   res.contentType = 'application/json';
   res.send({message: 'I can tell you got a token from the other server'});
});

server.listen(8090);

If there's interest, I'm happy to work on a pull request. Thanks!

Docs are referring to tokenEndpoint property, however in code there is no such.
Instead "endpoint" property is used.

Great module! This is a question rather than an issue.

I am building an API where we want to give the API user a key and secret. Then they use that key and secret to authenticate with our server and then can use the API however they like. They are not required to ask a real user for their username and password.

I would like to know if they supply the key for the clientId and username and the secret for the clientSecret and password like below, is that acceptable for my purpose?

validateClient(API_KEY, API_SECRET, cb)
grantToken(API_KEY, API_SECRET, cb) 

In other words, can I abuse the password credentials flow or should I be using a completely different flow for this use case?

In Restify v5.x all errors definitions were moved into the separate repository: restify-errors.

As a result, restify-oauth2 code requires refactoring as described here: http://restify.com/docs/home/#restify-errors

This is more of a question than an issue. I was able to get a token generated by POSTing /token with basic auth and grant_type = client_credentials, however, it is not clear to me how I can send the generated token to the initial resource ( / ). I always seem to get /public back in the response object. I tried sending access_token and token_type=Bearer in the headers and in the GET parameters without luck. How do you send the token and is there anything else required? Thanks for the great code!

Hi DD,

Great work on restify-oauth2, well written code. I'm working on a stack with Telerivet (SMS gateway) and restify + restify-oauth2. I'm running into an issue where the POST request (from Telerivet's webhook) doesn't have Basic xyz in the header. The clientid (actually a mobile phone number) and secret are in the body. Btw, I don't have control on the client request, it's 3rd party. I can think of these following options:

1. Hack the req object, sets the username & password property, in the server.pre
2. Implement some logic in the '/public' path (either issue the token directly or construct another request that conforms a standard post with Basic xyz header)
3. Simply change the restify-oauth2 lib source

Any ideas or suggestions would be greatly appreciated. Thanks. MLP

npm ERR! peerinvalid The package restify does not satisfy its siblings' peerDependencies requirements!
npm ERR! peerinvalid Peer [email protected] wants [email protected]

the link "example CC hooks" points to the ropc example in the README.md file