Hi all,
To be honest: I don't know if I am missing something from the big picture, if I am doing something wrong, or if something is broken. Currently we have a home-brewed single-sign-on solution running which works fine but is not an industry standard. That's why we plan on moving to OAuth2. I am currently in a very early prototyping phase to find my way into OAuth2 and see what could be done and how.
I started a small plain JS prototype project using express-oauth-server and followed the documentation and the examples (also the additional example at https://github.com/14gasher/oauth-example as well as the original documentation at https://node-oauthoauth2-server.readthedocs.io/en/latest/model/spec.htm).
Testing is done with a quickly set up Grafana Docker container which has been configured to authorize via OAuth2:
```ini
[auth.generic_oauth]
enabled = true
name = OAuth
client_id = GrafanaDemo
client_secret = some_secret
scopes = user:email,read:org
auth_url = http://dev-vm:3001/login/oauth/authorize
token_url = http://dev-vm:3001/login/oauth/access_token
api_url = http://dev-vm:3001/user
```
Now, when logging in, my small prototype gets invoked, specifically the model function getClient(). That function is implemented with no real logic:
```js
// Prototype only: echoes the supplied clientId/clientSecret back as the client
// record without checking them against anything.
getClient: (clientId, clientSecret) => {
  console.log(`getClient(${clientId}, ${clientSecret})`);
  return new Promise((resolve, reject) => {
    let client = {
      id: clientId,
      clientId: clientId,
      clientSecret: clientSecret,
      grants: [
        "authorization_code",
        "refresh_token"
      ],
      redirectUris: [
        "http://dev-vm:3000/login/generic_oauth" // Grafana redirect
      ]
    };
    resolve(client);
  });
}
```
However, this renders an empty, dead page in the browser. Examining the call with curl, I get an HTTP 401 and no further redirect etc.:
```text
* Trying 127.0.1.1:3001...
* Connected to dev-vm (127.0.1.1) port 3001 (#0)
> GET /login/oauth/authorize?client_id=GrafanaDemo&redirect_uri=http%3A%2F%2Fdev-vm%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=user%3Aemail+read%3Aorg&state=zUFDlXkJUTCSaeqipcRm9HlviQ_iZ9075WjlAIFZ2ws%3D HTTP/1.1
> Host: dev-vm:3001
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< X-Powered-By: Express
< www-authenticate: Bearer realm="Service"
< Date: Tue, 10 Oct 2023 08:24:14 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
<
* Connection #0 to host dev-vm left intact
```
What am I doing wrong or am I missing something?
Additional Info:
I implemented
- getClient()
- saveAuthorizationCode()
- getAccessToken()
- getAuthorizationCode()
- generateAuthorizationCode()
- verifyScope()
- getUser()
- getUserFromClient()
- generateAccessToken()
just to see if any other functions would be called (they don't). Also I debugged in @node-oauth/express-oauth-server and its dependency @node-oauth/oauth2-server to see what causes this error. I do not see anything fail inside.
Additional Info 2 (oh dear, it's been a long time since I filed a bug report):
Node: 18.17.1
Direct Dependencies:
- @node-oauth/express-oauth-server 3.0.1
- body-parser 1.20.2
- express 4.18.2