Custom OAuth - Token exchange
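// client applications would POST here
// with a code that this server sent out earlier after resource-owner authentication
//
// Body fields read: code, client_id, client_secret.
// Responses: 400 when the code is unknown or already consumed, 401 when client
// authentication fails, otherwise the RS256-signed JWT is sent as the body.
app.post('/token', (req, res) => {
  const body = req.body || {};
  const code = body.code;
  const client_id = body.client_id;
  const client_secret = body.client_secret;

  // make sure that the code is still alive and can be exchanged.
  // own-property check on purpose: a plain `cache[key]` lookup is truthy for
  // inherited keys such as 'constructor', so a client-supplied code must not be
  // mistaken for a live one just because the key exists on Object.prototype
  if (typeof code !== 'string' || !Object.prototype.hasOwnProperty.call(code_token_cache, code)) {
    // the previous version sent nothing on this path and the request hung
    res.status(400).send('Unknown or expired code');
    return;
  }

  // perform client app authentication here, they need to send over the 'client_secret'.
  // an unknown client_id used to throw (registered_clients[...] is undefined) instead
  // of failing cleanly, and the secret comparison used loose equality
  const client = Object.prototype.hasOwnProperty.call(registered_clients, client_id)
    ? registered_clients[client_id]
    : undefined;
  // TODO(review): switch to a constant-time comparison (crypto.timingSafeEqual on
  // equal-length buffers) once crypto is imported; kept as === here
  if (!client || typeof client_secret !== 'string' || client.client_secret !== client_secret) {
    res.status(401).send('Client failed authentication');
    return;
  }
  // NOTE(review): nothing here ties `code` to `client_id`; if the cached entry
  // records which client the code was issued to, compare it here — can't tell from this file

  // once client has been authenticated, sign a JWT containing the access token
  // with auth_server's private key. the public key is held by the client and can be used
  // to check integrity
  const priv_key = fs.readFileSync('auth_server_priv.pem');
  const signed_token = jwt.sign(code_token_cache[code], priv_key, { algorithm: 'RS256' });

  // also remove this code from auth_server cache so that replay attacks are prevented
  // ie. one code can be exchanged for one token per resource-owner authentication.
  // dropped before the response is written so the consume-once rule does not
  // depend on send() succeeding
  delete code_token_cache[code];

  // log the event, not the token or the cached payload: both were printed to
  // stdout before and would end up in log files
  console.log('issued token for client', client_id);
  res.send(signed_token);
});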