During my work to refactor one of my Node.js based apps, I tried to dig deeper into OAuth2 authorization flows. There are 4 authorization grant flows (see http://labs.hybris.com/2012/06/01/oauth2-authorization-code-flow/):
- Authorization Code Flow, aka Server-Side Flow or the ‘typical’ OAuth2 flow: the client sends the user via redirect to the provider’s login and authorization page; the provider then redirects back to your web application with an authorization code in the URL query parameters. Your server exchanges that code at the token endpoint, together with its client secret and the same redirect_uri, for an access token, so the token itself never passes through the browser. The code is short-lived and single-use, and the client must send a random state parameter on the redirect and verify it on the callback, otherwise the callback is open to CSRF (login CSRF).
- Implicit Flow: a variant for browser-based (public) clients that cannot keep a secret; the access token is returned directly in the URL fragment of the redirect instead of a code, so there is no token-endpoint exchange. It is the least secure of the four, since the token is exposed to the browser and to anything that can read the URL.
- Resource Owner Password Flow: this flow is suited to native mobile applications that you can trust (first-party clients): the app sends the user’s username and password directly to the token endpoint in exchange for an access token. Because the client handles the user’s credentials, it must never be enabled for third-party clients.
- Client Credentials Flow: this flow authenticates the client itself (with its client id and secret) and gives the client access to resources it owns; it does not give the client access to any user’s data, since no user is involved.
Since my app is written in Node.js, the first move was to see whether there are Node.js modules that support all of the flows. Fortunately, passport, together with its companion oauth2orize (the authorization-server side used in the posts linked below), supports all of them. Here are some links for each flow (with the exception of the last, since it is only about client data):
- Authorization Code Flow: https://rwlive.wordpress.com/2014/05/26/oauth2-authorization-grant-flow-using-oauth2orize-express-4-and-mongojs/
- Implicit Flow: https://rwlive.wordpress.com/2014/06/11/oauth2-implicit-flow-using-oauth2orize-express-4-and-mongojs/
- Resource Owner Password Flow: https://rwlive.wordpress.com/2014/06/24/oauth2-resource-owner-password-flow-using-oauth2orize-express-4-and-mongojs/