OAuth 2.0 and OpenID Connect
Implement secure authentication flows for modern applications.
Understanding the Flows
- Authorization Code: best for server-side (confidential) apps that can hold a client secret
- Authorization Code with PKCE: for SPAs, mobile and other public clients that cannot keep a secret
- Client Credentials: machine-to-machine, no user involved
Authorization Code Flow with PKCE
```javascript
import crypto from 'node:crypto';

// Generate code verifier and challenge (PKCE, S256 method)
function generatePKCE() {
  // 32 random bytes -> 43-character base64url string (RFC 7636 allows 43-128)
  const verifier = crypto.randomBytes(32).toString('base64url');
  // The challenge is the base64url-encoded SHA-256 of the verifier
  const challenge = crypto
    .createHash('sha256')
    .update(verifier)
    .digest('base64url');
  return { verifier, challenge };
}
```
```javascript
// Step 1: Redirect to authorization server
// CLIENT_ID and REDIRECT_URI are the values registered with the authorization server
const { verifier, challenge } = generatePKCE(); // keep `verifier` for step 2
// state ties the callback to this session so a forged callback is rejected
const state = crypto.randomBytes(16).toString('base64url');
const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('code_challenge', challenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
authUrl.searchParams.set('state', state);
```
Token Exchange
```javascript
// Step 2: Exchange code for tokens (run server-side after the callback)
// `callbackUrl` is the URL the authorization server redirected back to;
// `verifier` and `state` are the values saved for this session in step 1
const params = new URL(callbackUrl).searchParams;
if (params.get('state') !== state) throw new Error('state mismatch');
const authorizationCode = params.get('code');

const response = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    code: authorizationCode,
    redirect_uri: REDIRECT_URI,
    code_verifier: verifier,
  }),
});
if (!response.ok) throw new Error(`token endpoint returned ${response.status}`);
const { access_token, id_token, refresh_token } = await response.json();
```
Validating ID Tokens
```javascript
import jwt from 'jsonwebtoken';
import jwksClient from 'jwks-rsa';

const client = jwksClient({
  jwksUri: 'https://auth.example.com/.well-known/jwks.json'
});
// Resolve the signing key named by the token header's `kid` from the JWKS
function getKey(header, callback) {
  client.getSigningKey(header.kid, (err, key) => callback(err, key && key.getPublicKey()));
}
// jsonwebtoken needs the callback form when the key comes from a function;
// pinning `algorithms` (adjust to what the issuer publishes) stops an
// attacker-chosen `alg` such as `none` from being accepted
const decoded = await new Promise((resolve, reject) =>
  jwt.verify(id_token, getKey, {
    audience: CLIENT_ID,
    issuer: 'https://auth.example.com',
    algorithms: ['RS256'],
  }, (err, payload) => (err ? reject(err) : resolve(payload)))
);
```
Always validate tokens server-side, and use HTTPS for every OAuth request and redirect.