By Syed Rizwan

2-how-to-implement-oauth-20-in-a-nodejs-application-with-expressjs.html

How to Implement OAuth 2.0 in a Node.js Application with Express.js

In today's digital landscape, secure authentication and authorization are vital for any web application. OAuth 2.0 has emerged as a popular framework for granting third-party applications limited access to user accounts on an HTTP service. In this article, we will explore how to implement OAuth 2.0 in a Node.js application using Express.js. By the end, you will have a solid understanding of OAuth 2.0, its use cases, and a working example to integrate it into your application.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts without sharing passwords. It allows third-party services to exchange information on behalf of users, enhancing security and improving user experience. Some common use cases include:

  • Social Media Logins: Allowing users to log in using their social media accounts (e.g., Google, Facebook).
  • API Access: Granting applications access to user data without exposing sensitive credentials.

Key Components of OAuth 2.0

Before diving into implementation, let’s outline the key components of OAuth 2.0:

  • Resource Owner: The user who owns the data.
  • Client: The application requesting access to the resource owner's data.
  • Authorization Server: The server that authenticates the resource owner and issues access tokens.
  • Resource Server: The server hosting the resource owner's data.

Setting Up Your Node.js Environment

To implement OAuth 2.0, you’ll need Node.js and Express.js set up in your development environment. If you haven't installed them yet, follow these steps:

  1. Install Node.js: Download and install Node.js from the official website.
  2. Create a new project: bash mkdir oauth-example cd oauth-example npm init -y
  3. Install Express and necessary dependencies: bash npm install express dotenv axios passport passport-google-oauth20 express-session

Creating Your Express.js Application

Now, let’s create a basic Express application with OAuth 2.0 integration.

Step 1: Set Up Your Application Structure

Create the following files in your project directory:

  • index.js: The main application file.
  • .env: For environment variables (like your OAuth credentials).

Step 2: Configure Environment Variables

In your .env file, add the following variables (replace placeholders with actual values from your OAuth provider):

GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
SESSION_SECRET=your_session_secret

Step 3: Create the Express Application

In index.js, set up your basic Express server:

const express = require('express');
const session = require('express-session');
const passport = require('passport');
const GoogleStrategy = require('passport-google-oauth20').Strategy;
require('dotenv').config();

const app = express();

// Configure session
app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: true }));

// Initialize Passport
app.use(passport.initialize());
app.use(passport.session());

// Passport configuration
passport.use(new GoogleStrategy({
    clientID: process.env.GOOGLE_CLIENT_ID,
    clientSecret: process.env.GOOGLE_CLIENT_SECRET,
    callbackURL: "/auth/google/callback"
}, (accessToken, refreshToken, profile, done) => {
    // You can use the profile information here
    return done(null, profile);
}));

passport.serializeUser((user, done) => {
    done(null, user);
});

passport.deserializeUser((user, done) => {
    done(null, user);
});

// Routes
app.get('/', (req, res) => {
    res.send('<h1>Welcome</h1><a href="/auth/google">Login with Google</a>');
});

app.get('/auth/google', passport.authenticate('google', {
    scope: ['profile', 'email']
}));

app.get('/auth/google/callback', 
    passport.authenticate('google', { failureRedirect: '/' }),
    (req, res) => {
        // Successful authentication
        res.redirect('/profile');
    });

app.get('/profile', (req, res) => {
    if (!req.isAuthenticated()) {
        return res.redirect('/');
    }
    res.send(`<h1>Hello, ${req.user.displayName}</h1><a href="/logout">Logout</a>`);
});

app.get('/logout', (req, res) => {
    req.logout();
    res.redirect('/');
});

// Start the server
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Step 4: Testing the Application

  1. Run the application: bash node index.js
  2. Navigate to http://localhost:3000 in your browser.
  3. Click on the "Login with Google" link, which will redirect you to Google’s login page. After logging in, you will be redirected back to your application and see a welcome message with your name.

Troubleshooting Common Issues

  1. Redirect URI Mismatch: Ensure that the redirect URI in your Google developer console matches the one specified in your application (i.e., /auth/google/callback).
  2. Session Secret: If using sessions, make sure your session secret is correctly set in the .env file.
  3. OAuth Scopes: Ensure you are requesting the correct scopes based on the data you want to access.

Conclusion

Implementing OAuth 2.0 in your Node.js application using Express.js can significantly enhance security and user experience. By following the steps outlined in this article, you’ve learned how to set up an authentication flow using Google as an example. With this foundation, you can explore integrating other OAuth providers or customizing the application to meet your specific needs. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.