Setting Up OAuth 2.0 in a Node.js Express Application
In today's digital landscape, securing user authentication is more critical than ever. OAuth 2.0 is the industry-standard protocol for authorization, allowing third-party services to exchange user information without exposing passwords. In this article, we'll explore how to set up OAuth 2.0 in a Node.js Express application, complete with code examples and best practices to ensure a smooth implementation.
What is OAuth 2.0?
OAuth 2.0 is a protocol that allows applications to obtain limited access to user accounts on an HTTP service. It provides a way to gain access without sharing credentials, enhancing security and user experience.
Key Concepts
- Authorization Grant: A credential representing the resource owner's authorization. Common types include Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials.
- Access Token: A token that the application uses to access the user's data.
- Refresh Token: A token used to obtain a new access token without requiring the user to log in again.
Use Cases for OAuth 2.0
- Social Login: Allow users to sign in using their Google, Facebook, or Twitter accounts.
- Third-Party API Access: Enable applications to access user data from external services securely.
- Mobile and Web Applications: Provide a seamless authentication experience across devices.
Prerequisites
Before we dive into the implementation, ensure you have the following:
- Node.js and npm installed on your machine.
- Basic knowledge of JavaScript and Express.
- A registered application with an OAuth provider (e.g., Google, GitHub).
Step-by-Step Guide to Setting Up OAuth 2.0
1. Set Up Your Node.js Express Application
First, let's create a simple Express application. Open your terminal and run:
mkdir oauth-example
cd oauth-example
npm init -y
npm install express dotenv axios express-session passport passport-google-oauth20
Next, create a new file named server.js and set up a basic Express server:
// server.js
const express = require('express');
const session = require('express-session');
const passport = require('passport');
require('dotenv').config();

const app = express();
const PORT = process.env.PORT || 3000;

// Middleware: the session secret signs the session cookie, so read it from the
// environment instead of hard-coding it (the fallback is for local development only)
app.use(session({
  secret: process.env.SESSION_SECRET || 'dev-only-secret',
  resave: false,
  saveUninitialized: true,
}));
app.use(passport.initialize());
app.use(passport.session());

// Set up routes
app.get('/', (req, res) => {
  res.send('<h1>Welcome to OAuth 2.0 Example</h1><a href="/auth/google">Login with Google</a>');
});

app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});
2. Configure Passport for Google OAuth
To integrate Google OAuth, we'll configure Passport.js with the Google strategy. Create a new file named passport-setup.js:
// passport-setup.js
const passport = require('passport');
const GoogleStrategy = require('passport-google-oauth20').Strategy;

passport.use(
  new GoogleStrategy(
    {
      clientID: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      callbackURL: '/auth/google/callback',
    },
    (accessToken, refreshToken, profile, done) => {
      // Here you can save/handle user profile as needed
      return done(null, profile);
    }
  )
);

// Serialize user
passport.serializeUser((user, done) => {
  done(null, user);
});

// Deserialize user
passport.deserializeUser((user, done) => {
  done(null, user);
});
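The verify callback above hands Passport the whole Google profile and serializes all of it into the session. As an added example (not the article's code), here is the same callback written against your own user store, keeping only the fields you need and putting just the user id in the session. The Map is a stand-in for a database, and the profile object in the test is a constructed sample in the shape passport-google-oauth20 delivers.

```javascript
// Added example (not the article's code): verify callback with a local user store.
const users = new Map(); // key: internal id, value: user record (stand-in for a database)

// Look up a user by Google profile id, creating a record on first login.
function findOrCreateUser(profile) {
  for (const u of users.values()) {
    if (u.provider === 'google' && u.providerId === profile.id) return u;
  }
  const email = (profile.emails && profile.emails[0] && profile.emails[0].value) || null;
  const user = {
    id: `u${users.size + 1}`,
    provider: 'google',
    providerId: profile.id,
    displayName: profile.displayName,
    email,
  };
  users.set(user.id, user);
  return user;
}

// Passport verify callback: passes the local record to Passport, not the raw profile,
// and reports store failures through done(err) instead of throwing.
function verify(accessToken, refreshToken, profile, done) {
  try {
    done(null, findOrCreateUser(profile));
  } catch (err) {
    done(err);
  }
}

// Only the id goes into the session ...
function serializeUser(user, done) {
  done(null, user.id);
}

// ... and the record is reloaded on each request. `false` tells Passport the
// session no longer maps to a user, so a deleted account is logged out.
function deserializeUser(id, done) {
  const user = users.get(id);
  done(null, user || false);
}

/* Wiring, same shape as passport-setup.js above:
   passport.use(new GoogleStrategy({ ...options }, verify));
   passport.serializeUser(serializeUser);
   passport.deserializeUser(deserializeUser);
*/
```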
3. Set Up OAuth Routes
Now, let's add routes for Google authentication in server.js:
// server.js (continued): add this block above the app.listen(...) call
require('./passport-setup');

// Profile data comes from a third party, so escape it before putting it in HTML
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

app.get('/auth/google',
  passport.authenticate('google', {
    scope: ['profile', 'email'],
  })
);

app.get('/auth/google/callback',
  passport.authenticate('google', { failureRedirect: '/' }),
  (req, res) => {
    // Successful authentication
    res.redirect('/dashboard');
  }
);

app.get('/dashboard', (req, res) => {
  if (!req.isAuthenticated()) {
    return res.redirect('/');
  }
  res.send(`<h1>Hello ${escapeHtml(req.user.displayName)}</h1><a href="/logout">Logout</a>`);
});

// Passport 0.6 and later require a callback for req.logout()
app.get('/logout', (req, res, next) => {
  req.logout((err) => {
    if (err) return next(err);
    res.redirect('/');
  });
});
4. Environment Variables
For security, store sensitive information such as client ID and secret in a .env file in the root of your project:
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
5. Testing Your Application
Now that everything is set up, run your application:
node server.js
Navigate to http://localhost:3000 in your browser. Click the "Login with Google" link, and follow the prompts to authenticate. Upon successful login, you should be redirected to the dashboard displaying your name.
Troubleshooting Common Issues
- Invalid Credentials: Ensure that your client ID and secret are correct in the .env file.
- Redirect URI Mismatch: Verify that the callback URL set in the Google Developer Console matches the one in your application.
- Session Issues: If sessions are not maintained, check your session configuration and make sure cookies are enabled in your browser.
Conclusion
Integrating OAuth 2.0 in your Node.js Express application enhances security and user experience by enabling seamless authentication. By following the steps outlined in this guide, you can quickly set up Google OAuth in your application and expand to other providers with similar approaches.
Now you can protect your application while providing users with a convenient way to authenticate. Happy coding!