3
votes

I'm implementing the OAuth2 resource owner password credentials grant with Passport.js and the oauth2-client-password strategy for an API, but I'm confused as to what the client_id and client_secret are supposed to be. The specs for the resource owner password credentials grant say:

The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type

    REQUIRED.  Value MUST be set to "password".

username

    REQUIRED.  The resource owner username.

password

    REQUIRED.  The resource owner password.

scope

    OPTIONAL.  The scope of the access request as described by Section 3.3.

But the Passport.js strategy is documented to be used like this:

passport.use(new ClientPasswordStrategy(
  function(clientId, clientSecret, done) {
    Clients.findOne({ clientId: clientId }, function (err, client) {
      if (err) { return done(err); }
      if (!client) { return done(null, false); }
      if (client.clientSecret != clientSecret) { return done(null, false); }
      return done(null, client);
    });
  }
));

So my question is, if the specs don't say anything about the client_id or client_secret being required, why is the oauth2-client-password strategy using the client_id and secret_id?

Glen, did you ever work this out? I'm wondering the same thing right now. The spec doesn't require client_id or client_secret, so I'm wondering why the strategy does. – Mike

To be honest, I can't quite remember the basis for the question anymore. As I look at it now, clientId and clientSecret are just arbitrary parameter names that could just as easily have been username & password instead. With all the many passport modules, I wouldn't be surprised if there was some copying/pasting which might account for why the callback parameters have rather odd names. Does that help, or am I completely missing the point? (Sorry if I am, it's been a while since I was reading all about auth and Passportjs) – Glen Selle

They seem to be arbitrary, but the strategy actually checks the body for presence of both the clientId and clientSecret. In any case, I was able to work this out. Still confused as to the presence of those checks, though. – Mike

While researching the same thing I found a nice code example (Node.js) that provides a working model that may be helpful - aleksandrov.ws/2013/09/12/restful-api-with-nodejs-plus-mongodb – Ben

1 Answer

1 vote

I am guessing by now you have this but thought I would add an answer anyway.

  • ClientId is your id to match against your database
  • ClientSecret is the password that you will compare against the hash or encrypted password in your database.

Sample Code:

    Client.verify = function(clientId, secret, next){
      // Look the client up by its id (getByClientId is the answerer's own model method).
      this.getByClientId(clientId, function(err, client){
        if(err) {
          return next(err);
        }
        // Unknown client id: report failure without an error, as the strategy expects.
        if(!client){
          return next(null, false);
        }
        // Compare the presented secret against the stored hash (SecurityUtil.compare is the
        // answerer's own helper, presumably wrapping something like bcrypt's compare);
        // result is true on a match, false otherwise.
        SecurityUtil.compare(secret, client.hash, function(err, result){
          if(err){
            return next(err);
          }
          next(null, result);
        });
      });
    };