Implementing GitHub Enterprise OAuth2 With Passport.js

Surbhi Mittal
Walmart Global Tech Blog
4 min read · Jul 15, 2021
Photo by Brooke Giles On Morioh

Have you faced challenges in enabling users to authorize a GitHub Enterprise OAuth app using Node.js?

OAuth is an authorization framework that grants an application limited access to resources over HTTP. It is used to authorize access to services such as GitHub, Twitter, Facebook and many more.

GitHub Enterprise provides an OAuth 2.0 implementation that lets users authorize access to its resources. While working with Node.js, you might have faced challenges in enabling the users of your application to access their GitHub Enterprise resources. If so, passport.js is a library that comes to your rescue.

Passport is an authentication middleware for Node.js. This module lets you authenticate using OAuth 2.0 in your Node.js applications.

This post covers GitHub Enterprise OAuth2 authentication and authorization using passport.js. GitHub Enterprise implements OAuth2 using the standard authorization code grant type.

I will show you a brief demo and some code snippets that can be used in your client applications to authenticate and authorize a user to provide access to a particular GitHub resource.

A resource can be anything on GitHub that needs authorization from the resource owner, such as a repository, a branch, commit rights, etc.

The following diagram explains how OAuth2 implementation works:

Flow Diagram Showing How OAuth2 Works

1) Register OAuth Application On GitHub

To begin with, first you need to create an OAuth application on your GitHub enterprise site.

Go to “Settings” >> “Developer Settings” >> “OAuth Apps” >> “New OAuth Apps”.

Then provide the endpoint of your client application; I have given it as https://localhost:5000.

Also, mention the “Authorization Callback URL”, whose significance is covered in the next section. It can be any custom endpoint.

This is the same endpoint to which the resource owner is redirected back into your client application after authentication, in step 2 of the above flow diagram.

GitHub OAuth Application Registration

Once we have registered the OAuth application on GitHub, we will get a clientId and a clientSecret.
Note: These are the auth keys for your application. Save these keys, but make sure you don’t publish them anywhere.

2) Get Grant From GitHub

Create a file and give it any name, say passport.js.

GitHubStrategy in passport.js will make a GET call to http(s)://[hostname]/login/oauth/authorize to receive the grant from the resource owner.
Put the following contents in your file:

Passport.js

In the above code snippet, we use the GitHubStrategy of passport.js to obtain the grant from the resource owner. Remember that the grant expires after 10 minutes; once it has expired, you can no longer exchange this grant code with the authorization server for an access token.

Note: clientId and clientSecret are the keys you received after registering the GitHub application. Also, the callback URL must be the same as the one given while registering your application.
For scopes, refer to this.

3) Fetch GitHub Access Token

Now that you have a grant, you can call the authorization server, which will send the access token to your client application.

Index.js

In the above code snippet, a few things need to be considered:

a) /github/auth/callback is the same callback URL that you gave while registering the GitHub application in step 1).

b) grantCode is the grant returned in step 2).

c) We are saving the access_token in session as:
req.session.github_token = responseBody.access_token;

Your application is now ready to use the access_token to access any resource on your GitHub Enterprise instance, whose endpoints must begin with https://<enterprise-github-domain>/api/v3.

Refer to the GitHub APIs for accessing various resources.
