
I'm trying to implement an OAuth2 code grant flow for native apps in my NodeJS server (written in TypeScript). Part of the specification requires me to redirect to a private-use URI scheme. However, in the ExpressJS docs I see no such option. Is it possible?

Update

Added more details here

Eyal Ringort

1 Answer


Native apps typically implement this flow themselves. First the private URI scheme is registered with the operating system at installation time. The native app then opens the system browser and runs a code flow.

An authorization server typically does the backend work, by returning an authorization code on a URL such as this. The browser then notifies the native app, which picks up the code and completes the flow to get tokens:

x-mycompany-myapp:/callback?code=xxx&state=yyy

To see how an end-to-end flow works, you could maybe run my code sample.

AUTHORIZATION SERVER

ExpressJS is not designed for implementing the authorization server role, though it could be done in theory. Instead aim to use a free cloud or docker based authorization server. There are many subtleties to implementing such a system.

UPDATE

It seems your login page is an SPA that makes an Ajax request to post user credentials. You cannot redirect that since it will lead to CORS errors. A quick fix is to return a response URL in a JSON response payload, then in JavaScript set location.href to that value.

Note that the login flow in a real authorization server is quite a deep topic. Some behaviours are provided in the OAuth Threat Model.

Gary Archer
  • That's exactly what I'm doing - using ExpressJS for implementing an authorization server... I'm familiar with the code grant flow :-) Using the URL you wrote causes ExpressJS to navigate to the current domain with your URL concatenated to it... I'm using Mac and there might be a need for double '/' (tried it but still having problems) – Eyal Ringort May 10 '23 at 14:38
  • Sounds like the private URI scheme is not registered on macOS. If it was the browser would present a prompt to return to the app. Have a look at the Registration section of the above blog post, and the SwiftDefaultApps tool, to see what app, if any, the scheme maps to. – Gary Archer May 10 '23 at 16:32
  • Or your code is not calling response.redirect correctly. Implementing a code flow correctly using ExpressJS would be a lot of work. I would recommend using a free cloud or docker based authorization server instead. – Gary Archer May 10 '23 at 17:30
  • I've already installed SwiftDefaultApps... Even when I register a new private URI using it I can't open the app using the URI nor can I open an already installed program URI (your URI does work). – Eyal Ringort May 11 '23 at 07:31
  • My task is to build the authorization server (we might migrate later on to a 3rd party provider) so I have to go ahead with implementing it – Eyal Ringort May 11 '23 at 07:32
  • I think I see your issue now, based on the other question. See the update section above. – Gary Archer May 15 '23 at 07:58
  • I wanted to rely on the User Agent to redirect the user, isn't it the better option? Using JavaScript to redirect the user has worked and I use it for the time being, but it seems less secure since the code is visible to someone else (i.e. the JavaScript) other than the calling app. – Eyal Ringort May 15 '23 at 08:17
  • Well redirecting an Ajax client is not right. You need to redirect the top level window. Authorization servers don't do logins via Ajax requests, so don't have this problem. – Gary Archer May 15 '23 at 11:25
  • In that case - how do they do the login? I saw in your example it just returns a response with the code to the page - or am I missing something? – Eyal Ringort May 16 '23 at 05:37
  • Well a cookie based session is used for a number of requests, with state stored between them. Often a website based tech is used, that makes redirect responses and auto form posts easier for the browser to handle. In cases where the AS receives Ajax requests, the client must receive URLs and do more work to update location.href, as above. It is not insecure to do so, just the SPA equivalent. – Gary Archer May 16 '23 at 15:29
  • I'll have a session implemented later on. So I guess I'll keep the client doing the redirect (as you did in your sample project). – Eyal Ringort May 17 '23 at 05:26
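The pattern from the answer and its update (only an exactly registered redirect URI is accepted, code and state are appended to the private-use scheme URL with proper encoding, and an Ajax login gets the URL back in JSON instead of a redirect) as an added example in plain Node.js; it is not code from the question, the answer or the linked sample project. The client registry, the names buildCallbackUrl and authorizationResponse, and the headers used to detect an Ajax request are assumptions.

```javascript
// Added example, not from the question or answer. Constructed client
// registration: the native app's private-use scheme and the exact
// redirect URI it registered (RFC 8252 calls for exact matching).
const CLIENTS = {
  'my-native-app': { redirectUris: ['x-mycompany-myapp:/callback'] },
};

// Reject any redirect_uri that is not an exact, registered match for the
// client, then append code and state via URLSearchParams rather than string
// concatenation so special characters cannot corrupt the query.
function buildCallbackUrl(clientId, redirectUri, code, state) {
  const client = CLIENTS[clientId];
  if (!client || !client.redirectUris.includes(redirectUri)) {
    throw new Error('redirect_uri is not registered for this client');
  }
  // WHATWG URL handles non-special schemes such as x-mycompany-myapp:
  const url = new URL(redirectUri);
  url.searchParams.set('code', code);
  url.searchParams.set('state', state);
  return url.toString(); // e.g. x-mycompany-myapp:/callback?code=xxx&state=yyy
}

// Decide how to deliver that URL. A top-level browser navigation can be
// redirected with an absolute Location header (Express: res.redirect(url)).
// An Ajax login (fetch/XHR) cannot follow a cross-scheme redirect, so the
// URL is returned in JSON and the SPA assigns it to location.href itself.
// Ajax detection by these two headers is an assumption for this example.
function authorizationResponse(requestHeaders, callbackUrl) {
  const isAjax =
    requestHeaders['x-requested-with'] === 'XMLHttpRequest' ||
    (requestHeaders['accept'] || '').includes('application/json');
  if (isAjax) {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ redirectUri: callbackUrl }),
    };
  }
  return { status: 302, headers: { Location: callbackUrl }, body: '' };
}

// In an Express handler this would be sent as:
//   const r = authorizationResponse(req.headers, callbackUrl);
//   res.status(r.status).set(r.headers).send(r.body);
```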