Meteor OAuth2.0 implementation for REST APIs

I have developed a centralized users database on Meteor and exposed the end points via REST APIs.
Everything is going perfect so far.

I used following package for REST APIs with Meteor:

nimble:restivus

Now I need to apply OAuth2.0 authentication on those end points.

Can anyone recommend the best package for Meteor that is nicely compatible?

Are you trying to be a client (login via Github, etc) or a provider (others authorize through you)?

“Others authorize through me”

I have the users database.

Have you looked on atmospherejs.com? I found rocketchat:oauth2-server which looks promising

I forked the rocketchat oauth server as it uses an old version of the node-oauth2-server.
I updated it and integrated meteor and mongo, added tests etc. and also wrote a custom login handler.

This is all currently wrapped up here:

OAuth2server package: The trusted source for JavaScript packages, Meteor.js resources and tools | Atmosphere
Accounts-packages to work with custom OAuth2 server:

and I also had to authenticate a user on a remote ddp connection, so I also had to write a handler for this:

There is a full implementation of accounts server and apps that use this as authentication source here:

2 Likes

Is it fully compatible with server to server communication via REST APIs?
I have a centralized server for managing users only,
and 5 different servers access my centralized users server via REST APIs.
So would this package fulfill all my requirements?

I am using this package nimble:restivus for exposing REST APIs.

I have centralized server for users developed using Meteor 1.10

There are 5 other servers/applications which are accessing this centralized server just for user authentication and users information.

Currently I am authenticating user via:

Accounts._checkPassword(user, password)

All I need is to generate accessTokens and refreshTokens for my users and validate them.

I need a very basic functionality from oauth2 just to be used on server side.

Hi, I’ve got a meteor app with user accounts (let’s call it “A”) and I want another (express) app (let’s call it “B”) to be able to “login with A” like you can “login with facebook”.
Flow is:

  • User has an account on A and is connected. (He logs there via facebook or email + password)
  • User goes to B (other domain, not meteor, other database, other company but partner)
  • User clicks on “login via A”
  • User clicks on a popup window from A to authorize connection
  • User is connected to B (an account is created if none is present) and B can request A for profile information

Does your package solve this?

Thanks a lot

Hey @jadus

This is possible, but a bit bloated. The package is designed for Meteor apps that act as a standalone OAuth2 server to authenticate multiple clients. However, feel free to try it out; it should be all covered in the documentation.

Now this would still even be possible without the package, because the OAuth2 workflow is already implemented in the accounts-oauth package, which is a co-dependency on accounts-password.

The only thing you need to do is to configure your ServiceConfiguration with the right clientId and secret and have them configured in the OAuth authentication request and provide the right parameters in the request.

Let me know if you get stuck anywhere.

P.S. I am currently writing a Meteor Microservices guide that will also cover authentication across multiple applications.

I don’t understand. Meteor is already designed to act as an OAuth server?

To the extent of the workflow that is required for a password-based login, yes. The accounts-oauth package itself depends on the oauth package, and it implements all the authentication related workflow: https://github.com/meteor/meteor/tree/devel/packages/oauth

I think to implement your workflow you basically need to know the auth url (which should be defined somewhere in one of these packages) and register your service as posted above.

Edit: I think there is a bit more, since you will have to register some http route that returns the user credentials in exchange for the token you provide. Maybe this is also defined somewhere?

The package I provide provides OAuth2 features beyond this workflow, which is why it may be too much for your use case.

By the way - if you get it running, it may be a good use-case for a nice tutorial or article.

I don’t understand why the rocket chat package is not exactly what I need:

This package is an implementation of the package node-oauth2-server for Meteor.

It implements the authorization_code grant and works like Facebook’s OAuth popup.

Isn’t that what I want to do?

Thanks for your help!

It seems to me to be exactly what you are looking for if you want to be an OAuth provider rather than a consumer.

Thanks a lot

And does this seem to be the case?:

I’d like to be sure I’m not going in the wrong direction…

Yes I would definitely say you have a correct use case.

1 Like