Gathering detailed insights and metrics for grant
Gathering detailed insights and metrics for grant
Gathering detailed insights and metrics for grant
Gathering detailed insights and metrics for grant
npm install grant
95.9
Supply Chain
99.2
Quality
75.5
Maintenance
50
Vulnerability
100
License
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
4,103 Stars
1,190 Commits
257 Forks
50 Watching
1 Branches
53 Contributors
Updated on 27 Nov 2024
JavaScript (100%)
Cumulative downloads
Total Downloads
Last day
-1%
31,316
Compared to previous day
Last week
-2.1%
184,916
Compared to previous week
Last month
4.1%
805,437
Compared to previous month
Last year
-13.6%
9,171,216
Compared to previous year
3
24
4
OAuth Proxy
23andme
| 500px
| acton
| acuityscheduling
| adobe
| aha
| alchemer
| amazon
| angellist
| apple
| arcgis
| asana
| assembla
| atlassian
| auth0
| authentik
| authentiq
| authing
| autodesk
| aweber
| axosoft
| baidu
| basecamp
| battlenet
| beatport
| bitbucket
| bitly
| box
| buffer
| campaignmonitor
| cas
| cheddar
| clio
| cognito
| coinbase
| concur
| constantcontact
| coursera
| crossid
| dailymotion
| deezer
| delivery
| deputy
| deviantart
| digitalocean
| discogs
| discord
| disqus
| docusign
| dribbble
| dropbox
| ebay
| echosign
| ecwid
| edmodo
| egnyte
| etsy
| eventbrite
| evernote
| eyeem
| facebook
| familysearch
| feedly
| figma
| fitbit
| flickr
| formstack
| foursquare
| freeagent
| freelancer
| freshbooks
| fusionauth
| garmin
| geeklist
| genius
| getbase
| getpocket
| gitbook
| github
| gitlab
| gitter
| goodreads
| google
| groove
| gumroad
| harvest
| hellosign
| heroku
| homeaway
| hootsuite
| huddle
| ibm
| iconfinder
| idme
| idonethis
| imgur
| infusionsoft
| instagram
| intuit
| jamendo
| jumplead
| kakao
| keycloak
| line
| linkedin
| live
| livechat
| logingov
| lyft
| mailchimp
| mailup
| mailxpert
| mapmyfitness
| mastodon
| medium
| meetup
| mendeley
| mention
| microsoft
| mixcloud
| moxtra
| myob
| naver
| nest
| netlify
| nokotime
| notion
| nylas
| okta
| onelogin
| openstreetmap
| optimizely
| osu
| patreon
| paypal
| phantauth
| pinterest
| plurk
| podio
| procore
| producthunt
| projectplace
| pushbullet
| qq
| ravelry
| redbooth
| reddit
| runkeeper
| salesforce
| sellsy
| shoeboxed
| shopify
| skyrock
| slack
| slice
| smartsheet
| smugmug
| snapchat
| snowflake
| socialpilot
| socrata
| soundcloud
| spotify
| square
| stackexchange
| stocktwits
| stormz
| storyblok
| strava
| stripe
| surveymonkey
| surveysparrow
| thingiverse
| ticketbud
| tiktok
| timelyapp
| todoist
| trakt
| traxo
| trello
| tripit
| trustpilot
| tumblr
| twitch
| twitter
| typeform
| uber
| unbounce
| underarmour
| unsplash
| untappd
| upwork
| uservoice
| vend
| venmo
| vercel
| verticalresponse
| viadeo
| vimeo
| visualstudio
| vk
| wechat
| weekdone
| weibo
| withings
| wordpress
| workos
| wrike
| xero
| xing
| yahoo
| yammer
| yandex
| zendesk
| zoom
1var express = require('express') 2var session = require('express-session') 3var grant = require('grant').express() 4 5var app = express() 6// REQUIRED: any session store - see /examples/handler-express 7app.use(session({secret: 'grant'})) 8// mount grant 9app.use(grant({/*configuration - see below*/}))
1var Koa = require('koa') 2var session = require('koa-session') 3var grant = require('grant').koa() 4 5var app = new Koa() 6// REQUIRED: any session store - see /examples/handler-koa 7app.keys = ['grant'] 8app.use(session(app)) 9// mount grant 10app.use(grant({/*configuration - see below*/}))
1var Hapi = require('hapi') 2var yar = require('yar') 3var grant = require('grant').hapi() 4 5var server = new Hapi.Server() 6server.register([ 7 // REQUIRED: any session store - see /examples/handler-hapi 8 {plugin: yar, options: {cookieOptions: {password: 'grant', isSecure: false}}}, 9 // mount grant 10 {plugin: grant({/*configuration - see below*/})} 11])
1var fastify = require('fastify') 2var cookie = require('@fastify/cookie') 3var session = require('@fastify/session') 4var grant = require('grant').fastify() 5 6fastify() 7 .register(cookie) 8 .register(session, {secret: 'grant', cookie: {secure: false}}) 9 .register(grant({/*configuration - see below*/}))
1var grant = require('grant').aws({ 2 config: {/*configuration - see below*/}, session: {secret: 'grant'} 3}) 4 5exports.handler = async (event) => { 6 var {redirect, response} = await grant(event) 7 return redirect || { 8 statusCode: 200, 9 headers: {'content-type': 'application/json'}, 10 body: JSON.stringify(response) 11 } 12}
1var grant = require('grant').azure({ 2 config: {/*configuration - see below*/}, session: {secret: 'grant'} 3}) 4 5module.exports = async (context, req) => { 6 var {redirect, response} = await grant(req) 7 return redirect || { 8 status: 200, 9 headers: {'content-type': 'application/json'}, 10 body: JSON.stringify(response) 11 } 12}
1var grant = require('grant').gcloud({ 2 config: {/*configuration - see below*/}, session: {secret: 'grant'} 3}) 4 5exports.handler = async (req, res) => { 6 var {response} = await grant(req, res) 7 if (response) { 8 res.statusCode = 200 9 res.setHeader('content-type', 'application/json') 10 res.end(JSON.stringify(response)) 11 } 12}
1var grant = require('grant').vercel({ 2 config: {/*configuration - see below*/}, session: {secret: 'grant'} 3}) 4 5module.exports = async (req, res) => { 6 var {response} = await grant(req, res) 7 if (response) { 8 res.statusCode = 200 9 res.setHeader('content-type', 'application/json') 10 res.end(JSON.stringify(response)) 11 } 12}
express / koa / hapi / fastify / aws / azure / gcloud / vercel
1{ 2 "defaults": { 3 "origin": "http://localhost:3000", 4 "transport": "session", 5 "state": true 6 }, 7 "google": { 8 "key": "...", 9 "secret": "...", 10 "scope": ["openid"], 11 "nonce": true, 12 "custom_params": {"access_type": "offline"}, 13 "callback": "/hello" 14 }, 15 "twitter": { 16 "key": "...", 17 "secret": "...", 18 "callback": "/hi" 19 } 20}
http://localhost:3000
| https://site.com
...callback
routegoogle
| twitter
...
consumer_key
or client_id
of your OAuth appconsumer_secret
or client_secret
of your OAuth app/hello
| https://site.com/hey
...Key | Location | Description |
---|---|---|
Authorization Server | ||
request_url | oauth.json | OAuth 1.0a only, first step |
authorize_url | oauth.json | OAuth 2.0 first step, OAuth 1.0a second step |
access_url | oauth.json | OAuth 2.0 second step, OAuth 1.0a third step |
oauth | oauth.json | OAuth version number |
scope_delimiter | oauth.json | String delimiter used for concatenating multiple scopes |
token_endpoint_auth_method | [provider] | Authentication method for the token endpoint |
token_endpoint_auth_signing_alg | [provider] | Signing algorithm for the token endpoint |
Client Server | ||
origin | defaults | Where your client server can be reached |
prefix | defaults | Path prefix for the Grant internal routes |
state | defaults | Random state string for OAuth 2.0 |
nonce | defaults | Random nonce string for OpenID Connect |
pkce | defaults | Toggle PKCE support |
response | defaults | Response data to receive |
transport | defaults | A way to deliver the response data |
callback | [provider] | Relative or absolute URL to receive the response data |
overrides | [provider] | Static configuration overrides for a provider |
dynamic | [provider] | Configuration keys that can be overridden dynamically over HTTP |
Client App | ||
key client_id consumer_key | [provider] | The client_id or consumer_key of your OAuth app |
secret client_secret consumer_secret | [provider] | The client_secret or consumer_secret of your OAuth app |
scope | [provider] | List of scopes to request |
custom_params | [provider] | Custom authorization parameters and their values |
subdomain | [provider] | String to embed into the authorization server URLs |
public_key | [provider] | Public PEM or JWK |
private_key | [provider] | Private PEM or JWK |
redirect_uri | generated | Absolute redirect URL of the OAuth app |
Grant | ||
name | generated | Provider's name |
[provider] | generated | Provider's name as key |
profile_url | profile.json | User profile URL |
Key | Location | Value |
---|---|---|
Authorization Server | ||
request_url | oauth.json | 'https://api.twitter.com/oauth/request_token' |
authorize_url | oauth.json | 'https://api.twitter.com/oauth/authenticate' |
access_url | oauth.json | 'https://api.twitter.com/oauth/access_token' |
oauth | oauth.json | 2 1 |
scope_delimiter | oauth.json | ',' ' ' |
token_endpoint_auth_method | [provider] | 'client_secret_post' 'client_secret_basic' 'private_key_jwt' |
token_endpoint_auth_signing_alg | [provider] | 'RS256' 'ES256' 'PS256' |
Client Server | ||
origin | defaults | 'http://localhost:3000' https://site.com |
prefix | defaults | '/connect' /oauth '' |
state | defaults | true |
nonce | defaults | true |
pkce | defaults | true |
response | defaults | ['tokens', 'raw', 'jwt', 'profile'] |
transport | defaults | 'querystring' 'session' 'state' |
callback | [provider] | '/hello' 'https://site.com/hi' |
overrides | [provider] | {something: {scope: ['..']}} |
dynamic | [provider] | ['scope', 'subdomain'] |
Client App | ||
key client_id consumer_key | [provider] | '123' |
secret client_secret consumer_secret | [provider] | '123' |
scope | [provider] | ['openid', '..'] |
custom_params | [provider] | {access_type: 'offline'} |
subdomain | [provider] | 'myorg' |
public_key | [provider] | '..PEM..' '{..JWK..}' |
private_key | [provider] | '..PEM..' '{..JWK..}' |
redirect_uri | generated | 'http://localhost:3000/connect/twitter/callback' |
Grant | ||
name | generated | name: 'twitter' |
[provider] | generated | twitter: true |
profile_url | profile.json | 'https://api.twitter.com/1.1/users/show.json' |
Grant relies on configuration gathered from 6 different places:
The first place Grant looks for configuration is the built-in oauth.json file located in the config folder.
The second place Grant looks for configuration is the defaults
key, specified in the user's configuration. These defaults are applied for every provider in the user's configuration.
The third place for configuration is the provider itself. All providers in the user's configuration inherit every option defined for them in the oauth.json file, and all options defined inside the defaults
key. Having oauth.json file and a defaults
configuration is only a convenience. You can define all available options directly for a provider.
The fourth place for configuration are the provider's overrides
. The static overrides inherit their parent provider, essentially creating new provider of the same type.
The fifth place for configuration is the dynamic state override. The request/response lifecycle state of your HTTP framework of choice can be used to dynamically override configuration.
The sixth place for configuration, that potentially can override all of the above, and make all of the above optional, is the dynamic
HTTP override.
The origin
is where your client server can be reached:
1{ 2 "defaults": { 3 "origin": "http://localhost:3000" 4 } 5}
You login by navigating to the /connect/:provider
route where :provider
is a key in your configuration, usually one of the officially supported ones, but you can define your own as well. Additionally you can login through a static override defined for that provider by navigating to the /connect/:provider/:override?
route.
By default Grant operates on the following two routes:
/connect/:provider/:override?
/connect/:provider/callback
However, the default /connect
prefix can be configured:
1{ 2 "defaults": { 3 "origin": "http://localhost:3000", 4 "prefix": "/oauth" 5 } 6}
The redirect_uri
of your OAuth app should follow this format:
[origin][prefix]/[provider]/callback
Where origin
and prefix
have to match the ones set in your configuration, and provider
is a provider key found in your configuration.
For example: http://localhost:3000/connect/google/callback
This redirect URI is used internally by Grant. Depending on the transport
being used you will receive the response data in the callback
route or absolute URL configured for that provider.
Some providers may employ custom authorization parameters that you can configure using the custom_params
key:
1{ 2 "google": { 3 "custom_params": {"access_type": "offline", "prompt": "consent"} 4 }, 5 "reddit": { 6 "custom_params": {"duration": "permanent"} 7 }, 8 "trello": { 9 "custom_params": {"name": "my app", "expiration": "never"} 10 } 11}
The openid
scope is required, and generating a random nonce
string is optional but recommended:
1{ 2 "google": { 3 "scope": ["openid"], 4 "nonce": true 5 } 6}
Grant does not verify the signature of the returned id_token
by default.
However, the following two claims of the id_token
are being validated:
aud
- is the token intended for my OAuth app?nonce
- does it tie to a request of my own?PKCE can be enabled for all providers or for a specific provider only:
1{ 2 "google": { 3 "pkce": true 4 } 5}
Providers that do not support PKCE will ignore the additional parameters being sent.
Provider sub configurations can be configured using the overrides
key:
1{ 2 "github": { 3 "key": "...", "secret": "...", 4 "scope": ["public_repo"], 5 "callback": "/hello", 6 "overrides": { 7 "notifications": { 8 "key": "...", "secret": "...", 9 "scope": ["notifications"] 10 }, 11 "all": { 12 "scope": ["repo", "gist", "user"], 13 "callback": "/hey" 14 } 15 } 16 } 17}
Navigate to:
/connect/github
to request the public_repo scope
/connect/github/notifications
to request the notifications scope
using another OAuth App (key
and secret
)/connect/github/all
to request a bunch of scope
s and also receive the response data in another callback
routeBy default the response data will be returned in your callback
route or absolute URL encoded as querystring.
Depending on the transport
being used the response data can be returned in the session
or in the state
object instead.
The amount of the returned data can be controlled by using the response
configuration.
1{ 2 id_token: '...', 3 access_token: '...', 4 refresh_token: '...', 5 raw: { 6 id_token: '...', 7 access_token: '...', 8 refresh_token: '...', 9 some: 'other data' 10 } 11}
The refresh_token
is optional. The id_token
is returned only for OpenID Connect providers requesting the openid
scope.
1{ 2 access_token: '...', 3 access_secret: '...', 4 raw: { 5 oauth_token: '...', 6 oauth_token_secret: '...', 7 some: 'other data' 8 } 9}
1{ 2 error: { 3 some: 'error data' 4 } 5}
By default Grant will encode the OAuth response data as querystring
in your callback
route or absolute URL:
1{ 2 "github": { 3 "callback": "https://site.com/hello" 4 } 5}
This is useful when using Grant as OAuth Proxy. However this final https://site.com/hello?access_token=...
redirect potentially may leak private data in your server logs, especially when sitting behind a reverse proxy.
For local callback
routes the session transport
is recommended:
1{ 2 "defaults": { 3 "transport": "session" 4 }, 5 "github": { 6 "callback": "/hello" 7 } 8}
This will make the OAuth response data available in the session
object instead:
1req.session.grant.response // Express 2ctx.session.grant.response // Koa 3req.yar.get('grant').response // Hapi 4req.session.grant.response // Fastify 5(await session.get()).grant.response // Serverless Function
The request/response lifecycle state
can be used as well:
1{ 2 "defaults": { 3 "transport": "state" 4 } 5}
In this case a callback
route is not needed, and it will be ignored if provided. The response data will be available in the request/response lifecycle state object instead:
1res.locals.grant.response // Express 2ctx.state.grant.response // Koa 3req.plugins.grant.response // Hapi 4res.grant.response // Fastify 5var {response} = await grant(...) // Serverless Function
By default Grant returns all of the available tokens and the raw
response data returned by the Authorization server:
1{ 2 id_token: '...', 3 access_token: '...', 4 refresh_token: '...', 5 raw: { 6 id_token: '...', 7 access_token: '...', 8 refresh_token: '...', 9 some: 'other data' 10 } 11}
When using the querystring transport
it might be a good idea to limit the response data:
1{ 2 "defaults": { 3 "response": ["tokens"] 4 } 5}
This will return only the tokens available, without the raw
response data.
This is useful when using Grant as OAuth Proxy. Encoding potentially large amounts of data as querystring can lead to incompatibility issues with some servers and browsers, and generally is considered a bad practice.
Using the session transport
is generally safer, but it also depends on the implementation of your session store.
In case your session store encodes the entire session in a cookie, not just the session ID, some servers may reject the HTTP request because of HTTP headers size being too big.
1{ 2 "google": { 3 "response": ["tokens"] 4 } 5}
This will return only the tokens available, without the raw
response data.
Grant can also return even larger response data by including the decoded JWT for OpenID Connect providers that return id_token
:
1{ 2 "google": { 3 "response": ["tokens", "raw", "jwt"] 4 } 5}
This will make the decoded JWT available in the response data:
1{ 2 id_token: '...', 3 access_token: '...', 4 refresh_token: '...', 5 raw: { 6 id_token: '...', 7 access_token: '...', 8 refresh_token: '...', 9 some: 'other data' 10 }, 11 jwt: {id_token: {header: {}, payload: {}, signature: '...'}} 12}
Make sure you include all of the response keys that you want to be returned when configuring the response
data explicitly.
Outside of the regular OAuth flow, Grant can also request the user profile:
1{ 2 "google": { 3 "response": ["tokens", "profile"] 4 } 5}
Additionaly a profile
key will be available in the response data:
1{ 2 access_token: '...', 3 refresh_token: '...', 4 profile: {some: 'user data'} 5}
The profile
key contains either the raw response data returned by the user profile endpoint or an error message.
Not all of the supported providers have their profile_url
set, and some of them might require custom parameters. Usually the user profile endpoint is accessible only when certain scope
s were requested.
Grant uses session to persist state between HTTP redirects occurring during the OAuth flow. This session, however, was never meant to be used as persistent storage, even if that's totally possible.
Once you receive the response data in your callback
route you are free to destroy that session.
However, there are a few session keys returned in your callback
route, that you may find useful:
Key | Availability | Description |
---|---|---|
provider | Always | The provider name used for this authorization |
override | Depends on URL | The static override name used for this authorization |
dynamic | Depends on request type | The dynamic override configuration passed to this authorization |
state | OAuth 2.0 only | OAuth 2.0 state string that was generated |
nonce | OpenID Connect only | OpenID Connect nonce string that was generated |
code_verifier | PKCE only | The code verifier that was generated for PKCE |
request | OAuth 1.0a only | Data returned from the first request of the OAuth 1.0a flow |
response | Depends on transport used | The final response data |
Every Grant instance have a config
property attached to it:
1var grant = Grant(require('./config')) 2console.log(grant.config)
You can use the config
property to alter the Grant's behavior during runtime without having to restart your server.
This property contains the generated configuration used internally by Grant, and changes made to that configuration affects the entire Grant instance!
The request/response lifecycle state can be used to alter configuration on every request:
1var state = {dynamic: {subdomain: 'usershop'}} 2res.locals.grant = state // Express 3ctx.state.grant = state // Koa 4req.plugins.grant = state // Hapi 5req.grant = state // Fastify 6await grant(..., state) // Serverless Function
This is useful in cases when you want to configure Grant dynamically with potentially sensitive data that you don't want to send over HTTP.
The request/response lifecycle state is not controlled by the dynamic
configuration, meaning that you can override any configuration key.
Any allowed dynamic
configuration key sent through HTTP GET/POST request will override the identical one set using a state override.
The dynamic
configuration allows certain configuration keys to be set dynamically over HTTP GET/POST request.
For example shopify
requires your shop name to be embedded into the OAuth URLs, so it makes sense to allow the subdomain
configuration key to be set dynamically:
1{ 2 "shopify": { 3 "dynamic": ["subdomain"] 4 } 5}
Then you can have a web form on your website allowing the user to specify the shop name:
1<form action="/connect/shopify" method="POST" accept-charset="utf-8"> 2 <input type="text" name="subdomain" value="" /> 3 <button>Login</button> 4</form>
Making a POST
request to the /connect/:provider/:override?
route requires a form body parser middleware:
1.use(require('body-parser').urlencoded({extended: true})) // Express 2.use(require('koa-bodyparser')()) // Koa 3.register(require('@fastify/formbody')) // Fastify
Alternatively you can make a GET
request to the /connect/:provider/:override?
route:
https://awesome.com/connect/shopify?subdomain=usershop
Any dynamic
configuration sent over HTTP GET/POST request overrides any other configuration.
In case you really want to, you can allow dynamic
configuration override of every configuration key for a provider:
1{ 2 "github": { 3 "dynamic": true 4 } 5}
And the most extreme case is allowing even non preconfigured providers to be used dynamically:
1{ 2 "defaults": { 3 "dynamic": true 4 } 5}
Essentially Grant is a completely transparent OAuth Proxy.
The origin
and the prefix
configuration is used to generate the correct redirect_uri
that Grant expects:
1{ 2 "defaults": { 3 "origin": "https://mysite.com" 4 }, 5 "google": {}, 6 "twitter": {} 7}
The above configuration is identical to:
1{ 2 "google": { 3 "redirect_uri": "https://mysite.com/connect/google/callback" 4 }, 5 "twitter": { 6 "redirect_uri": "https://mysite.com/connect/twitter/callback" 7 } 8}
Explicitly specifying the redirect_uri
overrides the one generated by default.
You can define your own provider by adding a key for it in your configuration. In this case all of the required configuration keys have to be specified:
1{ 2 "defaults": { 3 "origin": "http://localhost:3000" 4 }, 5 "awesome": { 6 "authorize_url": "https://awesome.com/authorize", 7 "access_url": "https://awesome.com/token", 8 "oauth": 2, 9 "key": "...", 10 "secret": "...", 11 "scope": ["read", "write"] 12 } 13}
Take a look at the oauth.json file on how various providers are being configured.
You can document your configuration by adding custom keys to it:
1{ 2 "google": { 3 "meta": { 4 "app": "My Awesome OAuth App", 5 "owner": "my_email@gmail.com", 6 "url": "https://url/to/manage/oauth/app" 7 } 8 } 9}
Note that meta
is arbitrary key, but it cannot be one of the reserved keys.
Grant supports different ways of instantiation:
1// Express or any other handler 2var grant = require('grant').express()(config) 3var grant = require('grant').express()({config, ...}) 4var grant = require('grant').express(config) 5var grant = require('grant').express({config, ...}) 6var grant = require('grant')({handler: 'express', config, ...})
Using the new
keyword is optional:
1var Grant = require('grant').express() 2var grant = Grant(config) 3var grant = new Grant(config)
Additionally Hapi accepts the configuration in two different ways:
1server.register([{plugin: grant(config)}]) 2server.register([{plugin: grant(), options: config}])
You can mount Grant under specific path prefix:
1// Express 2app.use('/oauth', grant(config)) 3// Koa - using koa-mount 4app.use(mount('/oauth', grant(config))) 5// Hapi 6server.register([{routes: {prefix: '/oauth'}, plugin: grant(config)}]) 7// Fastify 8server.register(grant(config), {prefix: '/oauth'})
In this case the prefix
configuration should reflect that + any other path parts that you may have:
1{ 2 "defaults": { 3 "origin": "http://localhost:3000", 4 "prefix": "/oauth/login" 5 } 6}
In this case you login by navigating to: http://localhost:3000/oauth/login/:provider
And the redirect_uri
of your OAuth app should be http://localhost:3000/oauth/login/:provider/callback
Optionally you can prefix your callback
routes as well:
1{ 2 "github": { 3 "callback": "/oauth/login/hello" 4 } 5}
The underlying HTTP client can be configured using the request
option:
1var grant = require('grant').express({ 2 config, 3 request: {agent, timeout: 5000} 4})
Fancy request logs are available too:
1npm i --save-dev request-logs 2DEBUG=req,res,json node app.js
Import Grant in your .mjs
files:
1import express from 'express' 2import session from 'express-session' 3import grant from 'grant' 4import config from './config.json' 5 6express() 7 .use(session({})) 8 .use(grant.express(config))
Importing a .json
file may require additional flag:
1node --experimental-json-modules app.mjs
Grant ships with extensive type definitions for TypeScript. Additonal type definitions and examples can be found here.
Some providers have dynamic URLs containing bits of user information embedded into them. Inside the main oauth.json configuration file such URLs contain a [subdomain]
token embedded in them.
The subdomain
option can be used to specify your company name, server region etc:
1"shopify": { 2 "subdomain": "mycompany" 3}, 4"battlenet": { 5 "subdomain": "us" 6}
Then Grant will generate the correct OAuth URLs:
1"shopify": { 2 "authorize_url": "https://mycompany.myshopify.com/admin/oauth/authorize", 3 "access_url": "https://mycompany.myshopify.com/admin/oauth/access_token" 4}, 5"battlenet": { 6 "authorize_url": "https://us.battle.net/oauth/authorize", 7 "access_url": "https://us.battle.net/oauth/token" 8}
Alternatively you can override the entire authorize_url
and access_url
in your configuration.
Some providers may have Sandbox URLs to use while developing your app. To use them just override the entire request_url
, authorize_url
and access_url
in your configuration (notice the sandbox
bits):
1"paypal": { 2 "authorize_url": "https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize", 3 "access_url": "https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice" 4}, 5"evernote": { 6 "request_url": "https://sandbox.evernote.com/oauth", 7 "authorize_url": "https://sandbox.evernote.com/OAuth.action", 8 "access_url": "https://sandbox.evernote.com/oauth" 9}
Very rarely you may need to override the redirect_uri
that Grant generates for you.
For example Feedly supports only http://localhost
as redirect URI of their Sandbox OAuth app, and it won't allow the correct http://localhost/connect/feedly/callback
URL:
1"feedly": { 2 "redirect_uri": "http://localhost" 3}
In this case you'll have to redirect the user to the [origin][prefix]/[provider]/callback
route that Grant uses to execute the last step of the OAuth flow:
1var qs = require('querystring') 2 3app.get('/', (req, res) => { 4 if (process.env.NODE_ENV === 'development' && 5 req.session.grant && 6 req.session.grant.provider === 'feedly' && 7 req.query.code 8 ) { 9 res.redirect(`/connect/${req.session.grant.provider}/callback?${qs.stringify(req.query)}`) 10 } 11})
As usual you will receive the response data in your final callback
route.
Ebay
Set the Redirect URI of your OAuth app as usual [origin][prefix]/[provider]/callback
. Then Ebay will generate a special string called RuName (eBay Redirect URL name) that you need to set as redirect_uri
in Grant:
1"ebay": { 2 "redirect_uri": "RUNAME" 3}
Flickr, Freelancer, Optimizely
Some providers are using custom authorization parameter to pass the requested scopes - Flickr perms
, Freelancer advanced_scopes
, Optimizely scopes
, but you can use the regular scope
option instead:
1"flickr": { 2 "scope": ["write"] 3}, 4"freelancer": { 5 "scope": ["1", "2"] 6}, 7"optimizely": { 8 "scope": ["all"] 9}
Mastodon
Mastodon requires the entire domain of your server to be embedded in the OAuth URLs. However you should use the subdomain
option:
1"mastodon": { 2 "subdomain": "mastodon.cloud" 3}
Openstreetmap
Openstreetmap OAuth 2.0 applications have to use the openstreetmap2
provider:
1"openstreetmap2": { 2 "state": true, 3 "scope": [ 4 "openid", 5 "read_prefs" 6 ] 7}
SurveyMonkey
Set your Mashery user name as key
and your application key as api_key
:
1"surveymonkey": { 2 "key": "MASHERY_USER_NAME", 3 "secret": "CLIENT_SECRET", 4 "custom_params": {"api_key": "CLIENT_ID"} 5}
Twitter OAuth 1.0a custom scope parameter can be specified in two ways:
1"twitter": { 2 "custom_params": {"x_auth_access_type": "read"} 3} 4"twitter": { 5 "scope": ["read"] 6}
Twitter OAuth 2.0 applications have to use the twitter2
provider:
1"twitter2": { 2 "state": true, 3 "pkce": true, 4 "scope": [ 5 "users.read", 6 "tweet.read" 7 ] 8}
VisualStudio
Set your Client Secret as secret
not the App Secret:
1"visualstudio": { 2 "key": "APP_ID", 3 "secret": "CLIENT_SECRET instead of APP_SECRET" 4}
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
0 existing vulnerabilities detected
Reason
3 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 6
Reason
Found 1/29 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
Reason
project is not fuzzed
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More