Model Overview
OAuth2Server requires a model object through which some aspects of storage, retrieval and custom validation are abstracted.
Grant Types
RFC 6749 describes a number of grants for a client application to acquire an access token.
The following grant types are supported by oauth2-server:
Authorization Code Grant
An authorization code is a credential representing the resource owner’s authorization (to access its protected resources) which is used by the client to obtain an access token.
Model functions used by the authorization code grant:
- generateAccessToken(client, user, scope, [callback])
- generateRefreshToken(client, user, scope, [callback])
- generateAuthorizationCode(client, user, scope, [callback])
- getAuthorizationCode(authorizationCode, [callback])
- getClient(clientId, clientSecret, [callback])
- saveToken(token, client, user, [callback])
- saveAuthorizationCode(code, client, user, [callback])
- revokeAuthorizationCode(code, [callback])
- validateScope(user, client, scope, [callback])
Client Credentials Grant
The client can request an access token using only its client credentials (or other supported means of authentication) when requesting access to the protected resources under its control.
Note: The client credentials grant type must only be used by confidential clients.
Model functions used by the client credentials grant:
- generateAccessToken(client, user, scope, [callback])
- getClient(clientId, clientSecret, [callback])
- getUserFromClient(client, [callback])
- saveToken(token, client, user, [callback])
- validateScope(user, client, scope, [callback])
Refresh Token Grant
If the authorization server issued a refresh token to the client, the client can use it to request a refresh of its authorization token.
Model functions used by the refresh token grant:
- generateRefreshToken(client, user, scope, [callback])
- getRefreshToken(refreshToken, [callback])
- getClient(clientId, clientSecret, [callback])
- saveToken(token, client, user, [callback])
- revokeToken(token, [callback])
Password Grant
The password grant is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form).
Model functions used by the password grant:
- generateAccessToken(client, user, scope, [callback])
- generateRefreshToken(client, user, scope, [callback])
- getClient(clientId, clientSecret, [callback])
- getUser(username, password, [callback])
- saveToken(token, client, user, [callback])
- validateScope(user, client, scope, [callback])
Extension Grants
The authorization server may also implement custom grant types to issue access (and optionally refresh) tokens.
See Extension Grants.
Request Authentication
The authorization server authenticates requests sent to the resource server by verifying the included bearer token.
Model functions used during request authentication: