Merge pull request #464 from adieuadieu/implicit-grant-support

Implicit grant flow v3 (rebased #271)

Author: mjsalinger

README.md

@@ -20,7 +20,7 @@ The *oauth2-server* module is framework-agnostic but there are several officiall
 
 ## Features
 
-- Supports `authorization_code`, `client_credentials`, `refresh_token` and `password` grant, as well as *extension grants*, with scopes.
+- Supports `authorization_code`, `client_credentials`, `refresh_token`, `implicit` and `password` grant, as well as *extension grants*, with scopes.
 - Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
 - Fully [RFC 6749](https://tools.ietf.org/html/rfc6749.html) and [RFC 6750](https://tools.ietf.org/html/rfc6750.html) compliant.
 - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc.

docs/api/oauth2-server.rst

@@ -128,25 +128,27 @@ Authorizes a token request.
 
 **Arguments:**
 
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| Name                                    | Type            | Description                                                                 |
-+=========================================+=================+=============================================================================+
-| request                                 | :doc:`request`  | Request object.                                                             |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [request.query.allowed=undefined]       | String          | ``'false'`` to deny the authorization request (see remarks section).        |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| response                                | :doc:`response` | Response object.                                                            |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [options={}]                            | Object          | Handler options.                                                            |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [options.authenticateHandler=undefined] | Object          | The authenticate handler (see remarks section).                             |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [options.allowEmptyState=false]         | Boolean         | Allow clients to specify an empty ``state``.                                |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [options.authorizationCodeLifetime=300] | Number          | Lifetime of generated authorization codes in seconds (default = 5 minutes). |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
-| [callback=undefined]                    | Function        | Node-style callback to be used instead of the returned ``Promise``.         |
-+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| Name                                    | Type            | Description                                                                    |
++=========================================+=================+================================================================================+
+| request                                 | :doc:`request`  | Request object.                                                                |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [request.query.allowed=undefined]       | String          | ``'false'`` to deny the authorization request (see remarks section).           |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| response                                | :doc:`response` | Response object.                                                               |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [options={}]                            | Object          | Handler options.                                                               |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [options.authenticateHandler=undefined] | Object          | The authenticate handler (see remarks section).                                |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [options.allowEmptyState=false]         | Boolean         | Allow clients to specify an empty ``state``.                                   |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [options.authorizationCodeLifetime=300] | Number          | Lifetime of generated authorization codes in seconds (default = 5 minutes).    |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [options.accessTokenLifetime=3600]      | Number          | Lifetime of generated implicit grant access token in seconds (default = 1 hr). |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
+| [callback=undefined]                    | Function        | Node-style callback to be used instead of the returned ``Promise``.            |
++-----------------------------------------+-----------------+--------------------------------------------------------------------------------+
 
 **Return value:**
 

docs/model/overview.rst

@@ -58,6 +58,23 @@ Model functions used by the client credentials grant:
 - :ref:`Model#getUserFromClient`
 - :ref:`Model#saveToken`
 - :ref:`Model#validateScope`
+--------
+
+.. _ImplicitGrant:
+
+Implicit Grant
+------------------------
+
+See :rfc:`Section 4.2 of RFC 6749 <6749#section-4.2>`.
+
+An implicit grant is used to obtain access tokens optimised for public clients known to operate a particular redirection URI. Usually used for browser-based clients implemented in JavaScript.
+
+Model functions used by the implicit grant:
+
+- :ref:`Model#generateAccessToken`
+- :ref:`Model#getClient`
+- :ref:`Model#saveToken`
+- :ref:`Model#validateScope`
 
 --------
 

docs/model/spec.rst

@@ -399,6 +399,7 @@ This model function is **required** for all grant types.
 
 - ``authorization_code`` grant
 - ``client_credentials`` grant
+- ``implicit`` grant
 - ``refresh_token`` grant
 - ``password`` grant
 
@@ -553,6 +554,7 @@ This model function is **required** for all grant types.
 
 - ``authorization_code`` grant
 - ``client_credentials`` grant
+- ``implicit`` grant
 - ``refresh_token`` grant
 - ``password`` grant
 
@@ -865,6 +867,7 @@ This model function is **optional**. If not implemented, any scope is accepted.
 
 - ``authorization_code`` grant
 - ``client_credentials`` grant
+- ``implicit`` grant
 - ``password`` grant
 
 **Arguments:**

lib/grant-types/implicit-grant-type.js

@@ -0,0 +1,88 @@
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var AbstractGrantType = require('./abstract-grant-type');
+var InvalidArgumentError = require('../errors/invalid-argument-error');
+var Promise = require('bluebird');
+var promisify = require('promisify-any').use(Promise);
+var util = require('util');
+
+/**
+ * Constructor.
+ */
+
+function ImplicitGrantType(options) {
+  options = options || {};
+
+  if (!options.model) {
+    throw new InvalidArgumentError('Missing parameter: `model`');
+  }
+
+  if (!options.model.saveToken) {
+    throw new InvalidArgumentError('Invalid argument: model does not implement `saveToken()`');
+  }
+
+  if (!options.user) {
+    throw new InvalidArgumentError('Missing parameter: `user`');
+  }
+
+  this.scope = options.scope;
+  this.user = options.user;
+
+  AbstractGrantType.call(this, options);
+}
+
+/**
+ * Inherit prototype.
+ */
+
+util.inherits(ImplicitGrantType, AbstractGrantType);
+
+/**
+ * Handle implicit token grant.
+ */
+
+ImplicitGrantType.prototype.handle = function(request, client) {
+  if (!request) {
+    throw new InvalidArgumentError('Missing parameter: `request`');
+  }
+
+  if (!client) {
+    throw new InvalidArgumentError('Missing parameter: `client`');
+  }
+
+  return this.saveToken(this.user, client, this.scope);
+};
+
+/**
+ * Save token.
+ */
+
+ImplicitGrantType.prototype.saveToken = function(user, client, scope) {
+  var fns = [
+    this.validateScope(user, client, scope),
+    this.generateAccessToken(client, user, scope),
+    this.getAccessTokenExpiresAt()
+  ];
+
+  return Promise.all(fns)
+    .bind(this)
+    .spread(function(scope, accessToken, accessTokenExpiresAt) {
+      var token = {
+        accessToken: accessToken,
+        accessTokenExpiresAt: accessTokenExpiresAt,
+        scope: scope
+      };
+
+      return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
+    });
+};
+
+/**
+ * Export constructor.
+ */
+
+module.exports = ImplicitGrantType;