OAuth2 Authentication

The OAuth2 strategy is only enabled if you pass in a top level config object other than local and token. Once a user has successfully authenticated, if they aren't in your database they get created, and a JSON Web Token (JWT) along with the current user are returned to use for future authentication with your feathers app.

Because OAuth relies on a series of redirects we need to get the user their JWT somehow without putting it in the query string, which is potentially insecure.

To solve this problem, Feathers redirects to a configurable successRedirect route and puts the user's JWT token in a cookie with the default name feathers-jwt. Your client side app can then parse the cookie for the token and use it to further authenticate. This is exactly what the client side component of the Feathers authentication module does for you automatically.

ProTip: Many other frameworks either use sessions for auth or if using a token + OAuth just shove the token in the query string. This is potentially insecure as an intermediary could be logging these URLs with the token in them, even over HTTPS.


Server Side

This is what a typical server setup looks like:

var FacebookStrategy = require('passport-facebook').Strategy;

  facebook: {
    strategy: FacebookStrategy,
    'clientID': 'your-facebook-client-id',
    'clientSecret': 'your-facebook-client-secret',
    'permissions': {
      authType: 'rerequest',
      'scope': ['public_profile', 'email']

OAuth2 Service Specific Options

All of the top level authentication options are passed to an OAuth2 authentication service and the passport strategies. If you need to customize your OAuth2 specific configuration you can use these options:

  • clientID (required) - Your OAuth2 clientID
  • clientSecret (required) - Your OAuth2 clientSecret
  • permissions (required) - An object with the permissions you are requesting. See your passport provider docs for details. state is set to true and session is set to false by default.
  • strategy (required) - The Passport OAuth strategy for your oauth provider (ie. passport-facebook)
  • tokenStrategy [optional] - The Passport OAuth token strategy if you want to support mobile authentication without a browser.
  • passReqToCallback (default: true) [optional] - A Passport option to pass the request object to the oauth callback handler.
  • endPoint (default: '/auth/') [optional] - This is the endpoint that your OAuth2 provider service is located at. For example, /auth/facebook.
  • callbackSuffix (default: 'callback') [optional] - This gets added to the provider endpoint to form the callback url. For example /auth/facebook/callback.

ProTip: Feathers just uses Passport authentication strategies so you can pass any strategy specific options in your provider config and it will be automatically passed on to the strategy you are using.

Client Side

Typically the only thing you need to do client-side is have a link or a redirect to your authentication provider's endpoint (ie. /auth/facebook).

The Feathers server will handle all the OAuth2 redirects, verification and will do a final redirect to the successRedirect endpoint, which by default is /auth/success. From there you would load your client side app and read the JWT token from the cookie and use it to authenticate. Using the Feathers client this all handled for you. It parses the JWT out of the cookie and places it in local storage. You simply need to call app.authenticate().

Using Feathers Client

The Feathers authentication module has a client side component that makes it very easy for you to add authentication to your app. It can be used in the browser, NodeJS and React Native. Refer to the feathers client authentication section for more detail.

Other Clients

Of course, if you don't want to use the feathers authentication client you can also just use vanilla sockets or ajax. It's a bit more work but honestly, not much more. We have some examples here.

results matching ""

    No results matching ""