Secure a Node API with OAuth 2.0 Client Credentials

This article shows how to secure a Node API with an OAuth 2.0 client credentials flow.

Stephen Mansfield

Hello,

Having trouble with getting the second part of this tutorial working. Specifically the section “Test your Secure API”:

    require('dotenv').config()
    const request = require('request-promise')
    const btoa = require('btoa')
    const { ISSUER, TEST_CLIENT_ID, TEST_CLIENT_SECRET, DEFAULT_SCOPE } = process.env

    const test = async () => {
      const token = btoa(`${TEST_CLIENT_ID}:${TEST_CLIENT_SECRET}`)
      try {
        // Request an access token with the client credentials grant
        const { token_type, access_token } = await request({
          uri: `${ISSUER}/v1/token`,
          json: true,
          method: 'POST',
          headers: {
            authorization: `Basic ${token}`,
          },
          form: {
            grant_type: 'client_credentials',
            scope: DEFAULT_SCOPE,
          },
        })

        // Call the protected API with the returned token
        const response = await request({
          uri: 'http://localhost:3000',
          json: true,
          headers: {
            authorization: [token_type, access_token].join(' '),
          },
        })

        console.log(response)
      } catch (error) {
        console.log(`Error: ${error.message}`)
      }
    }

    test()

When I execute the test.js I get a “TEST_ERROR: Error: Parse Error”. I am getting the correct token_type and access_token from Okta. When the second “request” is executed I get the error “TEST_Error: Error: Parse Error”. Below is the section of code that is failing.

    const response = await request({
      uri: 'http://localhost:3000',
      json: true,
      headers: {
        authorization: [token_type, access_token].join(' '),
      },
    })

It looks like it's not liking the authorization header. The token_type and access_token look correct:

authorization: Bearer eyJraWQiOiJoai1TdEl6eDlaUmRoaFpNeUlCalpRSkg2N3lsYkRCcmdJZ191ZkpycVZBIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnVPZHVaTHJ5YlM1dkszQkljVU5NSE00eThXcjQwUjFmMDZkSzdqLVIySHMiLCJpc3MiOiJodHRwczovL2phYmlsc2ttLm9rdGEuY29tL29hdXRoMi9hdXNhYzZ6NThoZmFyVTQzUzM1NiIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImlhdCI6MTU0OTY1MTgwMywiZXhwIjoxNTQ5NzM4MjAzLCJjaWQiOiIwb2FhY2FxNzZqQjFWNjBMODM1NiIsInNjcCI6WyJzdWNoX3Njb3BlIl0sInN1YiI6IjBvYWFjYXE3NmpCMVY2MEw4MzU2In0.dCEsxinqWL2du88KdVFBCCSBuzkyL7JzdDjCKM1wBcWqUtpl8riLFtDzTXzokjS8sucuPmEv7iWTK3pEOzfkk0w6tV8bcjNV1tapdzlU-2jp6JhByEu39Fd_F8BpHkBGQVLoA15XsUZv2e7X2eQNzI66LiPHbCzb8o13PVVPLJumyMcpgbX2uWFFW_iPXvIqszzr1RSyj_ZDGISA1oCEJAuVLoCnuNwKe8gE3W7KQqKdI8kNIXQB5V0Hwhb-hWWxNfqD33wt5icd_HtFJog6PHNH6MpD0Xuzzr9vpS0zwSwTUVjZno-WwbYmDIQrNU7zybKVZulNAuGWBEoEP31yqA

Any ideas what I might be doing wrong?

Regards,
Steve Mansfield
