Secure a Node API with OAuth 2.0 Client Credentials

oktadev-blog · June 6, 2018, 4:55pm

This article shows how to secure a Node API with an OAuth 2.0 client credentials flow.

oktadev-blog · February 8, 2019, 8:09pm

Stephen Mansfield

Hello,

Having trouble with getting the second part of this tutorial working. Specifically the section “Test your Secure API”,

require(‘dotenv’).config() const request = require(‘request-promise’) const btoa = require(‘btoa’) const { ISSUER, TEST_CLIENT_ID, TEST_CLIENT_SECRET, DEFAULT_SCOPE } = process.env const test = async () => { const token = btoa(${TEST_CLIENT_ID}:${TEST_CLIENT_SECRET}) try { const { token_type, access_token } = await request({ uri: ${ISSUER}/v1/token, json: true, method: ‘POST’, headers: { authorization: Basic ${token}, }, form: { grant_type: ‘client_credentials’, scope: DEFAULT_SCOPE, }, }) const response = await request({ uri: ‘http://localhost:3000’, json: true, headers: { authorization: [token_type, access_token].join(’ ‘), }, }) console.log(response) } catch (error) { console.log(Error: ${error.message}) } } test()

When I execute the test.js I get a “TEST_ERROR: Error: Parse Error”. I am getting the correct token_type and access_token from Okta. When the second “request” is executed I get the error “TEST_Error: Error: Parse Error”. Below is the section of code that is failing.

const response = await request({ uri: ‘http://localhost:3000’, json: true, headers: { authorization: [token_type, access_token].join(’ '), }, })

It looks like its not liking the authorization header. The token_type and access_token look correct

authorization: Bearer eyJraWQiOiJoai1TdEl6eDlaUmRoaFpNeUlCalpRSkg2N3lsYkRCcmdJZ191ZkpycVZBIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnVPZHVaTHJ5YlM1dkszQkljVU5NSE00eThXcjQwUjFmMDZkSzdqLVIySHMiLCJpc3MiOiJodHRwczovL2phYmlsc2ttLm9rdGEuY29tL29hdXRoMi9hdXNhYzZ6NThoZmFyVTQzUzM1NiIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImlhdCI6MTU0OTY1MTgwMywiZXhwIjoxNTQ5NzM4MjAzLCJjaWQiOiIwb2FhY2FxNzZqQjFWNjBMODM1NiIsInNjcCI6WyJzdWNoX3Njb3BlIl0sInN1YiI6IjBvYWFjYXE3NmpCMVY2MEw4MzU2In0.dCEsxinqWL2du88KdVFBCCSBuzkyL7JzdDjCKM1wBcWqUtpl8riLFtDzTXzokjS8sucuPmEv7iWTK3pEOzfkk0w6tV8bcjNV1tapdzlU-2jp6JhByEu39Fd_F8BpHkBGQVLoA15XsUZv2e7X2eQNzI66LiPHbCzb8o13PVVPLJumyMcpgbX2uWFFW_iPXvIqszzr1RSyj_ZDGISA1oCEJAuVLoCnuNwKe8gE3W7KQqKdI8kNIXQB5V0Hwhb-hWWxNfqD33wt5icd_HtFJog6PHNH6MpD0Xuzzr9vpS0zwSwTUVjZno-WwbYmDIQrNU7zybKVZulNAuGWBEoEP31yqA

Any ideas what I might be wrong?

Regards,
Steve Mansfield

oktadev-blog · October 1, 2020, 3:24am

Paula Parker

Paula.parker3646@gmail.com

oktadev-blog · October 1, 2020, 3:25am

Paula Parker

Copy

oktadev-blog · February 19, 2021, 5:18am

piyush dabhi

techmasalatoday

Post		Replies	Views
Secure Server-to-Server Communication with Spring Boot and OAuth 2.0 Developer Blog Comments	61	6808	April 22, 2021
How to Secure Your .NET Web API with Token Authentication Developer Blog Comments	45	5343	February 16, 2022
How to Use Client Credentials Flow with Spring Security Developer Blog Comments	42	11686	March 13, 2023
Create and Verify JWTs in PHP with OAuth 2.0 Developer Blog Comments	11	3081	September 14, 2021
OAuth 2.0 for Native and Mobile Apps Developer Blog Comments	4	2746	September 20, 2024

Secure a Node API with OAuth 2.0 Client Credentials

Related topics