I would like to ask the community for help to better understand and use Passport.js.
The way I learned to use it, you define a strategy, make a couple of auth routes and persist the session in a cookie.
So, for instance, you would create a Google strategy like this:
```js
const passport = require('passport')
const GoogleStrategy = require('passport-google-oauth20').Strategy
// client id/secret from the Google console (placeholder values read from the environment)
const options = {
  clientID: process.env.GOOGLE_CLIENT_ID,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
  callbackURL: '/google/callback'
}
passport.use(new GoogleStrategy(
  options,
  (accessToken, refreshToken, profile, done) => done(null, profile) // verify callback: profile becomes req.user
))
```
Then add cookie-session and passport middleware:
```js
const express = require('express')
const cookieSession = require('cookie-session')
const app = express()
app.use(cookieSession({ name: 'session', keys: [process.env.COOKIE_SECRET] })) // cookieOptions: signing key (placeholder)
app.use(passport.initialize())
app.use(passport.session())
```
And finally create a login route and a callback route:
```js
passport.serializeUser((user, done) => done(null, user))   // required by passport.session(), otherwise login fails
passport.deserializeUser((user, done) => done(null, user))
app.get('/google', passport.authenticate('google', { scope: ['profile', 'email'] }))
app.get('/google/callback', passport.authenticate('google', { successRedirect: '/', failureRedirect: '/' }))
```
But my understanding of Passport.js is very limited and I often wonder if this is even a good idea. For instance, I don't really know what the parameters `accessToken` and `refreshToken` in the strategy's callback are. I imagine they serve some purpose beyond just existing, but I wouldn't know how to use them.
So I thought I'd ask around and hopefully hear good opinions on the matter.
How do you personally use Passport.js?
What method(s) do you use to persist sessions?
What are the pitfalls/security issues with the approach I outlined above?
What can we use `accessToken` and `refreshToken` for?
Thanks a lot in advance for your replies^^
Top comments (1)
Passport is used to help simplify the implementation of OAuth 2.0 providers.
OAuth is an authentication standard used all around the world to help make development easier for us, and the process familiar for users.
In this context, our `accessToken` is designed to be an authenticated session identifier for a particular person. For security, sometimes access tokens expire. In cases when you need to generate a new one, but don't want to force a user to have to enter their credentials again, you would make a request using the `refreshToken` to generate a new `accessToken`.
OAuth can be complex, but the most common implementation looks like this:
`accessToken`, and optionally, a `refreshToken` if needed.
Regardless of what service x is, if they are implementing OAuth 2.0, they will be more or less following the above process. Passport simplifies these steps by making you not have to do this by hand for every provider you want to support, since they will function more or less the same way.