Chapter 4. Building a simple OAuth protected resource


This chapter covers

  • Parsing an incoming HTTP request for OAuth tokens
  • Responding to token errors
  • Serving requests differently based on scopes
  • Serving requests differently based on the resource owner

Now that we’ve got a working OAuth client, it’s time to create a protected resource for the client to call with those access tokens. In this chapter, we’ll be building a simple resource server that our client can call and our authorization server can protect. We’ll be giving you a fully functional client and authorization server for each exercise, all designed to work together.


All of the exercises and examples in this book are built using Node.js and JavaScript. Each exercise consists of several components designed to run on a single system accessible from localhost on various ports. For more information about the framework and its structure, see appendix A.

4.1. Parsing the OAuth token from the HTTP request

4.2. Validating the token against our data store

4.3. Serving content based on the token

4.4. Summary