Chapter 5. Building a simple OAuth authorization server
This chapter covers

  • Managing registered OAuth clients
  • Having a user authorize a client
  • Issuing a token to an authorized client
  • Issuing and responding to a refresh token

In the last two chapters, we built an OAuth client application that fetched a token from an authorization server and used that token at a protected resource, and we built the protected resource for the client to access. In this chapter, we’ll build a simple authorization server that supports the authorization code grant type. This component manages clients, performs the delegation step that is the core of OAuth (letting the resource owner authorize a client), and issues tokens to clients.

All of the exercises and examples in this book are built using Node.js and JavaScript. Each exercise consists of several components designed to run on a single system accessible from localhost on various ports. For more information about the framework and its structure, see appendix A.

5.1. Managing OAuth client registrations

5.2. Authorizing a client

5.3. Issuing a token

5.4. Adding refresh token support

5.5. Adding scope support

5.6. Summary