OAuth 2.0 Authentication Guide
Implement OAuth 2.0 securely in your applications. Note that OAuth 2.0 itself is an authorization framework, not a login protocol; sign-in on top of it is what OpenID Connect adds, and the Passport Google strategy below relies on that identity layer to return a user profile.
What Is OAuth 2.0?
OAuth 2.0 (RFC 6749) is an authorization framework. It lets a third-party application obtain limited, scoped access to a user's resources on another service without the user ever handing their password to that application.
Key Terms
Resource Owner = The user who owns the data and grants access
Client = Your application, which requests access on the user's behalf
Authorization Server = Authenticates the user, obtains consent and issues tokens (for example Google or Facebook)
Resource Server = The API that hosts the protected resources and accepts access tokens
Access Token = The credential the client presents to the resource server; it is usually a bearer token, so anyone who holds it can use it, which is why it must be kept out of logs, URLs and browser storage
Authorization Code Flow
const crypto = require('node:crypto');
// 1. Redirect the user to the authorization endpoint. Build the query with
//    URLSearchParams so every value is URL-encoded (a template literal split
//    across lines would put literal newlines into the URL), and add a random
//    `state` bound to the session so the callback can be checked for CSRF.
const state = crypto.randomBytes(16).toString('hex');
session.oauthState = state;
const authUrl = new URL('https://auth.example.com/authorize');
authUrl.search = new URLSearchParams({
  client_id: CLIENT_ID,
  redirect_uri: REDIRECT_URI,
  response_type: 'code',
  scope: 'read:profile',
  state,
}).toString();
// 2. On the callback, verify `state` before trusting `code`.
const callbackParams = new URL(callbackUrl).searchParams;
if (callbackParams.get('state') !== session.oauthState) {
  throw new Error('state mismatch');
}
const authCode = callbackParams.get('code');
// 3. Exchange the code for a token. This runs on the server only (client_secret
//    must never reach a browser); redirect_uri must equal the value from step 1.
const response = await fetch('https://auth.example.com/token', {
  method: 'POST',
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authCode,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
  }),
});
if (!response.ok) throw new Error(`token request failed: ${response.status}`);
const { access_token } = await response.json();
Using Passport.js
const passport = require('passport');
const GoogleStrategy = require('passport-google-oauth20').Strategy;
passport.use(new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: '/auth/google/callback', // resolved against the request; the absolute URL must match the one registered with Google exactly
  state: true // passport-oauth2 generates a random state, keeps it in the session and checks it on callback (needs session middleware)
}, (accessToken, refreshToken, profile, done) => {
  // Map the Google profile to your own user record (look up or create it by
  // profile.id) instead of passing the raw profile into the session.
  return done(null, { id: profile.id, name: profile.displayName });
}));
// Start the flow, then handle Google's redirect back to the callback URL.
app.get('/auth/google', passport.authenticate('google', { scope: ['profile'] }));
app.get('/auth/google/callback',
  passport.authenticate('google', { failureRedirect: '/login' }),
  (req, res) => res.redirect('/'));
Conclusion
OAuth 2.0 is the industry standard for delegated authorization, and Passport.js simplifies integration with multiple providers. Its security still rests on the details: a session-bound state (and PKCE where supported), exact matching of the registered redirect URI, and keeping the client secret and access tokens on the server rather than in the browser.