DEV Community

Discussion on: Best practices to authenticate with Passport.js

Brandin Chiu

Passport is used to help simplify the implementation of OAuth 2.0 providers.

OAuth is an authentication standard used all around the world to help make development easier for us, and the process familiar for users.

In this context, our accessToken is designed to be an authenticated session identifier for a particular person. For security, sometimes access tokens expire. In cases when you need to generate a new one, but don't want to force a user to have to enter their credentials again, you would make a request using the refreshToken to generate a new accessToken.

OAuth can be complex, but the most common implementation looks like this:

  • user clicks "login with x" link
  • user is redirected to a web form hosted by the service x
  • user enters credentials and submits
  • service x's web form redirects to a page controlled by you with a temporary code for you to use.
  • you submit the temporary code, and other security credentials (client ID and client secret, typically) through a backend API request with service x
  • service x gives you an accessToken, and optionally, a refreshToken if needed.
  • you persist the above tokens in your system so your user remains "logged in".

Regardless of what service x is, if they are implementing OAuth 2.0, they will be more or less following the above process. Passport simplifies these steps by making you not have to do this by hand for every provider you want to support, since they will function more or less the same way.