2022-03-23
2683
#node
Diogo Souza
18542
Mar 23, 2022 â‹… 9 min read

How to implement OAuth 2.0 in Node.js

Diogo Souza Brazilian dev. Creator of altaluna.com.br

Recent posts:

Gemini CLI tutorial — Will it replace Windsurf and Cursor?

Gemini CLI tutorial — Will it replace Windsurf and Cursor?

Discover how to use Gemini CLI, Google’s new open-source AI agent that brings Gemini directly to your terminal.

Chizaram Ken
Jul 10, 2025 â‹… 8 min read
React & TypeScript: 10 Patterns For Writing Better Code

React & TypeScript: 10 patterns for writing better code

This article explores several proven patterns for writing safer, cleaner, and more readable code in React and TypeScript.

Peter Aideloje
Jul 10, 2025 â‹… 11 min read
A Guide To Wrapper Vs. Container Classes In CSS

A guide to wrapper vs. container classes in CSS

A breakdown of the wrapper and container CSS classes, how they’re used in real-world code, and when it makes sense to use one over the other.

Temitope Oyedele
Jul 7, 2025 â‹… 10 min read
Stagehand and Gemini logos on a gradient background symbolizing AI web automation

How to build a web-based AI agent with Stagehand and Gemini

This guide walks you through creating a web UI for an AI agent that browses, clicks, and extracts info from websites powered by Stagehand and Gemini.

Elijah Asaolu
Jul 4, 2025 â‹… 8 min read
View all posts

12 Replies to "How to implement OAuth 2.0 in Node.js"

  1. HI , I getting “OAuth2Error: User credentials are invalid” . I am sure that both user name and password correct

  2. I hope it can help somebody, to test http://localhost:3000/test/hello you must use postman 7.36.1 and the code to test it is
    curl –location –request POST ‘http://localhost:3000/test/hello’ \
    –header ‘Authorization: Bearer 9bc8aefc932074166cada3cb1234705824e6e6ad’

    put token that you get in the previous step.

  3. This is a string injection security vulnerability:

    ___________
    function getUserIDFromBearerToken(bearerToken, cbFunc) {
    const getUserIDQuery = `SELECT * FROM access_tokens WHERE access_token = ‘${bearerToken}’;`;
    ___________

    Don’t use this code. Parameterized SQL queries are the reliable way to escape a string.

  4. Hey!

    Thank you for your effort and time writing this post. However, the post is a kind of bad example of OAuth 2.0 protocol that we find on the web. We should notice that OAuth 2.0 is an authorization protocol, not an authentication one, although many developers try to use it for that purpose.

    You can find the spec here: https://oauth.net/2/. Some useful links to visit:

    * https://dev.to/kimmaida/authorization-and-authentication-for-everyone-27j3
    * https://newbedev.com/why-is-it-a-bad-idea-to-use-plain-oauth2-for-authentication
    * https://auth0.com/docs/authorization/protocols/protocol-oauth2
    * https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
    * https://dev.to/bam92/oauth-2-spec-is-misunderstood-why-14jd

    1. The effort you did to create this content is considerable but it’s really important to take note of this:

      “This implements the password credential grant. The error should be JSON as well (currently HTML). Please note, that the password credential grant is not the recommended way to do OAuth – consider using the authorization code grant.”

  5. I tried to rewrite for MySQL. I reated user successfully but I had not had any success with the “/login” route:
    OAuth2Error: User credentials are invalid
    at OAuth2Error (d:\web-work\oa2\logrocket-oauth2-example\node_modules\node-oauth2-server\lib\error.js:30:12)
    at d:\web-work\oa2\logrocket-oauth2-example\node_modules\node-oauth2-server\lib\grant.js:228:19
    at d:\web-work\oa2\logrocket-oauth2-example\db\userDB.js:29:9
    at Query.onResult (d:\web-work\oa2\logrocket-oauth2-example\db\pgWrapper.js:37:9)
    at d:\web-work\oa2\logrocket-oauth2-example\node_modules\mysql2\lib\commands\query.js:86:16
    at processTicksAndRejections (node:internal/process/task_queues:78:11)

  6. OAuth2Error: Method must be POST with application/x-www-form-urlencoded encoding
    I want to send payload as Content-Type: application/json

Leave a Reply