Page Contents
@loopback/example-passport-login
A tutorial for implementing authentication in LoopBack 4 using passport modules.
Overview
This example demonstrates how to use the LoopBack 4 features (like
@authenticate decorator, strategy providers, etc) with
passport strategies. It includes the OAuth2 strategies
to interact with external OAuth providers like Facebook, Google, etc as well as
local and basic strategies.
You can use this example to see how to,
- Log in or Sign up into a LoopBack App using passport strategy modules
- Log in via external apps like Facebook or link those external profiles with a LoopBack user (for example, a LoopBack user can have associated Facebook/Google accounts to retrieve pictures).
- Use basic or local passport strategy modules
Prerequisites
Before starting this tutorial, make sure you have Client-ids/Secrets from third party apps
Authentication using passport strategies as Express middleware
Take a look at how to use passport strategies as Express middleware using interceptors
Authentication using passport strategies as a step in Application Sequence
Take a look at how to use passport strategies by invoking independent of Express
Install the example locally
-
Run the
lb4 examplecommand to installexample-passport-loginrepository:lb4 example passport-login -
change into directory and then install the required dependencies:
cd loopback4-example-passport-login && npm i
Run the application
By default the user data is stored using a memory connector and saved locally to
data/db.json
Start the application with
$ npm start
To use Google, Facebook or Twitter logins, you’ll need:
- Copy
oauth2-providers.template.jsonfrom this example project’s root tooauth2-providers.json. - Update Google/Facebook/Twitter configuration in the json file.
- Set
OAUTH_PROVIDERS_LOCATIONenvironment variable to../oauth2-providers.json.
Test the login scenarios
Open browser to http://localhost:3000
Scenario 1 : Sign up as a local user
- Click on
Sign Upfrom the header menu and register as a local user. - If the email provided during registration, matches with your account in Facebook or Google you can link those profiles with your local account.
- Click on
Loginfrom the header menu and enter registered email id and password. TheView accountpage loads with user information.
Scenario 2 : Link external profiles with a local user
- Click on
Loginfrom the header menu, You will see various buttons underOther login options. - When you click on any login option, the page is redirected to that social
app’s login page. On successful login with the social app, the
View accountpage is loaded. - If the email-id registered in the social media app matches with a email-id
registered locally, then the profiles will be linked and the
View accountpage will display all thelinked accountsfor that locally registered user. - Click on Logout to log out of user session
Scenario 3 : Sign up via an external Social Media app
- Click on
Loginfrom the header menu, You will see various buttons underOther login options. - When you click on any login option, the page is redirected to that social
app’s login page. On successful login with the social app, the
View accountpage is loaded. - If the email-id registered in the social media app does not match any
email-ids registered locally, then a new user is signed up.
View accountpage will display the external profile used to login under thelinked accountssection. - Click on Logout to log out of user session
Try it out with Facebook
Create a test app and test user in Facebook
- Login to Facebook developer console: https://developers.facebook.com/apps
- Click on
My Appstab in the dashboard menu, and then selectAdd a new App - This loads the
App creationpage. Pick the platform asWebsiteand then enter app category, app name and “Site URL” (Skip the quick start) - Click
Settingstab from the left hand side navigation menu, note the “App ID” and “App Secret” and save - Click the
Rolestab from the left hand side navigation menu, then theTest userslink under it, to display a list of test users. You can also create a new test user. - On any listed test user, click the edit button to open an actions menu ->
click
Change permissions granted by this test userand add [email,manage_pages] scopes to permissions
- NOTE:
- Your app may not work if the settings are missing a contact email and/or “Site URL”.
- if you are testing locally, you can simply use
localhost:[port#]as your “Site URL”.
Create oauth2-providers.json
- Copy
oauth2-providers.template.jsonfrom this example project’s root tooauth2-providers.json -
Update Facebook oauth2 config with the values for
clientID/clientSecretfrom your test app."facebook-login": { "provider": "facebook", "module": "passport-facebook", "clientID": "xxxxxxxxxxxxxxx", "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "callbackURL": "/auth/facebook/callback", "authPath": "/auth/facebook", "callbackPath": "/auth/facebook/callback", "successRedirect": "/auth/account", "failureRedirect": "/login", "scope": ["email"], "failureFlash": true, "profileFields": ["gender", "link", "locale", "name", "timezone", "verified", "email", "updated_time"] }
The profileFields field above tells Facebook details to return in profile data
after authentication. For more information regarding the providers template, see
http://loopback.io/doc/en/lb2/Configuring-providers.json.html.
Log in with Facebook
- Open your browser to the example app with
http://localhost:3000 - Click
Log Infrom the example app header menu - Click on
Log In with Facebookbutton - FaceBook login page opens, enter test user-id and password
- example app loads again on successful login
- redirect to example app will fail if Facebook did not return profile with email-id
Try it out with Google
Create test credentials in Google
- Login to Google developer console: https://console.developers.google.com You may have to create a sample project if you are new to Google developer console
- Click on
OAuth consent screenfrom the left hand side navigation menu, selectExternal, clickCreatebutton - This loads the
Applicationpage to register your app. Enter app name and check if scopes hasemailpermission - Click on
Credentialslink in the left hand side navigation menu - Then click
Create Credentialstab, and selectOAuth Client ID - This loads the
Create Client IDpage. Select application type asweb application, enter name and clickCreatebutton - A pop up loads with the created credentials. Note the displayed “Client ID” and “Client Secret” and save
Create oauth2-providers.json
- Copy
oauth2-providers.template.jsonfrom this example project’s root tooauth2-providers.json -
Update Google oauth2 config with the values for
clientID/clientSecretfrom your Google test app."google-login": { "provider": "google", "module": "passport-google-oauth2", "strategy": "OAuth2Strategy", "clientID": "{google-client-id}", "clientSecret": "{google-client-secret}", "callbackURL": "/api/auth/thirdparty/google/callback", "authPath": "/api/auth/thirdparty/google", "callbackPath": "/api/auth/thirdparty/google/callback", "successRedirect": "/auth/account", "failureRedirect": "/login", "scope": ["email", "profile"], "failureFlash": true }
Log in with Google
- Open your browser to the example app with,
http://localhost:3000 - Click on
Log Infrom the example app header menu - Click on
Log In with Googlebutton - Google login page opens, enter Google user-id and password
- example app loads again on successful login
Try it out with Twitter
Create a test app and test user in Twitter
- Login to Twitter developer page: https://developer.twitter.com/apps
- Click on
Create an appto create a new app. - In the
App detailspage, fill thecallback URLfield withhttp://localhost:3000/api/auth/thirdparty/twitter/callback. - In the same page, you also need to fill in the
Terms of Service URLandPrivacy policy URL. This is needed since we will need to request users for email address in thePermissionssettings. - In the
Keys and tokenstab, no changes are needed. You will see theConsumer API keyssection which has the API key and secret. These values will be used in the LoopBack application. - In the
Permissionstab, underadditional permissionssection, selectRequest email address. Make sure you have the term of service and privacy policy urls information filled in in theAdd detailstab, otherwise theRequest email addresswill be disabled for you.
- NOTE:
- If you change the permission settings after the app is being created, you
might need to regenerate the tokens again by going to the
Keys and tokenstab for regeneration. - For details in getting email address from the login profile, see
this discussion in
passport-twitterrepo. - The passport-twitter strategy used in this example is using OAuth 1.0a API.
- If you change the permission settings after the app is being created, you
might need to regenerate the tokens again by going to the
Create oauth2-providers.json
- Copy
oauth2-providers.template.jsonfrom this example project’s root tooauth2-providers.json -
Update Twitter oauth config with the values for
consumerKey/consumerSecretfrom your test app."twitter-login": { "provider": "twitter", "module": "passport-twitter", "strategy": "OAuth2Strategy", "consumerKey": "xxxxxxxxxxxxxx", "consumerSecret": "xxxxxxxxxxxxxxx", "callbackURL": "/api/auth/thirdparty/twitter/callback?source=twitter", "authPath": "/api/auth/thirdparty/twitter", "callbackPath": "/api/auth/thirdparty/twitter/callback", "successRedirect": "/auth/account", "failureRedirect": "/login", "includeEmail": true, "scope": ["email", "profile"], "failureFlash": true },
Log in with Twitter
- Open your browser to the example app with
http://localhost:3000 - Click
Log Infrom the example app header menu - Click on
Log In with Twitterbutton - You’ll be asked to authorize the Twitter app to access your account. Click
Authorize app. - Example app loads again on successful login
- Redirect to example app will fail if Twitter did not return profile with email-id