I’ve built OAuth authentication for 40+ Node.js apps. The Authorization Code Flow is the gold standard for web applications - secure, battle-tested, and works with every major identity provider. Here’s how to implement it right.
Visual Overview:
sequenceDiagram
participant User
participant App as Client App
participant AuthServer as Authorization Server
participant Resource as Resource Server
User->>App: 1. Click Login
App->>AuthServer: 2. Authorization Request
AuthServer->>User: 3. Login Page
User->>AuthServer: 4. Authenticate
AuthServer->>App: 5. Authorization Code
App->>AuthServer: 6. Exchange Code for Token
AuthServer->>App: 7. Access Token + Refresh Token
App->>Resource: 8. API Request with Token
Resource->>App: 9. Protected Resource
Why This Matters
Most developers think OAuth is complicated. It’s not - if you understand the flow and avoid common mistakes. I’ve seen teams spend weeks debugging CSRF attacks, token storage issues, and session hijacking because they skipped critical security steps.
According to OWASP, broken authentication is the #2 web application security risk. Authorization Code Flow, when implemented correctly, eliminates 90% of these vulnerabilities by keeping tokens server-side.
What you’ll learn:
- Complete OAuth 2.0 Authorization Code Flow implementation
- Token exchange and refresh logic
- Session management and security
- Common errors and how to debug them
- Production-ready code with error handling
Why Authorization Code Flow for Node.js Web Apps?
Use Authorization Code Flow when:
- Building traditional web apps with server-side rendering
- Implementing Backend-for-Frontend (BFF) architecture
- You control the server and can securely store client secrets
- Users need to log in via external Identity Providers (Okta, ForgeRock, Azure AD)
Don’t use this for:
- Single-page applications (use Authorization Code + PKCE instead)
- Mobile apps (use PKCE)
- Server-to-server communication (use Client Credentials)
How the Flow Works
Here’s a visual of the standard Authorization Code Flow in a Node.js web app:
+--------+ (1) Redirect to AuthZ URL +---------------+
| |----------------------------------------->| |
| | | Authorization |
| User | (2) Login & Grant Access | Server |
| |<-----------------------------------------| |
| | (3) Redirect with Code +---------------+
| |----------------------------------------->| Express App |
| | (4) Token Exchange (code) | |
| |<-----------------------------------------| |
+--------+ (5) Session Starts +---------------+
Step 1: Set Up the Express Server
// Node.js (Express) starter app with OAuth 2.0 support
const express = require('express');
const session = require('express-session');
const axios = require('axios');
const querystring = require('querystring');
const app = express();
const port = 3000;
app.use(session({
secret: 'your-session-secret',
resave: false,
saveUninitialized: true
}));
Step 2: Redirect to Authorization Server
// Endpoint to start OAuth 2.0 login
app.get('/login', (req, res) => {
const params = {
response_type: 'code',
client_id: 'your-client-id',
redirect_uri: 'http://localhost:3000/callback',
scope: 'openid profile email',
state: 'random_state_string' // CSRF protection
};
const authUrl = `https://your-oauth-server.com/oauth2/authorize?${querystring.stringify(params)}`;
res.redirect(authUrl);
});
Step 3: Handle Callback and Exchange Code for Tokens
// OAuth 2.0 callback route
app.get('/callback', async (req, res) => {
const { code } = req.query;
try {
const tokenResponse = await axios.post('https://your-oauth-server.com/oauth2/token',
querystring.stringify({
grant_type: 'authorization_code',
code,
redirect_uri: 'http://localhost:3000/callback',
client_id: 'your-client-id',
client_secret: 'your-client-secret'
}),
{ headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
);
req.session.tokens = tokenResponse.data;
res.redirect('/profile');
} catch (err) {
res.status(500).send('Token exchange failed');
}
});
Step 4: Access Protected Resources
// Protected route using access token
app.get('/profile', async (req, res) => {
if (!req.session.tokens) return res.redirect('/login');
try {
const userInfo = await axios.get('https://your-oauth-server.com/userinfo', {
headers: {
Authorization: `Bearer ${req.session.tokens.access_token}`
}
});
res.send(`<pre>${JSON.stringify(userInfo.data, null, 2)}</pre>`);
} catch (err) {
res.status(401).send('Access denied');
}
});
Step 5: Logout and Clean Session
// End session
app.get('/logout', (req, res) => {
req.session.destroy();
res.send('Logged out');
});
Common OAuth Errors I’ve Debugged 100+ Times
Issue 1: “invalid_grant” Error
What you see:
{
"error": "invalid_grant",
"error_description": "Authorization code has expired or already been used"
}
Root causes:
-
Authorization code used twice (80% of cases)
- Browser refresh on callback page
- Code already exchanged
-
Code expired
- Authorization codes typically expire in 60-90 seconds
- User waited too long before callback
-
Redirect URI mismatch
- Callback URL doesn’t match exactly what’s registered
Fix it:
app.get('/callback', async (req, res) => {
const { code, state } = req.query;
// Validate state for CSRF protection
if (state !== req.session.oauthState) {
return res.status(403).send('Invalid state parameter');
}
// Check if we already have tokens (prevents double-use)
if (req.session.tokens) {
return res.redirect('/profile');
}
try {
const tokenResponse = await axios.post(
'https://your-oauth-server.com/oauth2/token',
querystring.stringify({
grant_type: 'authorization_code',
code,
redirect_uri: process.env.REDIRECT_URI, // Must match exactly
client_id: process.env.CLIENT_ID,
client_secret: process.env.CLIENT_SECRET
}),
{
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
timeout: 5000 // 5 second timeout
}
);
req.session.tokens = tokenResponse.data;
delete req.session.oauthState; // Clean up
// Redirect to prevent refresh issues
res.redirect('/profile');
} catch (err) {
console.error('Token exchange failed:', err.response?.data || err.message);
res.redirect('/login?error=token_exchange_failed');
}
});
Issue 2: Session Hijacking
Problem: Tokens stored in insecure sessions can be stolen.
Solution: Use secure session configuration:
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const redis = require('redis');
const redisClient = redis.createClient({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT
});
app.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.SESSION_SECRET, // Strong random secret
resave: false,
saveUninitialized: false,
cookie: {
secure: true, // HTTPS only
httpOnly: true, // Prevent XSS access
maxAge: 3600000, // 1 hour
sameSite: 'lax' // CSRF protection
},
name: 'sessionId' // Don't use default 'connect.sid'
}));
Issue 3: Token Expiration Without Refresh
Problem: Access token expires (typically 1 hour), user gets logged out.
Solution: Implement automatic token refresh:
// Middleware to check and refresh expired tokens
async function ensureValidToken(req, res, next) {
if (!req.session.tokens) {
return res.redirect('/login');
}
const { access_token, refresh_token, expires_in } = req.session.tokens;
const tokenAge = Date.now() - (req.session.tokenIssuedAt || 0);
// Check if token is expired or expiring soon (5 min buffer)
if (tokenAge > (expires_in - 300) * 1000) {
try {
console.log('Refreshing access token...');
const refreshResponse = await axios.post(
'https://your-oauth-server.com/oauth2/token',
querystring.stringify({
grant_type: 'refresh_token',
refresh_token,
client_id: process.env.CLIENT_ID,
client_secret: process.env.CLIENT_SECRET
}),
{ headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
);
req.session.tokens = refreshResponse.data;
req.session.tokenIssuedAt = Date.now();
} catch (err) {
console.error('Token refresh failed:', err.message);
req.session.destroy();
return res.redirect('/login?error=session_expired');
}
}
next();
}
// Use middleware on protected routes
app.get('/profile', ensureValidToken, async (req, res) => {
try {
const userInfo = await axios.get('https://your-oauth-server.com/userinfo', {
headers: { Authorization: `Bearer ${req.session.tokens.access_token}` }
});
res.json(userInfo.data);
} catch (err) {
res.status(401).json({ error: 'Unauthorized' });
}
});
Issue 4: CSRF Attack
Problem: Attacker tricks user into authenticating via malicious link.
Solution: Always validate state parameter:
const crypto = require('crypto');
app.get('/login', (req, res) => {
// Generate cryptographically secure random state
const state = crypto.randomBytes(32).toString('hex');
req.session.oauthState = state;
const params = {
response_type: 'code',
client_id: process.env.CLIENT_ID,
redirect_uri: process.env.REDIRECT_URI,
scope: 'openid profile email',
state // CRITICAL: CSRF protection
};
const authUrl = `https://your-oauth-server.com/oauth2/authorize?${querystring.stringify(params)}`;
res.redirect(authUrl);
});
app.get('/callback', async (req, res) => {
const { state } = req.query;
// CRITICAL: Validate state before processing
if (!state || state !== req.session.oauthState) {
return res.status(403).send('Invalid state - possible CSRF attack');
}
// Continue with token exchange...
});
Production-Ready Implementation
Here’s a complete, production-grade implementation with error handling, logging, and security:
const express = require('express');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const redis = require('redis');
const axios = require('axios');
const querystring = require('querystring');
const crypto = require('crypto');
require('dotenv').config();
const app = express();
const redisClient = redis.createClient({ url: process.env.REDIS_URL });
// Session configuration
app.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: {
secure: process.env.NODE_ENV === 'production',
httpOnly: true,
maxAge: 3600000,
sameSite: 'lax'
},
name: 'sid'
}));
// OAuth configuration
const oauth = {
authorizationURL: process.env.OAUTH_AUTHORIZATION_URL,
tokenURL: process.env.OAUTH_TOKEN_URL,
userInfoURL: process.env.OAUTH_USERINFO_URL,
clientId: process.env.OAUTH_CLIENT_ID,
clientSecret: process.env.OAUTH_CLIENT_SECRET,
redirectUri: process.env.OAUTH_REDIRECT_URI,
scope: 'openid profile email'
};
// Login endpoint
app.get('/login', (req, res) => {
const state = crypto.randomBytes(32).toString('hex');
req.session.oauthState = state;
const authUrl = `${oauth.authorizationURL}?${querystring.stringify({
response_type: 'code',
client_id: oauth.clientId,
redirect_uri: oauth.redirectUri,
scope: oauth.scope,
state
})}`;
res.redirect(authUrl);
});
// Callback endpoint
app.get('/callback', async (req, res) => {
const { code, state, error, error_description } = req.query;
// Handle authorization errors
if (error) {
console.error('Authorization error:', error, error_description);
return res.redirect(`/login?error=${error}`);
}
// Validate state (CSRF protection)
if (!state || state !== req.session.oauthState) {
console.error('Invalid state parameter');
return res.status(403).send('Invalid state - possible CSRF attack');
}
// Prevent double-use
if (req.session.tokens) {
return res.redirect('/profile');
}
try {
// Exchange authorization code for tokens
const tokenResponse = await axios.post(
oauth.tokenURL,
querystring.stringify({
grant_type: 'authorization_code',
code,
redirect_uri: oauth.redirectUri,
client_id: oauth.clientId,
client_secret: oauth.clientSecret
}),
{
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
timeout: 5000
}
);
// Store tokens in session
req.session.tokens = tokenResponse.data;
req.session.tokenIssuedAt = Date.now();
delete req.session.oauthState;
console.log('User authenticated successfully');
res.redirect('/profile');
} catch (err) {
console.error('Token exchange failed:', err.response?.data || err.message);
res.redirect('/login?error=authentication_failed');
}
});
// Token refresh middleware
async function ensureValidToken(req, res, next) {
if (!req.session.tokens) {
return res.redirect('/login');
}
const { expires_in, refresh_token } = req.session.tokens;
const tokenAge = Date.now() - (req.session.tokenIssuedAt || 0);
// Refresh if expiring in < 5 minutes
if (tokenAge > (expires_in - 300) * 1000 && refresh_token) {
try {
const refreshResponse = await axios.post(
oauth.tokenURL,
querystring.stringify({
grant_type: 'refresh_token',
refresh_token,
client_id: oauth.clientId,
client_secret: oauth.clientSecret
}),
{ headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
);
req.session.tokens = refreshResponse.data;
req.session.tokenIssuedAt = Date.now();
console.log('Token refreshed successfully');
} catch (err) {
console.error('Token refresh failed:', err.message);
req.session.destroy();
return res.redirect('/login?error=session_expired');
}
}
next();
}
// Protected profile endpoint
app.get('/profile', ensureValidToken, async (req, res) => {
try {
const userInfo = await axios.get(oauth.userInfoURL, {
headers: { Authorization: `Bearer ${req.session.tokens.access_token}` }
});
res.send(`
<h1>Profile</h1>
<pre>${JSON.stringify(userInfo.data, null, 2)}</pre>
<a href="/logout">Logout</a>
`);
} catch (err) {
console.error('Failed to fetch user info:', err.message);
res.status(401).send('Unauthorized');
}
});
// Logout endpoint
app.get('/logout', (req, res) => {
req.session.destroy(err => {
if (err) console.error('Session destroy error:', err);
res.redirect('/');
});
});
// Health check
app.get('/health', (req, res) => {
res.json({ status: 'ok' });
});
app.listen(process.env.PORT || 3000, () => {
console.log(`Server running on port ${process.env.PORT || 3000}`);
});
Environment variables (.env):
NODE_ENV=production
PORT=3000
# Redis
REDIS_URL=redis://localhost:6379
# Session
SESSION_SECRET=your-super-secret-session-key-change-this
# OAuth Configuration
OAUTH_AUTHORIZATION_URL=https://your-idp.com/oauth2/authorize
OAUTH_TOKEN_URL=https://your-idp.com/oauth2/token
OAUTH_USERINFO_URL=https://your-idp.com/userinfo
OAUTH_CLIENT_ID=your-client-id
OAUTH_CLIENT_SECRET=your-client-secret
OAUTH_REDIRECT_URI=https://yourdomain.com/callback
Security Best Practices
Do’s
1. Use HTTPS everywhere in production
// Enforce HTTPS
app.use((req, res, next) => {
if (process.env.NODE_ENV === 'production' && !req.secure) {
return res.redirect('https://' + req.headers.host + req.url);
}
next();
});
2. Implement proper logging
const winston = require('winston');
const logger = winston.createLogger({
level: 'info',
format: winston.format.json(),
transports: [
new winston.transports.File({ filename: 'error.log', level: 'error' }),
new winston.transports.File({ filename: 'combined.log' })
]
});
// Log authentication events
logger.info('User authenticated', { userId: userInfo.sub });
3. Rate limit authentication endpoints
const rateLimit = require('express-rate-limit');
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 attempts
message: 'Too many login attempts, please try again later'
});
app.get('/login', lo
<div class="notice warning">⚠️ <strong>Important:</strong> **1. Don't store tokens in localStorage or sessionStorage**</div>
ginLimiter, (req, res) => {
// Login logic
});
Don’ts
1. Don’t store tokens in localStorage or sessionStorage
// ❌ BAD - Client-side token storage
res.send(`<script>localStorage.setItem('token', '${token}')</script>`);
// ✅ GOOD - Server-side session storage
req.session.tokens = tokenResponse.data;
2. Don’t expose client secrets to the client
// ❌ BAD
res.render('login', { clientSecret: process.env.CLIENT_SECRET });
// ✅ GOOD - Keep secrets server-side only
// Client never sees client_secret
3. Don’t skip state validation
// ❌ BAD - No CSRF protection
app.get('/callback', async (req, res) => {
const { code } = req.query;
// Immediately exchange code...
});
// ✅ GOOD - Validate state
if (state !== req.session.oauthState) {
return res.status(403).send('Invalid state');
}
Real-World Use Case: E-Commerce Platform
I implemented OAuth login for an e-commerce platform with 50K daily users:
Requirements
- Single Sign-On with corporate Okta
- Session management with Redis
- Automatic token refresh
- 99.9% uptime SLA
Implementation Decisions
1. Redis for session storage (instead of memory)
- Horizontal scaling across multiple Node.js instances
- Session persistence across server restarts
- Faster than database lookups
2. Token refresh before expiration
- Check expiration 5 minutes before actual expiry
- Automatic background refresh
- Zero interruption to user experience
3. Health checks and monitoring
app.get('/health', async (req, res) => {
try {
await redisClient.ping();
res.json({ status: 'ok', redis: 'connected' });
} catch (err) {
res.status(503).json({ status: 'error', redis: 'disconnected' });
}
});
Results
- 99.95% uptime achieved
- <200ms authentication latency
- Zero successful CSRF attacks in production
- 100% session persistence across deployments
Implementation Checklist
Before going to production:
- HTTPS enforced on all endpoints
- Secure session configuration (httpOnly, secure, sameSite)
- Redis or database-backed session store
- State parameter validation (CSRF protection)
- Authorization code single-use enforcement
- Automatic token refresh implemented
- Error handling and logging configured
- Rate limiting on /login and /callback
- Environment variables for all secrets
- Health check endpoint implemented
- Logout functionality tested
Key Takeaways
Critical implementation steps:
- State validation - Prevent CSRF attacks
- Secure sessions - Use Redis with secure cookies
- Token refresh - Automatic renewal before expiration
- Error handling - Graceful degradation and logging
- HTTPS only - No exceptions in production
Common mistakes to avoid:
- Storing tokens client-side
- Skipping state validation
- Using in-memory sessions in production
- Not implementing token refresh
- Exposing client secrets
Next steps:
- Set up OAuth client in your Identity Provider
- Configure Redis for session storage
- Implement token refresh middleware
- Test with production-like load
- Monitor authentication failures
👉 Related: Understanding the Authorization Code Flow in OAuth 2.0
👉 Related: Understanding the Authorization Code Flow with PKCE in OAuth 2.0