Using Passport for OAuth with

Passport is a great Node.js middleware module for handling OAuth strategies with Express or Connect based applications. It is built around the concept of strategies, which makes it easy for providers to add new ones and keeps the amount of code developers need to use a strategy small. One of the great things about interacting with the platform is that, by leveraging open technologies like OAuth2 and REST, you can choose the tools that you like to get the job done.

While tinkering with Passport, my only real problem was that there wasn’t a handy strategy for easily integrating it. With the help of Jared Hanson, creator of Passport, this is no longer an issue.

To kick things off, install passport and the strategy:

npm install passport
npm install passport-forcedotcom

Now we need to declare the strategy:

var passport = require('passport')
  , ForceDotComStrategy = require('passport-forcedotcom').Strategy;

//define passport usage (port is assumed to be defined earlier in the app)
passport.use(new ForceDotComStrategy({
    clientID: '{YOURCONSUMERKEY}',
    clientSecret: '{YOURPRIVATEKEY}',
    callbackURL: ''+port+'/token'
  },
  //verify callback: hand the profile to Passport as the logged in user
  function(token, tokenSecret, profile, done) {
    return done(null, profile);
  }
));

Now we can use passport as middleware to create endpoints for logging in and handling the token callback:

//start the OAuth flow
app.get('/login', passport.authenticate('forcedotcom'));

//token callback: matches the /token path used in callbackURL
app.get('/token',
  passport.authenticate('forcedotcom', { failureRedirect: '/error' }),
  function(req, res){
    req.session["forcedotcom"] = req.session["passport"]["user"];
    res.redirect('/'); //assumed landing route
  });

Passport also allows you to handle some user functionality in the following callbacks (such as database calls):

//store the whole user object in the session and read it back unchanged
passport.serializeUser(function(user, done) {
  done(null, user);
});

passport.deserializeUser(function(obj, done) {
  done(null, obj);
});

Though I’ve currently been relying on just session information. Now, one of the key differences between how handles OAuth and many other providers is that you need key pieces of information like the instance URL in order to properly communicate with the platform. In this instance, I’m adding that entire block of data into the forcedotcom session variable, so that I can pull specific things back out. Here’s an example of using it to create a REST callout with a simple HTTP proxy I tossed together called lazyproxy:

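//define REST proxy options based on logged in user
//(the route pattern is an assumption; the handler only needs a :label parameter)
app.all('/:label/*',
  function(req, res) {

    if(req.session["forcedotcom"] && req.params.label == "fdc") {
      var restOptions = {
        useHTTPS : true,
        host : req.session["forcedotcom"].instance_url.replace('https://',''),
        headers: {
            'Authorization': 'OAuth '+req.session["forcedotcom"].access_token
        }
      };
      //hand restOptions and the request to lazyproxy here
    }
  });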


Basically, I’m just detecting that a URL with “fdc” is being called, and redirecting the request over to  As you can see, Passport makes it easy to handle authentication with the platform, and it is flexible too: if you need to add different strategies like Facebook, it’s as simple as what you see above. If you want to see a more complete example, I’ve got one semi-working over at GitHub, but I don’t have the Twitter loop working quite yet. However, in the spirit of social coding, I’m always willing to accept merge requests…
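
A stricter take on the session handling and `restOptions` construction shown above, as an added example that is not part of the original post or of lazyproxy: it keeps only the two fields the proxy needs in the session and parses `instance_url` instead of string-replacing it. The function names, the host suffix allowlist and the sample values used to exercise it are assumptions.

```javascript
// Assumption: instance hosts end in one of these suffixes; adjust for your org.
const ALLOWED_HOST_SUFFIXES = ['.salesforce.com', '.force.com'];

// Keep only what the proxy needs instead of copying the whole Passport user
// (profile data included) into the session.
function pickSessionFields(user) {
  if (!user || typeof user.access_token !== 'string' ||
      typeof user.instance_url !== 'string') {
    return null;
  }
  return { access_token: user.access_token, instance_url: user.instance_url };
}

// Build the proxy options from the session, or return null to refuse the call.
function buildRestOptions(session, label) {
  const fdc = session && session.forcedotcom;
  if (!fdc || label !== 'fdc') return null;

  let url;
  try {
    url = new URL(fdc.instance_url); // global URL class in Node.js
  } catch (err) {
    return null; // missing or unparseable instance URL
  }
  // Require HTTPS, no embedded credentials, and a host on the allowlist.
  if (url.protocol !== 'https:' || url.username || url.password) return null;
  const host = url.hostname.toLowerCase();
  if (!ALLOWED_HOST_SUFFIXES.some((suffix) => host.endsWith(suffix))) return null;

  // Reject CR/LF so the token cannot split the Authorization header.
  const token = fdc.access_token;
  if (typeof token !== 'string' || /[\r\n]/.test(token)) return null;

  return {
    useHTTPS: true,
    host: host,
    headers: { Authorization: 'OAuth ' + token }
  };
}
```

In the token callback this would replace the direct copy with `req.session["forcedotcom"] = pickSessionFields(req.user)`, and the proxy route would answer with an error status whenever `buildRestOptions` returns null.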
