Exchange Auth Code in a Request for an Access Token


We're going to refactor some of our HTTP application code so that the server can exchange the authorization code sent in the HTTP request for an access token.

We can do this by creating a function that takes the code from the request and posts a body containing our client ID, client secret, and the code to the token endpoint. We then await the response, parse the URL-encoded data it returns, and return the parsed access token.

Instructor: [0:00] Clean out the content of the post route callback function and convert it to an async function. Create a try-catch block, log any errors in the catch block and respond with the error as well.

[0:18] Create a variable to store the token, which will be extracted from the exchangeCodeForToken function, which takes the code sent from the client. Log the token to the console for inspection.

[0:32] Create the exchangeCodeForToken function and define the token URL variable which stores the GitHub token endpoint. Define an OAuth query params object that stores the body of the request that the token endpoint needs. The grant type tells the OAuth server that what we have is a code that it had issued us earlier.

[0:59] Set the redirect URL to the client redirect URL. It must match the redirect URL that is set up when creating the OAuth app. Go ahead and import the config object.

[1:14] Set the client ID. Set the client secret. A client ID can be public, but the client secret must never be public. This is why we are not making a request to the token endpoint from the client, because a token endpoint requires the secret before it can issue an access token.

[1:37] Set the code to the code you received from the request. Use fetch to make a request to the token endpoint. Now import node-fetch and then set the URL to the token URL variable.

[1:53] Set the body as the JSON stringified value of the OAuth query params object. The method should be POST, and set a content type header to application/json. The response is URL encoded, so handle it like text.

[2:12] Then, use the qs library to parse the values into a JavaScript object. Go ahead and import the qs library and then return the access token stored in the parsed data.

[2:26] Go to the browser and click the authorize link, then head back to the terminal and the token will be logged there.
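The exchange the lesson builds, as an added example that is not the lesson's own code: the client secret stays on the server, the endpoint's URL-encoded reply is parsed, and an error reply (which the endpoint can return alongside a 200 status) is rejected instead of being treated as a token. It assumes Node's built-in fetch and URLSearchParams in place of node-fetch and qs, a config object with placeholder values, and a `fetchImpl` parameter so the function can be run offline against a constructed stand-in endpoint.

```javascript
// Added example, not the lesson's own code: exchange a GitHub OAuth
// authorization code for an access token server-side, so the client
// secret never reaches the browser. Node's built-in fetch and
// URLSearchParams stand in for node-fetch and qs; `fetchImpl` is an
// assumed parameter so the function can be exercised offline.
const TOKEN_URL = 'https://github.com/login/oauth/access_token';

// Assumed config object; real values would come from the environment.
const config = {
  clientId: 'CLIENT_ID_PLACEHOLDER',
  clientSecret: 'CLIENT_SECRET_PLACEHOLDER', // server-side only, never shipped to the client
  clientRedirectUrl: 'http://localhost:3000/callback', // must match the OAuth app setting
};

async function exchangeCodeForToken(code, fetchImpl = globalThis.fetch) {
  if (typeof code !== 'string' || code.length === 0) {
    throw new Error('missing authorization code');
  }
  const oauthQueryParams = {
    grant_type: 'authorization_code',
    redirect_uri: config.clientRedirectUrl,
    client_id: config.clientId,
    client_secret: config.clientSecret,
    code,
  };
  const res = await fetchImpl(TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(oauthQueryParams),
  });
  // The endpoint answers with a URL-encoded body, e.g.
  // access_token=gho_...&scope=&token_type=bearer, so read it as text.
  const parsed = Object.fromEntries(new URLSearchParams(await res.text()));
  // A rejected code can come back as error=... with a 200 status, so check it.
  if (parsed.error) throw new Error(`token endpoint error: ${parsed.error}`);
  if (!parsed.access_token) throw new Error('no access_token in response');
  return parsed.access_token;
}

// Constructed stand-in for the token endpoint so the example runs offline.
function fakeTokenEndpoint(url, init) {
  const body = JSON.parse(init.body);
  const ok = url === TOKEN_URL && body.code === 'valid-code' &&
    body.client_secret === config.clientSecret;
  const text = ok
    ? 'access_token=gho_constructed_example_token&scope=&token_type=bearer'
    : 'error=bad_verification_code&error_description=The+code+is+incorrect';
  return Promise.resolve({ text: () => Promise.resolve(text) });
}
```

In the real route the function is awaited inside the try/catch with the default fetch, and the token is logged or used rather than being sent back to the browser.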