{"id":15753,"library":"passport-oauth2-client-password","title":"Passport OAuth2 Client Password Strategy","description":"passport-oauth2-client-password is an authentication strategy module designed for the Passport.js middleware framework, specifically implementing the OAuth 2.0 client password grant type. It allows applications to authenticate client credentials (client ID and client secret) when provided in the request body, a common pattern for securing OAuth 2.0 token endpoints. The current stable version is 0.1.2. The package's last publish was 11 years ago, and its GitHub repository shows no recent activity, indicating it is no longer actively maintained. Its primary differentiator lies in providing a focused, simple implementation for this specific OAuth2 authentication mechanism within the Passport ecosystem. However, its age means it likely lacks modern JavaScript features, TypeScript definitions (though `@types/passport-oauth2-client-password` exists), and contemporary security updates. Developers should consider its abandoned status and potential compatibility issues with newer Node.js versions when evaluating its use.","status":"abandoned","version":"0.1.2","language":"javascript","source_language":"en","source_url":"git://github.com/jaredhanson/passport-oauth2-client-password","tags":["javascript","passport","oauth","oauth2","authn","authentication","authz","authorization","api"],"install":[{"cmd":"npm install passport-oauth2-client-password","lang":"bash","label":"npm"},{"cmd":"yarn add passport-oauth2-client-password","lang":"bash","label":"yarn"},{"cmd":"pnpm add passport-oauth2-client-password","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Required for the strategy to function as an authentication middleware. This package integrates with Passport.js, which is a peer dependency by nature for any Passport strategy.","package":"passport","optional":false},{"reason":"This is a direct dependency listed in the package.json, providing the base Strategy class from which this strategy extends.","package":"passport-strategy","optional":false}],"imports":[{"note":"This module directly exports the Strategy constructor. Given its age (last published 2013), ESM imports are not supported and will lead to errors in Node.js environments.","wrong":"import ClientPasswordStrategy from 'passport-oauth2-client-password';","symbol":"ClientPasswordStrategy","correct":"const ClientPasswordStrategy = require('passport-oauth2-client-password');"},{"note":"The module's default export *is* the Strategy constructor itself, not an object containing a named export 'Strategy'. Attempting to destructure it will result in `undefined`.","wrong":"const { Strategy } = require('passport-oauth2-client-password');","symbol":"Strategy (named destructure)","correct":"const Strategy = require('passport-oauth2-client-password');"},{"note":"While the core package does not ship with types, `@types/passport-oauth2-client-password` provides definitions. It typically exports `Strategy` which can be aliased.","wrong":"import type { ClientPasswordStrategy } from 'passport-oauth2-client-password';","symbol":"ClientPasswordStrategy (Type)","correct":"import type { Strategy as ClientPasswordStrategy } from 'passport-oauth2-client-password';"}],"quickstart":{"code":"const express = require('express');\nconst passport = require('passport');\nconst ClientPasswordStrategy = require('passport-oauth2-client-password');\n\nconst app = express();\nconst port = 3000;\n\n// Middleware to parse request body (e.g., for client_id and client_secret)\napp.use(express.urlencoded({ extended: false }));\napp.use(express.json());\n\n// Initialize Passport middleware\napp.use(passport.initialize());\n\n// --- Mock Database (in a real app, this would be a database query) ---\nconst clients = [\n  { id: 1, clientId: 'client123', clientSecret: 'secret123', name: 'Test Client' },\n  { id: 2, clientId: 'anotherClient', clientSecret: 'superSecret', name: 'Another Test Client' },\n];\n// --- End Mock Database ---\n\n// Configure the Client Password strategy\npassport.use(new ClientPasswordStrategy(\n  function(clientId, clientSecret, done) {\n    console.log(`Attempting to authenticate client: ${clientId}`);\n    const client = clients.find(c => c.clientId === clientId);\n\n    if (!client) {\n      console.log('Client not found.');\n      // `done(null, false)` indicates authentication failure.\n      return done(null, false);\n    }\n    if (client.clientSecret !== clientSecret) {\n      console.log('Client secret mismatch.');\n      return done(null, false);\n    }\n    console.log(`Client '${client.name}' authenticated successfully.`);\n    // `done(null, client)` indicates success, attaching client to req.user\n    return done(null, client);\n  }\n));\n\n// Define a token endpoint (or any endpoint requiring client authentication)\napp.post('/token',\n  // Authenticate using the 'oauth2-client-password' strategy\n  // `session: false` because clients typically don't establish sessions\n  passport.authenticate('oauth2-client-password', { session: false }),\n  (req, res) => {\n    // If we reach here, the client is authenticated (req.user will contain the client object)\n    console.log('Client authenticated successfully at /token endpoint.');\n    res.json({\n      message: 'Client authenticated successfully',\n      client: req.user // The authenticated client object\n    });\n  }\n);\n\n// Simple root endpoint for demonstration\napp.get('/', (req, res) => {\n  res.send('Welcome! Try POSTing to /token with client_id and client_secret in the body (form-urlencoded or JSON).');\n});\n\napp.listen(port, () => {\n  console.log(`Server listening at http://localhost:${port}`);\n  console.log('\\n--- Test Commands ---');\n  console.log(`curl -X POST -H \"Content-Type: application/x-www-form-urlencoded\" -d \"client_id=client123&client_secret=secret123\" http://localhost:${port}/token`);\n  console.log(`curl -X POST -H \"Content-Type: application/x-www-form-urlencoded\" -d \"client_id=badclient&client_secret=badsecret\" http://localhost:${port}/token`);\n  console.log(`curl -X POST -H \"Content-Type: application/json\" -d '{\"client_id\":\"client123\",\"client_secret\":\"secret123\"}' http://localhost:${port}/token`);\n});","lang":"javascript","description":"Demonstrates how to set up an Express server with Passport.js using `passport-oauth2-client-password` to authenticate client credentials for a mock token endpoint. It includes basic body parsing and a sample client database."},"warnings":[{"fix":"Consider more actively maintained alternatives for OAuth 2.0 client authentication, or audit the source code thoroughly and fork for maintenance.","message":"This package is effectively abandoned, with the last publish being over a decade ago. It has not received updates for new Node.js versions, security patches, or modern JavaScript features. Use with caution in production environments, especially regarding security vulnerabilities and compatibility.","severity":"breaking","affected_versions":">=0.1.2"},{"fix":"Ensure you understand the OAuth 2.0 client credential flow. For user authentication, use other Passport strategies like `passport-local` or `passport-oauth2` for specific providers.","message":"This strategy is specifically designed for OAuth 2.0 client password authentication (client_id and client_secret in the request body) and not for authenticating end-users directly. It's typically used at a token endpoint to verify the requesting client application.","severity":"gotcha","affected_versions":">=0.1.2"},{"fix":"Always use CommonJS `require()` syntax for importing this package. Example: `const ClientPasswordStrategy = require('passport-oauth2-client-password');`.","message":"The package does not officially support ESM (ECMAScript Modules). Using `import` statements will result in runtime errors due to Node.js's CJS/ESM interoperability rules for older packages.","severity":"gotcha","affected_versions":">=0.1.2"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Ensure the package is installed: `npm install passport-oauth2-client-password`. If using a non-standard module path, verify the path.","cause":"The package is not installed or the module resolution path is incorrect.","error":"Error: Cannot find module 'passport-oauth2-client-password'"},{"fix":"Use the correct CommonJS `require` syntax as the module directly exports the constructor: `const ClientPasswordStrategy = require('passport-oauth2-client-password');`.","cause":"This error typically occurs if you try to import the strategy using a named import (e.g., `import { ClientPasswordStrategy } from '...'`) or destructure it incorrectly from a `require` statement, or if the `require` statement itself fails.","error":"TypeError: ClientPasswordStrategy is not a constructor"},{"fix":"Inspect the `clientId` and `clientSecret` values passed to the `verify` callback and compare them against your mock or database records. Ensure they match exactly and that your client lookup logic is correct. Log the input credentials and your stored clients for debugging.","cause":"The `verify` callback function within the strategy is returning `done(null, false)`, indicating that the provided `clientId` or `clientSecret` does not match your stored client credentials.","error":"Client authentication failing (verify callback returning `done(null, false)`)"}],"ecosystem":"npm"}