A simple example showing how third-party apps integrate with InsForge OAuth 2.0.
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ This App │ │ Browser │ │ InsForge │
│ (Port 4000) │ │ │ │ (Port 3000) │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
│ 1. User clicks │ │
│ "Login with InsForge" │ │
│<───────────────────────────│ │
│ │ │
│ 2. Generate PKCE │ │
│ Store verifier │ │
│ Redirect to InsForge │ │
│───────────────────────────>│ │
│ │ │
│ │ 3. GET /authorize │
│ │ ?client_id=... │
│ │ &code_challenge=... │
│ │───────────────────────────>│
│ │ │
│ │ 4. User logs in │
│ │ User approves │
│ │ │
│ │ 5. Redirect to callback │
│ │ ?code=ABC123 │
│ │<───────────────────────────│
│ │ │
│ 6. GET /auth/callback │ │
│ ?code=ABC123 │ │
│<───────────────────────────│ │
│ │ │
│ 7. POST /token │ │
│ {code, code_verifier} │ │
│────────────────────────────────────────────────────────>│
│ │ │
│ 8. {access_token} │ │
│<────────────────────────────────────────────────────────│
│ │ │
│ 9. Store tokens │ │
│ Redirect to home │ │
│───────────────────────────>│ │
│ │ │
│ USER IS NOW LOGGED IN │
Migrate backend first!!!
First, register an OAuth client in InsForge to get your credentials:
curl -X POST http://localhost:3000/api/oauth/v1/clients/register \
-H "Authorization: Bearer YOUR_INSFORGE_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "My Example App",
"redirect_uris": ["http://localhost:4000/auth/callback"],
"allowed_scopes": ["user:read", "organizations:read", "projects:read", "projects:write"],
"client_type": "confidential"
}'You'll receive:
{
"client_id": "abc123",
"client_secret": "secret_xyz789"
}Set environment variables or edit src/server.js:
export INSFORGE_CLIENT_ID="your_client_id"
export INSFORGE_CLIENT_SECRET="your_client_secret"
export INSFORGE_URL="http://localhost:3000"
export CALLBACK_URL="http://localhost:4000/auth/callback"npm install
npm start- Open http://localhost:4000
- Click "Login with InsForge"
- Log in to InsForge (if not already)
- Approve the permissions
- You're redirected back, logged in!
src/
└── server.js # Complete OAuth implementation
// 1. Generate random verifier (secret, stays on server)
const codeVerifier = crypto.randomBytes(32).toString('base64url');
// 2. Generate challenge (public, sent to InsForge)
const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
// 3. Send challenge in /authorize request
// 4. Send verifier in /token request
// 5. InsForge verifies: SHA256(verifier) === challenge// Generate random state before redirect
const state = crypto.randomBytes(16).toString('hex');
req.session.oauthState = state;
// Verify it matches in callback
if (state !== req.session.oauthState) {
return res.status(400).send('CSRF attack detected');
}The code exchange happens server-to-server, never exposing secrets to the browser:
const response = await fetch('https://api.insforge.com/api/oauth/v1/token', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
grant_type: 'authorization_code',
code: code, // From callback URL
redirect_uri: CALLBACK_URL,
client_id: CLIENT_ID,
client_secret: CLIENT_SECRET, // Never exposed to browser
code_verifier: codeVerifier, // Never exposed to browser
}),
});| Endpoint | Description |
|---|---|
GET / |
Home page (shows login button or user info) |
GET /auth/login |
Starts OAuth flow, redirects to InsForge |
GET /auth/callback |
Handles InsForge redirect, exchanges code |
GET /auth/logout |
Clears session |
GET /api/organizations |
Example API call using access token |
- Never expose
client_secret- It stays on your server - Never expose
code_verifier- It stays on your server - Always verify
state- Prevents CSRF attacks - Use HTTPS in production - Protects all traffic
- Store tokens securely - Use encrypted sessions/database