DEV Community


Posted on

Best practices to authenticate with Passport.js

I would like to ask the community for help to better understand and use Passport.js.

The way I learned to use it, you define a strategy, make a couple of auth routes and persist session on a cookie.

So, for instance, you would create a Google strategy like this:

const passport = require('passport')
const GoogleStrategy = require('passport-google-oauth20').Strategy

passport.use(new GoogleStrategy(
    (accessToken, refreshToken, profile, done) => done(null, profile)

Then add cookie-session and passport middleware:


And finally create a log in route and a callback route:

app.get('/google', passport.authenticate('google', scope))

app.get('/google/callback', passport.authenticate('google', options))

But my understanding of Passport.js is very limited and I often wonder if this is even a good idea. For instance, I don't really know what the parameters accessToken and refreshToken in the strategy's callback are. I imagine they serve some purpose beyond just existing, but I wouldn't know how to use them.

So I thought I'd ask around and hopefully hear good opinions on the matter.

How do you personally use Passport.js?
What method(s) do you use to persist sessions?
What are the pitfalls/security issues with the approach I outlined above?
What can we use accessToken and refreshToken for?

Thanks a lot in advance for your replies^^

Top comments (1)

brandinchiu profile image
Brandin Chiu

Passport is used to help simplify the implementation of OAuth 2.0 providers.

OAuth is an authentication standard used all around the world to help make development easier for us, and the process familiar for users.

In this context, our accessToken is designed to be an authenticated session identifier for a particular person. For security, sometimes access tokens expire. In cases when you need to generate a new one, but don't want to force a user to have to enter their credentials again, you would make a request using the refreshToken to generate a new accessToken.

OAuth can be complex, but the most common implementation looks like this:

  • user clicks "login with x" link
  • user is redirected to a web form hosted by the service x
  • user enters credentials and submits
  • service x's web form redirects to a page controlled by you with a temporary code for you to use.
  • you submit the temporary code, and other security credentials (client ID and client secret, typically) through a backend API request with service x
  • service x gives you an accessToken, and optionally, a refreshToken if needed.
  • you persist the above tokens in your system so your user remains "logged in".

Regardless of what service x is, if they are implementing OAuth 2.0, they are will be more or less following the above process. Passport simplifies these steps by making you not have to do this by hand for every provider you want to support, since they will function more or less the same way.