Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create a companion server that handles authorization_code flows #1

Open
edjiang opened this issue May 19, 2016 · 9 comments
Open

Create a companion server that handles authorization_code flows #1

edjiang opened this issue May 19, 2016 · 9 comments

Comments

@edjiang
Copy link
Member

edjiang commented May 19, 2016

We can't implement Twitter, GitHub, LinkedIn, Slack, or other login types because we can't do authorization_code grants without a client secret. Client secrets are fundamentally insecure on mobile clients, so we need to create a companion server to help with the authentication request.

@edjiang edjiang mentioned this issue May 20, 2016
@joemasilotti
Copy link

Do you see the server being one, single server that manages every one's tokens? Or a separate codebase that developers could stand up on their own? If the latter, what language do you think you will be implementing the server in?

@edjiang
Copy link
Member Author

edjiang commented May 21, 2016

I definitely want to do both, but I haven't planned exactly the approach I'd be taking.

If it's self-hosted, that reduces complexity of writing code but may be less convenient to use. If it's hosted, it'd be more convenient to use but it'll be more work to write, and open-sourcing it would be less useful since there'd be more work to get it set up.

I'd love to hear your thoughts though -- what would you find more useful?

I'll be writing it in Node.js.

@onmyway133
Copy link

@edjiang Why don't you make client secret parameter optional? For those who want to take the risk?

@edjiang
Copy link
Member Author

edjiang commented May 27, 2016

@onmyway133 so, I looked at it a bit more and realized that client_secret actually isn't required as per the OAuth spec for the Authorization Code grant type, so what I'm going to do is:

  1. Implement the authorization_code grant type as per spec.
  2. Keep it extensible so people can implement it with the client_secret if they want to.
  3. Get the server-side component out asap, and make it hosted!

@edjiang
Copy link
Member Author

edjiang commented Jun 13, 2016

As an update: work on Implicity, the server-side component to Simplicity, has started!

I'm going to be at WWDC / Altconf festivities over the next week, so not sure what velocity I'll be getting, but @saimaddali will be joining me to help build out Implicity!

https://github.com/SimplicityMobile/Implicity

@edjiang edjiang mentioned this issue Jun 23, 2016
@quiKsilverItaly
Copy link

How is it going? I would love to see Twitter supported by your Lib.

@edjiang
Copy link
Member Author

edjiang commented Nov 8, 2016

Unfortunately, I've been working on a lot of other stuff recently, so I don't think this will get done in the near future :(

@kakubei
Copy link

kakubei commented Feb 21, 2017

+1

1 similar comment
@nick-iCars
Copy link

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants