Harrisonl

Harrisonl

Oauth2 in Single page applications

Im trying to figure out how to implement Oauth2 sign in, e.g. google and github login via a React Single page login + phoenix backend combination.

Basically this is the flow i’m assuming:

  1. User clicks sign up/in
  2. React sends message to backend requesting url -> url is presented to user and opened?
  3. User signs in, via e.g. google and a token is sent directly from google back to the phoenix server (ueberauth).
  4. I then save that information back to the database including email, and token
  5. I then sign a JWT using something like guardian

Questions I’m struggling with are:

  1. How do I at step 5 get a message to the browser saying ‘here’s your token’
  2. What do I use the token I get back from google/github for? is there even a use for it? Am I suppose to hit google every request and make sure they are still logged in or do I just ignore it? I can’t see any use for it considering I’m using a JWT for app/server communication

Most Liked

Harrisonl

Harrisonl

I actually think I might have come up with a solution from a bit more reading.

Is this ok/no security holes

  1. User clicks ‘sign in via google’ or something in my react app.
  2. Then in my react app I redirect my user to my api /api/auth/google ueberauth route.
  3. I the user does the auth dance with google and the result is sent back to my api
  4. My api does a DB lookup to see if the user is already created. If they are it signs a JWT (using guarding) and returns that in the response headers.
    4b. If they are not, it creates the user in the backend, then generates a JWT and again puts it back in the header along with some other information indicating that they are a new user and may need to do some more sign up stuff.
  5. I then redirect back to my react app with the JWT in the redirect headers.
  6. Authentication happens as normal from then on using the JWT.
  7. ON sign out, I delete the jwt from their local storage and when they sign in again the process repeats it’s self.

How does this look?

Harrisonl

Harrisonl

@acrolink yeah pretty much I think (Not 100% what else ueberauth is doing under the hood) -> you see any issues with that?

Harrisonl

Harrisonl

@acrolink also looks like the google strategy then makes another request on callback to obtain an access token:

  @doc """
  Handles the callback from Google.
  """
  def handle_callback!(%Plug.Conn{params: %{"code" => code}} = conn) do
    params = [code: code]
    opts = [redirect_uri: callback_url(conn)]
    case Ueberauth.Strategy.Google.OAuth.get_access_token(params, opts) do
      {:ok, token} ->
        fetch_user(conn, token)
      {:error, {error_code, error_description}} ->
        set_errors!(conn, [error(error_code, error_description)])
    end
  end
acrolink

acrolink

So you check for an existing account in the DB and sign a token (to be returned to the JS front-end application for future requests) only by relying on the email address returned by the oauth2 provider?

pehuen-rodriguez

pehuen-rodriguez

Just for the sake of not having somebody replying to my last answer, and as I think it may be interesting:

I took a look at how this is done at CaptainFacts’ and decided to do the same. Here’s my list of steps, based on what’s been written by @Harrisonl

  1. User clicks ‘sign in via [thirdparty]’ or something in my React app.
  2. Still on the client’s side, create and use the third party’s oauth url to redirect or open in a new tab. Here’s CaptainFacts’ repo example.
  3. The user does the auth dance with [thirdparty] and the result is sent back to React.
  4. Now is when React does the signin with Phoenix via an API POST. E.g. in this line.
    4.a Existing user is retrieved and maybe updated and JWT token gets sent.
    4.b Or new user is created and JWT gets sent with maybe extra information.
  5. React gets the JWT as a regular login response.
  6. Authentication happens as normal from then on using the JWT.
  7. Sign out is performed by unlinking the third party from the user, and removing the local JWT.

Where Next?

Popular in Questions Top

Tee
can someone please explain to me how Enum.reduce works with maps
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
ycv005
I have followed this StackOverflow post to install the specific version of Erlang. And When I am running mix ecto.setup then getting fol...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
mathew4509
I have a list say x = ["23gh", "56kh", "97mh"] I would like to pass each element to Val in each iteration. Say, in iteration 1 -------...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
idi527
I’ve been re-reading swift book again and noticed that multiline strings there don’t have a trailing line break, unlike in elixir iex(2)...
New

Other popular topics Top

JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
peerreynders
Manning 2016 Halloween weekend sale via Deal of the Day Friday, October 28 - Half off all MEAPs - code WM102816LT Saturday, October 29 ...
326 29600 154
New
sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
977 41022 311
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 49522 488
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New

We're in Beta

About us Mission Statement