Comments (11)

eduardoboucas commented on June 1, 2024 1

@zburgermeiszter I'm interested in adding GitHub authentication. Do you think it'd be possible with the method you suggested?

from staticman.

eduardoboucas commented on June 1, 2024

Still not sure how this would work. Normally, these third-party services implement an OAuth flow that sends an access token back to the host site. Who would be the host site here? It can't be the client's static site, so it'd have to be Staticman. But what do we do with that access token? We don't store any data on our service, so not sure how this would work.

Any further thoughts?

from staticman.

zburgermeiszter commented on June 1, 2024

You don't need to store the token.
You can pass it to the client to store it in a cookie. If you want you can encrypt it with the previously suggested asymmetric encryption.
Then when the visitor sends the comment it also sends the cookie with the token that you can decrypt and pull user details (name, email) from the OAuth provider.

image
Source: https://jacada.zendesk.com/hc/en-us/article_attachments/200674926/secureinteractionflow.png

from staticman.

zburgermeiszter commented on June 1, 2024

I also found some thoughts about how to implement this on a Single Page Application.
Authentication in Single Page Applications

It might help us in the future.

from staticman.

zburgermeiszter commented on June 1, 2024

I realized it is enough to play through the authentication until the callback where Staticman receives a user profile object which can be encrypted in a cookie with the Staticman public key.

It is not needed to store the token on the service because it does not need to communicate with the user provider after pulling the profile details.

When users make changes to their social profile, they can update the encrypted cookie contents with the fresh data from the social network.

Let me know when you are done with the encryption integration and I'll try to integrate my proof-of-concept code to it and send a PR.

from staticman.
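
The stateless cookie described in the comment above, as an added example that is not part of the thread, the linked proof-of-concept or Staticman's code. It swaps the suggested public-key encryption for AES-256-GCM under a key only the service holds, since the service is the only party that writes or reads the cookie and a cookie encrypted under a published public key carries no proof that the service issued it; `sealProfile`, `openProfile`, `COOKIE_KEY` and the profile fields are assumed names.

```javascript
// Added example: stateless profile cookie sealed with AES-256-GCM.
// The loader line works under both CommonJS and ES modules.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Assumption: a 32-byte key held only by the service.
// Constructed at start-up here; load it from configuration in practice.
const COOKIE_KEY = crypto.randomBytes(32);
const AAD = Buffer.from('profile-cookie-v1'); // binds the ciphertext to this purpose

// Called in the OAuth callback, once the provider has returned the profile.
// The access token is not kept; only the profile goes into the cookie.
function sealProfile(profile, ttlSeconds, key = COOKIE_KEY, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(AAD);
  const body = JSON.stringify({ profile, exp: now + ttlSeconds * 1000 });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  // Layout: 12-byte IV | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Called when a comment is submitted. Returns the profile, or null if the
// cookie is malformed, modified, expired, or sealed under another key.
function openProfile(cookieValue, key = COOKIE_KEY, now = Date.now()) {
  try {
    const raw = Buffer.from(cookieValue, 'base64url');
    if (raw.length < 12 + 16 + 1) return null;
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAAD(AAD);
    decipher.setAuthTag(raw.subarray(12, 28));
    // final() throws if the tag does not verify, so nothing below runs on forged input
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { profile, exp } = JSON.parse(body.toString('utf8'));
    return typeof exp === 'number' && now < exp ? profile : null;
  } catch {
    return null;
  }
}
```

The expiry inside the sealed body is what forces the profile refresh mentioned above: once it passes, the visitor goes through the OAuth flow again and receives a new cookie.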

eduardoboucas commented on June 1, 2024

Cool! I probably won't have the capacity to look into it before the weekend. Will let you know once I do.

from staticman.

zburgermeiszter commented on June 1, 2024

After receiving an OAuth token, it is also possible to post something to the user's wall.
So they can tweet or post to FB wall what they have commented.
With a short link, which generates more inbound traffic for the blogs, and some statistical data for the short url owner which is possibly the staticman service owner.

from staticman.

zburgermeiszter commented on June 1, 2024

I created a proof-of-concept code for this feature request.
Have a look at it and let me know your thoughts.
https://github.com/zburgermeiszter/passport-stateless-oauth

from staticman.

eduardoboucas commented on June 1, 2024

Just having another look into this. I'm not keen on adding too much complexity to the platform, to be honest. Especially considering that the amount of time I can afford to dedicate to maintaining the project is quite limited, I want to keep the beast easy to tame.

Happy to revisit in the future.

Thanks!

from staticman.

jayvdb commented on June 1, 2024

@eduardoboucas, yes; see https://github.com/zburgermeiszter/passport-stateless-oauth/blob/dev/service/package.json#L9 and https://www.npmjs.com/package/passport-github2

from staticman.

keyvan-m-sadeghi commented on June 1, 2024

Any update on GitHub authentication?

from staticman.
