Comments (17)
I just pushed a small example about JWT.
This is the session configuration and this is how you destroy the session and tell the browser to remove the cookie. I'm looking at the Resources tab in my Chrome Dev Tools and I don't see the cookie there after the OAuth flow is complete.
On a side note: The session is also used for security reasons. In case you don't specify transport: 'session'
in your config, the access token is returned as querystring inside the final callback, and usually that data end up being stored in the server logs as well.
from grant.
@kyrylkov feel free to re-open this issue and/or ask any other question.
from grant.
Grant uses cookies and session to persist state between the OAuth steps (redirects). After the OAuth flow is complete you can generate the jwt token inside your callback route and then you can remove the flow data from the session.
from grant.
Both for oauth 1.0 and 2.0?
from grant.
Yep, there is no difference when using Grant. I guess it's safe enough to even use the in memory session store in production, because you really use it only during the OAuth flow, after that you can choose where and how to store the user's credentials.
from grant.
How much effort would it be to make it use express-jwt
as an option instead of express-session
?
from grant.
I'm not sure what exactly is your goal, but you can create a route on your server that uses the express-jwt middleware, that redirects to the /connect/:provider
route. After that inside the final callback route of the OAuth flow you can destroy the session and tell the browser to remove the cookie as well.
Let me know if that makes any sense.
from grant.
Also I forgot to mention that after your are being redirected to the third party server of the provider, when the third party server redirects you back to your server that request won't have a JWT token in it (correct me if I'm wrong).
from grant.
Another thing is that once you have the OAuth access_token from the third party provider you have to store it somewhere on your server. Meaning that you can still use JWT to make requests to your own API, but once that API request involves requesting a third party resource you have to load the access_token from somewhere. Obviously storing the access_token in your JWT is not a good option.
from grant.
Creating and deleting a cookie for this purposes only is very kludgy.
I'm looking for a solution to replace repetitious satellizer server code
from grant.
You are asking for two separate things:
The first part is about having a cookie:
Grant is purely a server side solution. The server should persist state during the OAuth flow. After the third party server redirects you back to your website the server should be able to know which state to pick to continue with the flow. That's what the cookie is for.
The second part is about generating JWT:
If I'm understanding correctly you want only to login your users using various third party providers, get their profile data, and generate JWT based on that.
If that's the case take a look at the profile example on how to get the user's profile inside the callback route. That's the place where you should generate the JWT and return it to the user. It's not that hard to do it actually, take a look at the jws module it's all you need really.
Lastly you should destroy the session and remove the cookie.
from grant.
I have everything implemented manually, however I'd like to rely on well supported modules to minimize maintenance.
I just reviewed passport
and it doesn't require the use of express-session
.
from grant.
Take a look at this, that's the module that every passport- OAuth2 provider depend on:
This is the state store implementation for the OAuth2Strategy used when the
state
option is enabled. It generates a random state and stores it inreq.session
and verifies it when the service provider redirects the user back to the application.
This state store requires session support. If no session exists, an error will be thrown.
The only difference is that the session store is required in Grant, because it is used for dynamic overrides as well. It also helps you out in the rare cases when you do override the redirect_uri that is generated by Grant by default.
from grant.
Thanks. We'll check it out.
from grant.
After implementing Oauth 1.0 manually, it is finally clear where session or some sort of other state is required. Previously we used had only Oauth 2.0, which didn't need it.
from grant.
OAuth2.0 have an optional state
parameter. However you should always include one to prevent certain vectors of attack.
You can enable the automatic state generation for OAuth2.0 by adding state: true
to your server's config:
"server": {"state": true}
Here is the required state you are talking about:
from grant.
So, to answer your question: Some sort of state is unavoidable, whether it's a session or something else.
Using sessions is the most flexible solution that also works out of the box, and pretty much every web developer is familiar with it.
If you can suggest a better alternative for keeping state on the server, I'll take it into consideration. Otherwise this issue can be closed.
from grant.
Related Issues (20)
- Intended method of accessing session.grant HOT 2
- Discord Profile route always 401 Unauthorized HOT 7
- Recommended approach for handling config without checking into git HOT 1
- Support Deno? HOT 3
- iFrame redirect issue with Shopify oAuth HOT 4
- OAuth 2 state - how can I associate a successful grant with a user id HOT 5
- Is there a framework-agnostic API? HOT 1
- Telegram Oauth HOT 2
- Export the grant config and Options HOT 4
- Not working with Next 13 App Router
- How to use dynamic params in custom_params of grant? HOT 1
- Autodesk deprecated v1 (lib's current) oauth endpoints HOT 4
- Incorrect inclusion of client_secret for authorization_code grant in OAuth2 implementation HOT 1
- Switch to OAuth 2 for OpenStreetMap provider HOT 1
- Itch.io authentication HOT 2
- Alternating Domains HOT 5
- Allow to customize "missing provider" error URL? HOT 3
- Any Help to Implement Grant in Next JS
- Is it possible to pass arbitrary data in? HOT 1
- Grant playground open-source? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grant.