User Login and Consent Flow for OAuth2 #242

Open
fenech opened this issue Aug 6, 2019 · 5 comments

Comments

@fenech

fenech commented Aug 6, 2019

Hello! I am interested in using AuthBoss to handle user login and consent as part of an OAuth2 flow (I am using ORY Hydra). I am wondering:

  • Is this something that makes sense to do?
  • Is there a built-in way to use AuthBoss as the "Identity Provider" part of OAuth2? I see that there is an OAuth2 module, but it seems like this is for delegating authentication to another provider.
  • If it makes sense but there's no built-in way, how can I modify the existing password-based use case to perform the necessary redirects when the user is authenticated and consent is granted?
@fenech
Author

fenech commented Aug 7, 2019

I've been looking into this some more, and I'm not sure that it can be achieved without making modifications to the way the auth module works. The login flow I'd like to replicate is based on this example:

GET login:

  1. User visits OAuth2 provider's /auth endpoint
  2. OAuth2 provider redirects to AuthBoss app /login?login_challenge={challenge}
  3. Authboss app sends request with challenge to OAuth2 provider to see whether auth can be skipped
    4a. If so, accept login (POST to OAuth2 provider) and redirect
    4b. If not, render the login page

POST login:

  1. Authboss authenticates based on posted credentials
    2a. If valid, accept login (POST to OAuth2 provider) and redirect
    2b. If invalid, return to login page

Any guidance on how to integrate this extra behaviour, or any suggestions on an alternative way to achieve what I'm trying to do would be greatly appreciated.
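The two-phase flow sketched above (GET login with Hydra's skip check, then POST login accepting the posted credentials), written out as a Go HTTP handler. This is an added illustration and not code from this issue, from authboss, or from the login-consent project. It assumes Hydra's admin API is reachable at http://127.0.0.1:4445 and uses its GET /oauth2/auth/requests/login and PUT /oauth2/auth/requests/login/accept endpoints; the `Authenticate` callback stands in for the password check the authboss auth module would perform, and the alice/s3cret pair in `main` is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// loginRequest holds the fields of Hydra's GET /oauth2/auth/requests/login reply the handler uses.
type loginRequest struct {
	Skip    bool   `json:"skip"`
	Subject string `json:"subject"`
}

// HydraClient talks to Hydra's admin API; AdminURL (e.g. http://127.0.0.1:4445) is an assumption.
type HydraClient struct{ AdminURL string }

// call sends one admin-API request carrying the login challenge and decodes the JSON reply into out.
func (c *HydraClient) call(method, path, challenge, body string, out interface{}) error {
	req, err := http.NewRequest(method, c.AdminURL+path+"?login_challenge="+url.QueryEscape(challenge), strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // Hydra answers an unknown or expired challenge with a 4xx
		return fmt.Errorf("hydra %s %s: status %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// GetLoginRequest asks Hydra whether authentication can be skipped (step 3 of GET login).
func (c *HydraClient) GetLoginRequest(challenge string) (*loginRequest, error) {
	var lr loginRequest
	err := c.call(http.MethodGet, "/oauth2/auth/requests/login", challenge, "", &lr)
	return &lr, err
}

// AcceptLoginRequest tells Hydra which subject authenticated and returns where to send the browser.
func (c *HydraClient) AcceptLoginRequest(challenge, subject string) (string, error) {
	body, _ := json.Marshal(map[string]string{"subject": subject})
	var out struct{ RedirectTo string `json:"redirect_to"` }
	err := c.call(http.MethodPut, "/oauth2/auth/requests/login/accept", challenge, string(body), &out)
	return out.RedirectTo, err
}

// LoginHandler is the app's /login endpoint. Authenticate stands in for the credential check the
// authboss auth module would perform; it is an assumption of this example, not authboss's API.
type LoginHandler struct {
	Hydra        *HydraClient
	Authenticate func(username, password string) bool
}

const loginForm = `<form method="post"><input type="hidden" name="login_challenge" value="%s"><input name="username"><input type="password" name="password"><button>Log in</button></form>`

func (h *LoginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	challenge := r.FormValue("login_challenge") // query string on GET, hidden form field on POST
	if challenge == "" || (r.Method != http.MethodGet && r.Method != http.MethodPost) {
		http.Error(w, "missing login_challenge or unsupported method", http.StatusBadRequest)
		return
	}
	var subject string
	if r.Method == http.MethodPost { // POST login, step 1: authenticate the posted credentials
		subject = r.FormValue("username")
		if !h.Authenticate(subject, r.FormValue("password")) { // 2b: invalid, back to the login page
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprintf(w, loginForm, html.EscapeString(challenge))
			return
		}
	} else { // GET login, step 3: ask Hydra whether the user already has a session
		lr, err := h.Hydra.GetLoginRequest(challenge)
		if err != nil {
			http.Error(w, "login challenge not recognised", http.StatusBadRequest)
			return
		}
		if !lr.Skip { // 4b: no session, render the login page
			fmt.Fprintf(w, loginForm, html.EscapeString(challenge))
			return
		}
		subject = lr.Subject // 4a: Hydra already authenticated this subject
	}
	// 2a / 4a: only a subject vouched for by the password check or by Hydra itself is accepted
	redirect, err := h.Hydra.AcceptLoginRequest(challenge, subject)
	if err != nil {
		http.Error(w, "could not accept login", http.StatusBadGateway)
		return
	}
	http.Redirect(w, r, redirect, http.StatusFound)
}

func main() {
	h := &LoginHandler{Hydra: &HydraClient{AdminURL: "http://127.0.0.1:4445"}, // assumed Hydra admin address
		Authenticate: func(u, p string) bool { return u == "alice" && p == "s3cret" }} // constructed placeholder
	http.Handle("/login", h)
	log.Fatal(http.ListenAndServe("127.0.0.1:3000", nil)) // assumed listen address for the login app
}
```

Two details matter more than the plumbing: the subject handed to Hydra comes only from a source that verified it (the password check on POST, or Hydra's own session on the skip path), never from an unverified form field; and the challenge is escaped both in the HTML hidden field and in the admin-API query string, so a crafted value cannot inject markup into the login page or extra parameters into the call to Hydra. The consent step that Hydra redirects to after the accepted login is not shown here.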

@aarondl
Member

aarondl commented Aug 20, 2019

Hi @fenech. Authboss has only ever been imagined as the "client" in an OAuth2 flow. It's never been meant to be the server or the single sign-on source of truth. I think you'd probably have to create a whole new module for that purpose.

@fenech
Author

fenech commented Aug 22, 2019

In the end I made this project, which wraps some middleware around the auth module to make the extra calls.

https://github.com/nbycomp/login-consent

@ashtonian

Started https://github.com/Ashtonian/hConsenter - a min typed hydra client for the flow, and a separate module based on the login-consent app https://github.com/Ashtonian/authboss-hydra-consent/blob/master/auth.go#L43. It's still pretty rough but it's starting to take shape.

@ashtonian

submitted initial #258
