
Setting up authentication for CPAN Sidekick #242

Closed
zostay opened this Issue Dec 23, 2012 · 8 comments

3 participants

@zostay
zostay commented Dec 23, 2012

I would like to get CPAN Sidekick setup for authentication so that users can vote and take other authorized actions through the Android app.

@monken
MetaCPAN member
monken commented Dec 23, 2012

Hi,

for testing, you can use https://api.metacpan.org/oauth2/authorize?choice=twitter&client_id=metacpan.dev
It will redirect to localhost:5001 with a code query string. I know that in iOS you can watch the URL in the UIWebView and extract the code parameter. Close the WebView, the rest happens in your App.
Once you have that, you have to request https://api.metacpan.org/oauth2/access_token?client_id=metacpan.dev&client_secret=ClearAirTurbulence&code=[CODE] which will return an access token. Use that to retrieve user data and favorites: https://api.metacpan.org/user?access_token=[ACCESS_TOKEN]

I will set you up with a different client_id and client_secret if everything works for you. Please have a look at the metacpan-web repository for adding favorites and so on.
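The four-step flow monken describes (load the authorize URL, catch the localhost:5001 redirect and pull the `code` out of it, exchange the code for an access token, call `/user`) as an added example in Python; this is not code from the thread or from MetaCPAN. The endpoint paths, parameter names and the `metacpan.dev` / `ClearAirTurbulence` test credentials are the ones quoted above; everything else is an assumption, in particular that the `access_token` endpoint answers with JSON containing an `access_token` member (the thread only says it "returns an access token"). The HTTP transport is injectable so the flow can be exercised offline with a fake. One caveat a practitioner would note: a client secret compiled into a mobile app is not secret, which is why the test credentials above should never ship in a release build.

```python
"""Walk the MetaCPAN OAuth2 code flow as described in the issue thread.

Added example, not MetaCPAN's own client code. Network access is done
through an injectable `fetch(url) -> dict` so the logic can run offline.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

API = "https://api.metacpan.org"  # host and paths quoted in the thread


def authorize_url(client_id, choice="twitter"):
    """Step 1: the URL to load in the WebView."""
    return f"{API}/oauth2/authorize?" + urlencode(
        {"choice": choice, "client_id": client_id})


def code_from_redirect(url, redirect_host="localhost:5001"):
    """Step 2: inspect every URL the WebView navigates to.

    Returns the `code` once the localhost:5001 redirect is reached, and
    None for any other URL (the provider's own login pages) so the caller
    keeps waiting. Reaching the redirect without a code is an error: the
    user may have denied access, and we must not keep the WebView open.
    """
    parts = urlparse(url)
    if parts.netloc != redirect_host:
        return None
    codes = parse_qs(parts.query).get("code")
    if not codes:
        raise ValueError("redirect reached but no code parameter present")
    return codes[0]


def http_get_json(url):
    """Default transport. ASSUMPTION: endpoints answer with JSON."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def exchange_code(code, client_id, client_secret, fetch=http_get_json):
    """Step 3: trade the one-time code for an access token.

    The thread passes the parameters in the query string, so we do too.
    ASSUMPTION: the response is a JSON object with an `access_token` key.
    """
    url = f"{API}/oauth2/access_token?" + urlencode(
        {"client_id": client_id, "client_secret": client_secret, "code": code})
    body = fetch(url)
    token = body.get("access_token") if isinstance(body, dict) else None
    if not token:
        raise RuntimeError(f"no access_token in response: {body!r}")
    return token


def fetch_user(access_token, fetch=http_get_json):
    """Step 4: retrieve the user's profile and favorites with the token."""
    return fetch(f"{API}/user?" + urlencode({"access_token": access_token}))


def login(redirect_url, client_id, client_secret, fetch=http_get_json):
    """Glue: given the captured redirect URL, return (token, user_record)."""
    code = code_from_redirect(redirect_url)
    if code is None:
        raise ValueError("not the redirect URL; keep watching the WebView")
    token = exchange_code(code, client_id, client_secret, fetch)
    return token, fetch_user(token, fetch)


if __name__ == "__main__":
    # Constructed redirect URL standing in for what the WebView would hit;
    # the real run of steps 3 and 4 needs network access.
    print(authorize_url("metacpan.dev"))
    print(code_from_redirect("http://localhost:5001/?code=abc123"))
```

In an app the `code_from_redirect` check is what the WebView navigation callback calls on every URL; the moment it returns a code the WebView is closed and the rest runs in native code, exactly as the comment describes for iOS.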

@zostay
zostay commented Dec 26, 2012

That doesn't actually work for what I want to do here, which is to take advantage of the built-in authentication tools of Android, which will fetch the various OAuth tokens from Twitter (or Facebook or Github as long as the user has that site's app installed) without requiring the user to login again. The mobile user sees a "Grant Permissions" dialog and clicks "Allow" or "Deny" to let the app reuse the credentials already stored with the Twitter app.

However, I believe that the client_id and client_secret give me enough information to fill in the rest. I'm now experimenting to see how far I can get from here.

Thanks!

@monken
MetaCPAN member
monken commented Dec 26, 2012

Well, you actually want to authenticate against api.metacpan.org and not twitter since you want to get access to the favorites and stuff. It just happens that metacpan is using twitter to authenticate the user, but you don't actually have control over that. Let's see what you find out :)

@zostay
zostay commented Dec 27, 2012

Right, I was hoping that I could somehow use the Android AccountManager's SSO to authenticate with api.metacpan.org. Via the SSO interface, I can gain access to the user's access tokens for Twitter, Facebook, and Github. However, it's the authorization process itself that allows api.metacpan.org to be confident of the identity of the user.

While the AccountManager SSO on Android allows me to gain access to the user's identity for use within the application, it doesn't really help here. It only gives me half of the information required to actually share the identity of the user with a third party. I get an access token and a token secret, but I do not have access to the consumer secret required to sign requests. Even if I did, I'm not sure CPAN Sidekick and api.metacpan.org are really in a position to legitimately share a consumer secret. Of course, that still wouldn't allow for SSO to work.

So, using the Android SSO to do this as is seems to be a bust. I must either:

  1. Fallback to providing a WebView authentication activity and ask the user to sign in again via their preferred web site on their phone and piggyback on MetaCPAN's existing authentication scheme or
  2. I need some new mechanism to authenticate with MetaCPAN directly. I have no idea what that would be.

I do want to investigate what might be possible if Google authentication (issue #241) were available as Google provides lots of options with their own authentication that aren't available to these other third parties, but I have no idea if that will be any more productive than trying to use Twitter/Facebook/Github. It seems doubtful at this point.
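Why "an access token and a token secret" is only half of what is needed: with an OAuth 1.0a-style signed request, which is what the terms "token secret" and "consumer secret" in the comment above refer to, the signing key is built from both the consumer secret and the token secret, and the server verifying the signature holds the same consumer secret. The example below, added here and not taken from the thread or from any of the projects it mentions, shows the HMAC-SHA1 signing and verification. The request URL and parameter values are constructed; the percent-encoding and base-string rules are those of OAuth 1.0a.

```python
"""OAuth 1.0a HMAC-SHA1 request signing, to show why the consumer secret
matters. Added example; URL and parameter values below are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ unreserved)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD&encoded(url)&encoded(sorted, encoded key=value pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """The signing key is consumer_secret '&' token_secret. Holding only the
    token half (what Android's AccountManager hands an app) is not enough
    to produce a signature the provider will accept."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("utf-8")
    base = signature_base_string(method, url, params).encode("utf-8")
    digest = hmac.new(key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(method, url, params, consumer_secret, token_secret, signature):
    """Server side: recompute with the consumer secret it holds for the app
    the token was issued to, and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed values; a real request also carries oauth_consumer_key,
    # oauth_timestamp, oauth_signature_method and oauth_version.
    url = "https://api.twitter.com/1.1/account/verify_credentials.json"
    params = {"oauth_token": "t1", "oauth_nonce": "n"}
    print(signature_base_string("GET", url, params))
    print(sign("GET", url, params, "consumer-secret", "token-secret"))
```

Run the two `sign` calls in the test with different consumer secrets and the signatures differ: a second app holding the same token and token secret but a different consumer secret (or none) cannot forge requests for the app that owns the token, which is the situation zostay describes.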

@zostay
zostay commented Jan 27, 2013

Now that Google Auth is available to login to MetaCPAN, I'm still hoping for some way to make this work with Google Auth SSO without requiring the user to login again. Google provides a number of extra workflows for OAuth2 related to mobile that other providers don't, so I'm exploring those to see what I can come up with.

If I can find a way for Sidekick to get a token of some kind from the device's account manager that can be firmly verified by cpan-api, I will see about providing a patch for that. As part of this process, the cpan-api server may need/want to display a grant permissions form to verify that the user is willing to grant the phone application access to the user's CPAN profile.

@oalders
MetaCPAN member
oalders commented Mar 8, 2014

@zostay do you need anything else here? Just trying to clean up older issues.

@zostay
zostay commented Mar 8, 2014

No, I've already discovered that I can't make it do what I'd like it to do. What would be most convenient for Android users would be to use the existing Twitter, Google, Github authenticators that come either built-in or with those installed apps and just make that work. However, to do that, Sidekick would have to use the same app ID that MetaCPAN uses to make it work.

So, unless CPAN Sidekick is adopted as part of MetaCPAN proper, there's nothing that can be done to make this work that way. The only solution is to let CPAN Sidekick be the login liaison, which means I could do nefarious things with their identity (as opposed to Twitter/Google/Github doing that), but that's the best I can do.

@oalders
MetaCPAN member
oalders commented Mar 13, 2014

OK. Sounds good. I'll close this issue then. Thanks for the update. :)

@oalders oalders closed this Mar 13, 2014