-
Notifications
You must be signed in to change notification settings - Fork 379
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement]: Authorized applications #2381
Comments
I have written up a concept for that here: #2379 (comment) Still I would recommend a whitelist for the mobile callbacks with
A Callback-URL is always passed in the first request (however without an App Description, which is not defined in the standard). See: Also GitHub, Spotify and co use standard oauth2 btw. Edit: In theory on could add also the app name, by defining an optional parameter, and then first - like in a standard oauth2 flow - redirect to an internal ABS site asking if its okay with the name, and then redirect to the oauth provider. Depending on the configuration of the oauth2 provider the user would have to give the ok two times. This solution if really required in the future can be built on top of the other concept I have written up above. It would also work with oauth2 libraries. |
…yr#2381) - Implement /auth/openid/mobile-redirect this will redirect to an app-link like audiobookshelf://oauth - An app must provide an `redirect_uri` parameter with the app-link in the authorization request to /auth/openid - The user will have to whitelist possible URLs, or explicitly allow all - Also modified MultiSelect to allow to hide the menu/popup
Added in v2.7.0 |
Describe the feature/enhancement
To support the new OpenID connect login option all clients have to implement the new login strategy themselves. This means that applications have to register a unique URL scheme because
audiobookshelf://
would conflict with the official app. From the apple docs:Users would have to add callback URLs for each third-party client they use, which is quite annoying.
On top of that trusting third-party developers to always adapt new login strategies is in my opinion quite optimistic. If for example 2FA auth is introduced for local accounts all client applications would have to be updated to not be rendered useless, or users would have to miss out on the feature to still be able to use their favourite app.
I would suggest that sign-ins are always handled by ABS and clients just receive a token. Similar to authorising a GitHub / Spotify / ... app. When a user wants to authenticate themselves the client application just opens a web browser and provides some information about itself. Something like
The user can review these and then choose to authorize the client or to reject the request. When the user grants permission (and logins in if required) they are redirected to the callback URL
This would make adding new login strategies much more simple because every single client would just support them without any additional work required
The text was updated successfully, but these errors were encountered: