EPIC(?): OAuth login for first-party clients #328

Closed · 8 tasks done

dhwthompson opened this issue Jun 20, 2017 · 1 comment
dhwthompson commented Jun 20, 2017

Background

We want users running in browsers with restrictive policies on third-party cookies (most notably Safari) to be able to log into the Hypothesis client without having visited the hypothes.is domain in their current browser.

Some further context on the problems we’re solving.

Proposed user flow

  • A user clicks the “Login” link in the client
  • If the user is not already logged in on the hypothes.is domain, a popup window opens, asking them to log in
  • If the user is logged in on the hypothes.is domain, the popup immediately closes, returning a token to the client and logging them in

Technical considerations

Because we are initially implementing this only for known clients, we can rely on the postMessage API and not implement the OAuth redirect flow for now.

We’re planning to feature-flag this for both the browser extension and embedded clients. One option for feature-flagging in the browser extension is to add a new configuration option into the extension’s options panel, marked as experimental.

Further details are in the technical design document.

Implementation checklist

(Further items to be added as we come across them.)

  • OAuth authorization page in h to generate authorization codes
  • Exchanging authorization codes for access/refresh tokens
  • Feature flagging in the browser extension
  • Feature flagging in the embedded client
  • Support registering first-party OAuth clients in the service
  • Use the OAuth authorization page in the client when feature flag enabled
  • Access/refresh token persistence in the client (using localStorage?)
  • Document configuration etc. required for first-party OAuth

Additional notes

This ticket was extracted from parts of #310, #311, #313, #314 and #315, taking a minimum useful slice of functionality from each.

This is a part of the functionality expressed in #159, namely “provide an OAuth-based method for logging into Hypothesis”.
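The popup-to-client token hand-off described under "Technical considerations", as an added example that is not part of the issue or of the Hypothesis code base: the popup posts the tokens back to its opener, and each side checks the other's origin before trusting anything. The allow-list, the message shape, the `https://hypothes.is` origin and the client origins are assumptions for illustration.

```javascript
// Added example, not Hypothesis project code: postMessage hand-off of
// tokens from the authorization popup to a known first-party client.

// Popup side (runs on the authorization service's origin).
// Assumed allow-list of registered first-party client origins (constructed).
const ALLOWED_CLIENT_ORIGINS = new Set([
  'https://client.example',
  'chrome-extension://exampleextensionid',
]);

// Send tokens to the opener only if it is a registered client, and always
// with an explicit targetOrigin so any other opener never receives them.
function deliverTokens(opener, clientOrigin, tokens) {
  if (!ALLOWED_CLIENT_ORIGINS.has(clientOrigin)) {
    return false;
  }
  opener.postMessage({ type: 'authorization_response', ...tokens }, clientOrigin);
  return true;
}

// Client side: accept a message only from the expected origin, only from the
// popup we opened, and only with the expected shape. Returns null otherwise.
function parseAuthMessage(event, authOrigin, popup) {
  if (event.origin !== authOrigin) return null;
  if (event.source !== popup) return null;
  const d = event.data;
  if (!d || d.type !== 'authorization_response') return null;
  if (typeof d.access_token !== 'string' || typeof d.expires_in !== 'number') return null;
  return { accessToken: d.access_token, refreshToken: d.refresh_token || null, expiresIn: d.expires_in };
}

// Constructed simulation of the exchange with no browser: the popup calls
// deliverTokens and the opener's message listener runs parseAuthMessage.
function simulateLogin(clientOrigin, authOrigin) {
  const popup = { name: 'auth-popup' };
  let result = null;
  const opener = {
    postMessage(data, targetOrigin) {
      // A browser drops the message unless the opener's origin matches targetOrigin.
      if (targetOrigin !== clientOrigin) return;
      result = parseAuthMessage({ origin: authOrigin, source: popup, data }, authOrigin, popup);
    },
  };
  const tokens = { access_token: 'constructed-access', refresh_token: 'constructed-refresh', expires_in: 3600 };
  const delivered = deliverTokens(opener, clientOrigin, tokens);
  return { delivered, result };
}
```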

@dhwthompson dhwthompson changed the title OAuth login for first-party clients Epic(?): OAuth login for first-party clients Jun 23, 2017
@dhwthompson dhwthompson changed the title Epic(?): OAuth login for first-party clients EPIC(?): OAuth login for first-party clients Jun 23, 2017
dhwthompson (Author) commented

Now that hypothesis/h#4683 has been merged and is up on the interwebs, everything in this issue is now finished.

🎉
