Allow providing accessTokens directly #76

Open
etler opened this Issue Nov 12, 2012 · 3 comments

2 participants

@etler

It's possible to get access tokens from OAuth providers through their JavaScript APIs. Because getting access tokens this way does not require browser redirects, you can create an inline login screen by making the API call on the client, then passing the response to your server through an AJAX call.

It's possible to get it to work with passport as is by replicating some of the authentication code in the request that provides the accessToken but it requires copying and pasting large chunks of anonymous functions. If passport provided a way to accept an accessToken directly it could be done much more cleanly.

@jaredhanson
Owner

Could you post some links to providers that have such APIs (and the docs for those APIs)? It'd be great to have strategies for this.

Two strategies I'm aware of for authenticating issued tokens are:
https://github.com/drudge/passport-facebook-token
https://github.com/drudge/passport-twitter-token

These are mostly intended for iOS and Android apps that need to transfer credentials to a server. I'd be curious to know how JavaScript APIs handle this securely.

@etler

The JS API method in particular is documented here. The getLoginStatus function takes a callback that provides you with an authResponse object with your accessToken, expiresIn, signedRequest, and userID, all on the client side. I'm not sure how secure this method is, but hopefully it is because Facebook does it...

Digg has a no-redirect login and after snooping through their network requests, I think they use the Facebook JavaScript API, then pass the access token they get from that to their servers. These are outgoing requests from the site after logging in:

Logging in with Facebook:
Request url:

    http://digg.com/session

Request form data:

    login_type:facebook
    _xsrf:################################
    access_token:########################################################################################################################
    expires:####
    cb:###############

Logging in with Twitter:
Request url:

    http://digg.com/session

Request form data:

    login_type:twitter
    _xsrf:################################
    key:##################################################
    secret:##########################################
    screen_name:#######
    twitter_user_id:########
    cb:###############

The data they pass for Facebook login looks like the same stuff from the Facebook API. I'm not sure what they're using for Twitter. They're not using HTTPS for their session URL, which isn't good.

I've done this before and it allows you to log in a user without any redirects. It'd be good to know if this is safe, and if so, it'd be cool to have an official non-hacky way of doing it (I had to do some madness with re-arranging callbacks).

@jaredhanson
Owner

Cool, thanks for the info. I'll investigate this further and see how it can be implemented as a strategy.
