Is there a reason why the LINE SDKs do not return an authorization code to be used by a backend service? #167
Comments
|
Hi, Thanks for opening this. About authorization codeThe native LINE SDK is not only an SSO login component (LINE Login), but also an API client for using other public LINE APIs. So a main target of this project is providing a self-contained solution for most developers. Making a client authorization code exchange can help those developers who wants to use LINE APIs even when they do not own their own server. Also, since the LINE Login in LINE SDK is a "mobile-first" login SSO, it contains more client-oriented secure features, but lack of the notorious You can intercept the authorization code from the URL which LINE Login service returns to you in the app delegate. It should be a URL query parameter under About refresh tokenSince it might be a bit complicated to use the authorization code on your server, another more realistic way is just leaving the token exchange to LINE SDK, and sending access token and refresh token to your server. However, sending and storing these tokens (access token or refresh token) is considered as violating agains Apple's App Store Review Guidelines:
We before also received some rejection report on this, so we recognize it as a "mis-use" to sending LINE access token or refresh token to your server for storing purpose. This is why we marked the LINE SDK manages the refreshing automatically. If you really need the refresh token, it would be trivial to fork this repo and change the |
|
Thank you for your detailed reply. We might look into the intercept route in that case. |
Referring to the documentation, native clients will send an access token and id token to our backend service. This means that we can't then obtain a refresh token, so when the access token expires we have no access to LINE APIs on behalf of the user. The only way to solve this is for the client to reauthenticate and send new tokens.
Web-based login on the other hand provides the server with an authorization code (docs) which can be exchanged for an access token and a refresh token.
This is a problem for us because we have implemented a login service, for both our web application and native applications, which exchanges external tokens for our own tokens. This works fine for other services (sign in with Apple, sign in with Google, etc.) which do provide an authorization code and therefore allow us to obtain a refresh token for those services. Internally we use the provider refresh token when the access token expires. As LINE does not provide a refresh token, we would have to also have the client send a new LINE access token if the old one has expired, and therefore update our database. I'm sure you can see how this will require us to branch our logic (i.e.
if (line) { specialRefreshToken } else { normalRefreshToken }).Considering the authorization code is used internally within the SDK, I don't quite understand why this is being closely guaraded client-side rather than making this available to pass to backend services instead of being exchanged behind the scenes. Can anybody comment on the reasons behind this (and why LINE is so different to other SSO providers like Google or Apple)?
The text was updated successfully, but these errors were encountered: