OAuth 2.0/OIDC Access Token Retrieval Support #476

Merged
merged 12 commits into from Jan 7, 2020

Conversation

reefqi037
Contributor

This PR adds an OAuth 2.0/OIDC Access Token retrieval function to Postwoman 🎉

Main Feature

With this feature, OAuth 2.0 access token can be retrieved directly from inside Postwoman.
Since Postwoman is a web-based SPA, it has no way to hide the client secret used in the normal OAuth 2.0 flows. Therefore, only Authorization Code Flow + PKCE is implemented.

Additional Features

  • Automatic configuration using OpenID Connect Discovery endpoint ( Configure endpoints automatically! )
  • Access Tokens Management ( Save, reuse, and delete multiple access tokens )
  • Token Request Management ( Save, reuse and delete multiple authorization endpoints configuration )

Screenshots

  1. Main UI (screenshot: oauth)
  2. Access Token Management UI (screenshot: token-management)
  3. Token Request Management UI (screenshot: token-req-management)

Limitations

  • Users can only use OAuth Service Providers that provide PKCE support for client authentication.
  • Users have to register Postwoman as callback URL and trusted/allowed origin (CORS) in the OAuth application and Service Providers' settings.

There should be room for improvements, but for the time being I think the core functions here should work (tested with Okta and Auth0 as Service Providers). Feel free to suggest and improve 👨‍💻 👩‍💻 🚀

fixes #337

@ghost

ghost commented Jan 7, 2020

DeepCode's analysis on #b0346a found:

  • ❌ 0 critical issues. ⚠️ 0 warnings and 2 minor issues. ✔️ 0 issues were fixed.

💬 This comment has been generated by the DeepCode bot, installed by the owner of the repository. The DeepCode bot protects your repository by detecting and commenting on security vulnerabilities or other critical issues.


☺️ If you want to provide feedback on our bot, here is how to contact us.

@TravisBuddy

Hey @reefqi037,
Your changes look good to me!

View build log

TravisBuddy Request Identifier: b18bac80-315a-11ea-aacd-b3fcdaf4a164

@TravisBuddy

Hey @reefqi037,
Your changes look good to me!

View build log

TravisBuddy Request Identifier: b18b1040-315a-11ea-aacd-b3fcdaf4a164

@liyasthomas liyasthomas requested review from AndrewBastin and liyasthomas and removed request for AndrewBastin January 7, 2020 14:59
@liyasthomas liyasthomas requested a review from NBTX January 7, 2020 15:33
@TravisBuddy

Hey @reefqi037,
Your changes look good to me!

View build log

TravisBuddy Request Identifier: 34128120-3164-11ea-aacd-b3fcdaf4a164

@TravisBuddy

Hey @reefqi037,
Your changes look good to me!

View build log

TravisBuddy Request Identifier: b66ae400-3173-11ea-aacd-b3fcdaf4a164

@liyasthomas liyasthomas merged commit bb924dc into hoppscotch:master Jan 7, 2020
@liyasthomas
Member

@reefqi037 I did a few refactorings to oauth.js in 57f7621, can you please verify it? Usually I make dumb mistakes 🤦‍♂️

@reefqi037
Contributor Author

@liyasthomas Yeah, I have seen it and made some tests. No 🐛 found at the moment. All good! 👍

@liyasthomas
Member

Thanks for the quick response

@reefqi037
Contributor Author

No problem!

@Bettelstab

@reefqi037

While I really appreciate your work (I'm just about to give it a try) I disagree with what you said about Authorization Code Flow + PKCE being the only possible flow. In my understanding, the reason you can't use a client secret in usual SPAs is that you would have to embed it in the code, so it would be accessible by the public, as you said.

In case of Postwoman, however, there is not that one client secret, but each user could add her own and save it client-side. Nobody else will ever see it. Should work perfectly fine.

Successfully merging this pull request may close these issues.

Feature Request: Support OAuth2/OIDC