This repository has been archived by the owner on Aug 22, 2019. It is now read-only.

Backpack Connect API not really usable #1043

Closed
ploaiza opened this issue Feb 3, 2015 · 2 comments

ploaiza commented Feb 3, 2015

With the existing backpack connect API there's no way (that I can see) to determine which user you are getting connect permissions/access_tokens for. The call to connect does not let you specify any sort of user identifier and the callback from the backpack api does not give any sort of user identifier.

The call to connect:

```js
OpenBadges.connect({
  callback: "http://yoursite.com/callback",
  scope: ['issue']
})
```

The response on callback:

```json
{
  "expires": 3600,
  "access_token": "new-access-token",
  "refresh_token": "new-refresh-token"
}
```

Neither of those specify any user information.

Also, the whole connect/callback/identity process is going to take non-trivial JavaScript on the originating web page if I want to let the user know that they have or have not made a successful connection.

Example:

I have a web page where any number of users can go to claim a badge.

20 of them go to the web page at roughly the same time.

I authenticate them with email address and password.

I issue connects for all 20 through the Backpack Connect API.

The backpack calls my callback process.

Now I'll need a JavaScript idle/polling loop on my webpage to poll some process and see if the callback got a valid access_token for the user.

Problem #1
If there is an error I have no way of giving feedback to the current user because I have no token, no email, no user id, nothing returned that will let me know which of the 20 users trying to connect got the error. The only thing I can do is put a timeout limit on my loop and, when that timeout is reached, give the user a very generic "who the heck knows what went wrong" message.

Problem #2
If I use a call to Identity I get back a hashed email and a salt. Now I'm going to have to hash every single email in my database with that salt and test for a match to figure out which person that access_token is good for. Not realistic for a large set of users.

Problem #3
User signs in to my website as myname@noemail.com but signs into Persona as MyName@nomail.com. I'll never be able to match that hashed email and salt to any user in my database.

Or, I'm missing something fundamental about how to use the Backpack Connect API?

@mattdigitalme
Contributor

@auralon One to link with re: Connect API testing?

@ploaiza Do you want to join the Backpack Developer Slack Channel to get this worked through if needed?

@auralon
Contributor

auralon commented Dec 8, 2016

If you're using any kind of session handling for your logged-in users, then this should be quite straightforward.

A user logs in to your system. They then initiate the backpack connect process and get taken away to the backpack, where they log in and grant access (the ability to push badges) to your site. They then get returned to your site with a callback containing the access_token and such. At this point you then save the backpack connect session details for the user, based on the active browser session.

auralon closed this as completed Dec 15, 2016
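
The session-based approach from the last comment, sketched as an added example (not part of the thread and not the project's code): tokens from the callback are stored under the user of the active browser session, errors are reported for that same user, and the Identity response is checked with a single hash of the session user's email instead of a scan over every account. Assumptions: the callback request reaches the site in the user's browser with its session cookie, the Identity fields are named `recipient` and `salt`, and the hash is `sha256$` + hex SHA-256 of email + salt; all function names and the in-memory maps are hypothetical.

```javascript
const crypto = require('crypto');

const sessions = new Map();    // sessionId -> { userId, email }, filled at login
const connections = new Map(); // userId -> tokens received from the backpack

function login(userId, email) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { userId, email });
  return sessionId;
}

// Called by the callback route. sessionId comes from the session cookie,
// params from the callback data (expires, access_token, refresh_token).
function handleCallback(sessionId, params, now = Date.now()) {
  const session = sessions.get(sessionId);
  if (!session) return { ok: false, error: 'no-session' };
  if (!params.access_token || !params.refresh_token) {
    // The failure is tied to a known user, so the page can say who and why.
    return { ok: false, userId: session.userId, error: 'connect-failed' };
  }
  connections.set(session.userId, {
    accessToken: params.access_token,
    refreshToken: params.refresh_token,
    expiresAt: now + Number(params.expires) * 1000,
  });
  return { ok: true, userId: session.userId };
}

// Assumed hash format: "sha256$" + hex(SHA-256(email + salt)).
function hashEmail(email, salt) {
  return 'sha256$' + crypto.createHash('sha256').update(email + salt).digest('hex');
}

// One hash of the session user's email; no pass over the user table.
// A false result (for example a differently cased email) is reported to
// this user rather than silently attributing the token to them.
function identityMatchesSession(sessionId, identity) {
  const session = sessions.get(sessionId);
  if (!session) return false;
  const expected = Buffer.from(hashEmail(session.email, identity.salt));
  const actual = Buffer.from(String(identity.recipient));
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
}
```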