Platform: allow authentication from other domains, for 3rd party clients/apps (e.g. OAuth) #55
Comments
adrienjoly
added
enhancement
feedback wanted
help wanted
and removed
feedback wanted
labels
adrienjoly
changed the title
|
Ongoing discussion about how to integrate external auth (e.g. OAuth) to Openwhyd's back-end: openwhyd/openwhyd-react#5 => your opinion and help is welcome there! |
|
In that discussion, I clarify the reasons why I'd like to encourage the development of new front-end/clients rather than new back-ends (or integrated stacks like Meteor). |
|
https://github.com/ianstormtaylor/permit could be used to create a OAuth proxy to the existing API maybe? |
|
Could you explain how the API works and why you need a host and a "back-end bridge" for it work. Also what exactly does the back-end bridge do? |
|
Thanks for asking, Brandon! I think that you will find answers to your question in our roadmap. If there's anything missing and/or not clear enough, please let me know :-) |
|
Thanks! I've started doing a little independent research 😁 (https://medium.com/google-cloud/understanding-oauth2-and-building-a-basic-authorization-server-of-your-own-a-beginners-guide-cf7451a16f66) Just a quick question, should we stick to using node for the backend? I'm also not sure how to best organise potential changes to the server? Should I do it in another repo for now as I would like to play around with Docker etc. My main focus would be to get some sort of server with basic API + Oauth setup, then integrate that with MongoDB to select user. After that's done then the clients can use the APIs. This is a good use case for Docker too, different containers for the API server and the basic web server! |
|
Hi Brandon, sorry for the delay. I don't mind adding another technology, as long as it can still run comfortably on our current $15/month droplet (with 3 GB of RAM), together with Openwhyd's Node server and MongoDB. I may be wrong, but I believe that it would be simpler (for Openwhyd developers) and more resource-saving to have OAuth inside the same Docker container as Openwhyd's Node server. That said, please feel free to fork Openwhyd and freely experiment with any approach that you find relevant! There are just a few things I will need to check before deploying the solution in production:
|
|
Hey @adrienjoly , Implementing OAuth in the backend shouldn't be that difficult, the link Brandon gave is also helpful. I could start playing around with it. Could you guide me on the current flow of logging in and also what files to touch? |
|
Sure, I'll try to do this tonight, after work.
|
|
Hi @uLan08 ! I explained the login flow in the following file: I'm not experienced with the back-end of OAuth, but I think that the cleanest and safest way to do it would be to create a
Alternative ways to do it:
In order to implement the first solution I proposed, I believe that you will have to:
Please let me know if you need more assistance! I'll do my best to help! |
|
Hi Patrick! Are you still motivated to propose a solution to this issue? Let me know if I can help in any way! |
|
Hey adrien,
Yeah, just a bit occupied. But feel free to have a go at it if you want. I
can't promise a definite timeline yet.
…On Sat, 3 Nov 2018, 18:12 Adrien Joly ***@***.*** wrote:
Hi Patrick!
Are you still motivated to propose a solution to this issue? Let me know
if I can help in any way!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ANgZoJhbN4FMkbQfU6qT-TbNrUomChoZks5urWwJgaJpZM4OT_zn>
.
|
|
No worries, I was just checking if I could help ^^ Have a great weekend! |
|
If any of you are based in Paris and available tonight, I propose that we work on this topic during the "hackergarten" meetup: https://www.meetup.com/fr-FR/Paris-Hackergarten/events/tvdrwpyxpbkc/ |
|
Other possible solution: "Grant: OAuth Middleware for Express, Koa and Hapi" (https://github.com/simov/grant) |
|
For reference, we had started using oauth2-server - npm, with Dhafer Dhib, during Hackergarten. I'm considering to follow that route today. |
|
I just discovered https://oauth.io/ and asked them by email if they may be a good solution for us. |
|
OAuth.io would be to provide assistance if we decide to become a oauth2 provider. They have a Node SDK that could easily turn our existing server into an OAuth provider: https://github.com/oauth-io/oauthio-server-node Before checking that out, they suggest looking at the most bare bone example of a Node/Express server using the SDK to become an OAuth provider: https://github.com/oauth-io/provider-node-example There's a step-by-step on video there: https://cl.ly/3a3x1I3W1r2b Advantage of using their platform: Any dev that wants to use Openwhyd's OAuth API merely needs to click 'Auto-Configure' on OAuth.io, which automatically provisions the app on our OAuth server, and transfers the keys over to OAuth.io, and they are set. Demo: https://cl.ly/2n2b1k0T142R Note: it would probably make it easier for us to do that if we migrate to Express.js first => #122. |
|
Could also be used: simov/grant: OAuth Middleware for Express, Koa and Hapi |
…go (#200) Contributes to #122 and #55. What does this PR do / solve? ----------------------------- Openwhyd was developed on top of a custom / home-made web framework called "my-http". In order to standardise it and reduce tech debt, we intend to migrate to Express.js. This PR is a first step towards that goal: it replaces the custom "my-session" middleware by a more standard combination: [connect-mongo](https://www.npmjs.com/package/connect-mongo) and [express-session](https://www.npmjs.com/package/express-session). Overview of changes ------------------- See [list of commits](https://github.com/openwhyd/openwhyd/pull/200/commits) for more details.
|
Note: we should reflect on whether or not we need OAuth. E.g. could we pass a session cookie as POST parameter instead? |
openwhyd.org is an open-source music platform used daily by thousands of users to create playlists of songs from the web (Youtube, Soundcloud, etc...), and discover musical gems from similar users.
Tech stack: Node.js, MongoDB, Docker, Mocka, Webdriver.io, jQuery, Electron + iOS app
Problem + context
Openwhyd users are begging for an Android app and background playback of their playlists from openwhyd.org. Both are front-end issues: the Android app could either be a native project or a responsive web app. And the thing is that our current web app (available at openwhyd.org) is not a fun one to maintain, because of the use of ancient technologies (e.g. jQuery), technical debt and the fact that its codebase is mixed with Openwhyd's back-end...
Several developers proposed to create a separate front-end for Openwhyd, for scratch, in order to tackle these issues. For instance, @SkinyMonkey made a React front-end from scratch: https://github.com/SkinyMonkey/sound-nuggets. But he stopped maintaining it because Openwhyd's lack of OAuth-based API (#55) forced him to run a small back-end/bridge online, which was costly.
If somebody could provide a way for front-end clients to auth & connect to Openwhyd's API without requiring to host and run such a back-end bridge, it would be much easier for the community to create and maintain Openwhyd clients on several platforms!
Objective
Allow 3rd-party apps to use openwhyd's API, with user authentication.
roadblock: only cookie-based authentication is provided by openwhyd.org's server, at that point.
leads:
anybody wants to help?
Howto
In order to solve this issue, you are invited to fork this GitHub repository, makes changes to it, and then create a Pull Request so we can merge your changes back to this repository.
First, you may want to read about:
INSTALL.mdCONTRIBUTING.mdI will be happy to assist you at any stage, if you want to try to solve this issue! If you have any question, just leave a comment below. Beginners are also welcome! 🤗
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: