Simplify the OAuth2 authentication flow #55
Comments
Low priority, agreed, but if this works, it'll simplify the OAuth workflow and provide a better DX. Cool.
This would be a good addition since it seems like it is not possible to get redirect url to work with
Could we also have a way to add access scopes as URL parameters as part of the redirect URL? Currently I'm having to do this in my code:
Wow, it would be really nice to have.
A simplified OAuth2 handling was implemented in the

The JS SDK was also updated to accommodate the change and if you want to test you have to use

```js
const authData = await pb.collection("users").authWithOAuth2({
    provider: "google",
    // custom scopes to overwrite the default ones
    // scopes?: Array<string>;
    // optional record create data
    // createData?: {[key: string]: any};
    // optional callback that is triggered after the OAuth2 sign-in/sign-up url generation
    // urlCallback?: OAuth2UrlCallback,
});
```

This method initializes a one-off realtime subscription and will open a popup window with the OAuth2 vendor page to authenticate.

Side note: when creating the OAuth2 app in the provider dashboard you have to configure

The "manual" code exchange flow is still supported as

The Dart SDK will be updated similarly sometime later today.

PocketBase uses the OAuth2 PKCE flow but due to the stateless nature of the application and the requirement to support multiple platforms (web, Android, iOS, etc.) in a similar manner, the current implementation is a little verbose and some users have reported finding it cumbersome to implement in their app (see existing Auth via OAuth2 guide).
Furthermore, the current approach has one more drawback - it will not work out of the box with platforms that may not support redirect URLs or deep links (e.g. AdobeXD and Figma plugins; check similar issue in Presentator #178).
The best solution that I can think of at the moment would be to start a persistent connection (e.g. SSE) with the client and handle everything in a single call without even a reload being necessary, e.g. for web platforms using the JS SDK it could look like this:
Feedback and suggestions for other approaches are welcomed.
This currently is a low priority, but we'll have to decide on the implementation before v1.0.0 to avoid introducing breaking changes.
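
As an added example (not code from the PocketBase project or from this thread): the checks a redirect page has to perform in a manual PKCE code exchange before the authorization code is exchanged, which is the part the discussion above calls verbose. The `stored` object, its field names and the function names are assumptions standing in for whatever the app saved before redirecting.

```javascript
// Added example: validate the OAuth2 redirect before exchanging the code.
// `stored` (provider, state, codeVerifier) is an assumed shape for what the
// app persisted (e.g. in localStorage) before sending the user to the provider.

// Compares every character instead of returning at the first difference.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function validateOAuth2Redirect(redirectUrl, stored) {
  if (!stored || !stored.state || !stored.codeVerifier) {
    throw new Error("no pending OAuth2 request");
  }
  const params = new URL(redirectUrl).searchParams;

  // Reject duplicated parameters instead of silently taking the first one.
  for (const name of ["state", "code", "error"]) {
    if (params.getAll(name).length > 1) throw new Error(`duplicate ${name} parameter`);
  }
  // The state must match before anything else from the URL is trusted;
  // a missing state yields null and fails the comparison.
  if (!safeEqual(params.get("state"), stored.state)) throw new Error("state mismatch");
  if (params.has("error")) throw new Error("provider returned error: " + params.get("error"));

  const code = params.get("code");
  if (!code) throw new Error("missing authorization code");

  // Values to hand to the code exchange call; the verifier comes from local
  // storage only and is never read from the redirect URL.
  return { provider: stored.provider, code, codeVerifier: stored.codeVerifier };
}

// Constructed sample data, not taken from a real provider.
const pending = { provider: "google", state: "s-7f3a91", codeVerifier: "v-constructed-verifier" };
const base = "https://app.example.com/redirect";
const ok = validateOAuth2Redirect(base + "?state=s-7f3a91&code=abc123", pending);
console.log(ok.provider, ok.code);
```

The pending entry should be deleted from storage once it has been consumed, whether validation succeeds or fails, so a state value cannot be reused.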