Access token instead of session #14

Closed
cajoy opened this issue Aug 11, 2014 · 9 comments

@cajoy

cajoy commented Aug 11, 2014

As I understand it, passport uses Session/Cookie for callbacks, while loopback uses AccessTokens for user validation.

Is it possible somehow to redirect using AccessToken and UserId instead of session/cookie?

Thanks

@frankcarey
Contributor

Any answer here? Do we need to add loopback.token as well?

@frankcarey
Contributor

I've got this working by hacking loopback-component-passport module and adding custom code in the passport.authenticate() customCallback to add params of userId and access_token to the successRedirect url. This works fine except when I tried to do it the "right way" by passing in option.customCallback() (as I discovered was an option in the loopback-component-passport code).

The issue is that when passing in the customCallback vs hacking the module, it loses the scope on the res and req variables, so I lose the ability to do the same redirects the default one does. Anyone find a solution to that so I don't have to hack the module?

See http://passportjs.org/guide/authenticate/

@frankcarey
Contributor

> Is it possible somehow to redirect using AccessToken and UserId instead of session/cookie?

I've created a pull request that allows for at least overriding the defaults. The PR has some sample code for implementing a redirect with params as described.

#23

For those curious, my frontend code that grabs the params and then saves them using the angular sdk looks like this:

```javascript
// Note that User is from lbServices / the autogenerated angular sdk.
angular.module('myApp')
  .controller('LoginCtrl', function ($scope, User, $location, $window) {
    // This is at a route of /login and is a page that shows a button/link that will redirect the user
    // to the proper OAuth provider.
    $scope.loginOauth = function (provider) {
      // Redirect the user to the api to follow the login flow of the loopback api.
      $window.location.href = "http://my.api.com/auth/" + provider;
    };
  })
  // Note that LoopBackAuth is from the lbServices as well.
  // This is at a route of /login/callback and the url will look something like..
  // /login/callback?access_token=somehash&userId=someuserid
  .controller('LoginCallbackCtrl', function ($scope, User, LoopBackAuth, $location, $window) {
    // Grab the params from the current url.
    var params = $location.search();

    // Handle response by adding properties to the LBAuth and then calling save
    LoopBackAuth.currentUserId = params.userId;
    LoopBackAuth.accessTokenId = params.access_token;
    // Note that you can also set LoopBackAuth.rememberMe which changes the storage from session to local.

    // Saves the values to local storage.
    LoopBackAuth.save();

    // TODO we might want to grab the user info here as soon as they login.
    /*
    User.getCurrent(function(test) {
      console.log("success", test);
    },
    function(err) {
      console.log("fail", err);
    }
    );
    */
    // Just redirect the user to the homepage once they are logged in.
    $location.url("/");
  });
```
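
An added example, not part of the original comment or the project's code: a defensive version of the callback-parameter handling above. It accepts `access_token` and `userId` only when each appears exactly once and matches an assumed character set, and returns the path with both parameters removed so the token does not stay in the address bar, browser history, or later Referer headers. The function name, the value pattern, and the sample URLs are assumptions.

```javascript
// Added example; consumeAuthCallback and VALUE_RE are hypothetical names.
// Assumed shape for token and user id: URL-safe characters, bounded length.
const VALUE_RE = /^[A-Za-z0-9_-]{1,128}$/;

function consumeAuthCallback(href) {
  const url = new URL(href);
  const found = {};
  for (const name of ['access_token', 'userId']) {
    const values = url.searchParams.getAll(name);
    // Missing or repeated parameters are rejected instead of guessing
    // which copy the server meant (avoids parameter-pollution surprises).
    if (values.length !== 1) {
      return { ok: false, reason: name + ' must appear exactly once' };
    }
    if (!VALUE_RE.test(values[0])) {
      return { ok: false, reason: name + ' has unexpected characters' };
    }
    found[name] = values[0];
    // Strip the credential from the URL we hand back to the caller.
    url.searchParams.delete(name);
  }
  return {
    ok: true,
    userId: found.userId,
    accessToken: found.access_token,
    // Path to show in the address bar after the values are stored,
    // e.g. via history.replaceState or $location.url(...).
    cleanedUrl: url.pathname + url.search + url.hash,
  };
}

// Constructed sample callback URLs (not real tokens or hosts).
const samples = [
  'https://app.example/login/callback?access_token=abc123&userId=42&next=%2Fhome',
  'https://app.example/login/callback?access_token=somehash?userId=someuserid',
  'https://app.example/login/callback?access_token=a&access_token=b&userId=1',
];

for (const s of samples) {
  const r = consumeAuthCallback(s);
  console.log(r.ok ? 'accepted -> ' + r.cleanedUrl : 'rejected: ' + r.reason);
}
```
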

@frankcarey
Contributor

Oh, and it might be a good idea to incorporate this as a built-in option as well.

@cajoy
Author

cajoy commented Nov 3, 2014

Absolutely agree with you - it should be integrated. And you did a great job. But it seems like the package maintainers are very busy doing other stuff ;)

@OwenBrotherwood

+1 interesting
If the maintainer sparks in, then I can join any effort.
headers contra cookies/urls is AAA country. strongloop/loopback#1338 @raymondfeng

@ghost

ghost commented May 12, 2015

+1

@aiampogi

+1 very nice idea to make it built-in

@stale

stale bot commented Sep 6, 2017

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.
