You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Apr 18, 2020. It is now read-only.
I have struggled to find out how I can make the 3rd party authentication and local authentication to write accessToken and userId cookies (and do everything else) similarly.
It seems, that you have a bug here:
loopback-example-passport/server/views/pages/local.jade
Instead of posting the /auth/local/callback, as it should, it posts to /auth/local instead. This causes a simple login, without creating accessTokens, while the 3rd party logins will always create accessTokens. There might be some use cases, where not creating accessTokens for local users, but creating them for 3rd party users is how you want the system to behave.
I would recommend, that you would fix this so, that in this particular example, all the authentication schemes would create accessTokens as that seems to be what people are expecting to happen, so:
All this complexity is caused by HTTP standards; while 3rd Parties can pass "code" as query parameter when redirecting, doing so with user credentials after POSTing to "/auth/local" would cause two problems:
Passing credentials in query params would be safe withing HTTPS, but would cause your log files to become huge security risk.
HTTP Redirects 301 Moved Permanently and 302 Found do not allow passing HTTP body as they only support GET requests. There is HTTP 307 Temporary Redirect in HTTP 1.1, which would allow rePOSTing to another location, but some browsers MAY implement it in such way, that the user must be prompted, thus this HTTP code is not supported by many frameworks for redirections, Express JS included. So, there would not be a good way to pass credentials from "/auth/local" to "auth/local/callback".
As far as I know, the route POST "/auth/local" does nothing important, which would not be done by "/auth/local/callback", the solution I suggest, actually solves the problem without side effects, as far as I am aware of.
The text was updated successfully, but these errors were encountered:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.
I have struggled to find out how I can make the 3rd party authentication and local authentication to write accessToken and userId cookies (and do everything else) similarly.
It seems, that you have a bug here:
loopback-example-passport/server/views/pages/local.jade
Instead of posting the
/auth/local/callback
, as it should, it posts to/auth/local
instead. This causes a simple login, without creating accessTokens, while the 3rd party logins will always create accessTokens. There might be some use cases, where not creating accessTokens for local users, but creating them for 3rd party users is how you want the system to behave.I would recommend, that you would fix this so, that in this particular example, all the authentication schemes would create accessTokens as that seems to be what people are expecting to happen, so:
In
providers.json
we need:The important things here are,
"callHTTPMethod": "post"
and"setAccessToken": true
.And in
/server/views/pages/local.jade
, change:All this complexity is caused by HTTP standards; while 3rd Parties can pass "code" as query parameter when redirecting, doing so with user credentials after POSTing to "/auth/local" would cause two problems:
As far as I know, the route POST "/auth/local" does nothing important, which would not be done by "/auth/local/callback", the solution I suggest, actually solves the problem without side effects, as far as I am aware of.
The text was updated successfully, but these errors were encountered: