Allow providing accessTokens directly

[etler]

It's possible to get access tokens from oauth providers through their javascript APIs. Because getting access tokens this way does not require browser redirects you can create an inline login screen by making the API call on the client, then passing the response to your server through an ajax call.

It's possible to get it to work with passport as is by replicating some of the authentication code in the request that provides the accessToken but it requires copying and pasting large chunks of anonymous functions. If passport provided a way to accept an accessToken directly it could be done much more cleanly.

[jaredhanson]

Could you post some links to providers that have such APIs (and the docs for those APIs). It'd be great to have strategies for this.

Two strategies I'm aware of for authenticating issued tokens are:
https://github.com/drudge/passport-facebook-token
https://github.com/drudge/passport-twitter-token

These are mostly intended for iOS and Android apps that need to transfer credentials to a server. I'd be curious to know how JavaScript APIs handle this securely.

[etler]

The JS api method in particular is documented here. The getLoginStatus function takes a callback that provides you with an authResponse object with your accessToken, expiresIn, signedRequest, and userID, all on the client side. I'm not sure how secure this method is, but hopefully it is because Facebook does it...

Digg has a no-redirect login and after snooping through their network requests, I think they use the facebook javascript api, then pass the access token they get from that to their servers. These are outgoing requests from the site after logging in:

Logging in with facebook:
Request url:

    http://digg.com/session

Request form data:

    login_type:facebook
    _xsrf:################################
    access_token:########################################################################################################################
    expires:####
    cb:###############

Logging in with twitter:
Request url:

    http://digg.com/session

Request form data:

    login_type:twitter
    _xsrf:################################
    key:##################################################
    secret:##########################################
    screen_name:#######
    twitter_user_id:########
    cb:###############

The data they pass for facebook login looks like the same stuff from the facebook api. I'm not sure what they're using for twitter. They're not using https for their session url which isn't good.

I've done this before and it allows you to login a user without any redirects. I'd be good to know if this is safe, and if so, it'd be cool to have an official non hacky way of doing it (I had to do some madness with re-arranging callbacks).

[jaredhanson]

Cool, thanks for the info. I'll investigate this further and see how it can be implemented as a strategy.

[koenpunt]

This has been open for a while; is this by any chance already possible?