Comments (5)
Actually, am I totally confused here? Doing some more reading, I'm now thinking that token_url should be the GitHub URL that yew-oauth2 will use to get tokens? Is that true? Have I got this thing totally turned around? Many apologies if I have.
OAuth2 can be quite confusing :) … The redirect URL is sent to the SSO server (GitHub in your case) so that the SSO server knows which URL to redirect the user to, once the authentication is complete. Part of this is the "code".
Now in order to ensure that the user doesn't get redirected to a malicious site, you configure a list of allowed (redirect) URLs on the SSO side.
The redirect URL normally is your application which started the whole login process. It then gets called back, including the "code", which it internally (by doing an HTTP request in code, JS or WASM) trades for an "access token", using the "token URL".
So:
- The redirect URL should be the URL of your application
- The token URL must be the token URL to trade the code for an access token, for GitHub: https://github.com/login/oauth/access_token (also see: https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#2-users-are-redirected-back-to-your-site-by-github)
This also means that the "token URL" can never be optional.
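The flow described in the comment above, as an added example that is not part of the original thread or of yew-oauth2: the client builds the authorize URL, the SSO side checks the requested redirect URL against its registered list by exact string match (which is why a trailing slash or scheme difference yields the redirect_uri_mismatch error discussed later), the client checks the returned state on callback, and then builds the body it POSTs to the token URL. The token request parameters follow the GitHub docs linked above; all values (client id, secret, code, state, application URL) are constructed placeholders.

```rust
/// Percent-encode a query value: unreserved characters pass through, all else is %XX.
fn encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Step 1 (client): the URL the browser is sent to; `redirect_uri` is the app itself.
pub fn authorize_url(auth_url: &str, client_id: &str, redirect_uri: &str, state: &str) -> String {
    format!(
        "{}?client_id={}&redirect_uri={}&state={}&response_type=code",
        auth_url, encode(client_id), encode(redirect_uri), encode(state)
    )
}

/// Step 2 (SSO side): the requested redirect_uri must equal a registered one exactly.
/// A trailing slash, a different scheme or port, or a different path all fail the check.
pub fn redirect_allowed(registered: &[&str], requested: &str) -> bool {
    registered.iter().any(|r| *r == requested)
}

/// Step 3 (client, on callback): extract `code` from the query string, but only if
/// `state` equals the value saved in sessionStorage before the redirect (CSRF check).
/// Values are assumed to need no percent-decoding (constructed sample input).
pub fn callback_code(query: &str, expected_state: &str) -> Option<String> {
    let (mut code, mut state) = (None, None);
    for pair in query.trim_start_matches('?').split('&') {
        match pair.split_once('=') {
            Some(("code", v)) => code = Some(v.to_string()),
            Some(("state", v)) => state = Some(v.to_string()),
            _ => {}
        }
    }
    if state.as_deref() == Some(expected_state) { code } else { None }
}

/// Step 4 (client): the form body POSTed to the token URL
/// (https://github.com/login/oauth/access_token) to trade the code for an access token.
pub fn token_request_body(client_id: &str, client_secret: &str, code: &str, redirect_uri: &str) -> String {
    format!(
        "client_id={}&client_secret={}&code={}&redirect_uri={}",
        encode(client_id), encode(client_secret), encode(code), encode(redirect_uri)
    )
}
```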
Thank you so much for your help. I must say I've been really surprised at how confusing this whole OAuth thing has been for me. I've been adjacent to people doing OAuth in the past, and felt like I at least roughly understood what they were doing. Now that I'm trying to deal with it directly (& in a quite different environment), it's clear that I didn't understand nearly as well as I thought I did.
You've helped a lot here, and hopefully I can leverage that to get over this hump in my project. Thanks!
Sorry to take up more of your time, but I'm still befuddled and I'm hoping you could clarify something for me, @ctron.
The redirect URL should be the URL of your application
I think this is a problem if I want to have a "pure" Yew app deployed on GitHub Pages. I can't have my Yew app be the callback (redirect URL), can I? And even if I can, I'm not "supposed" to do that because then my tokens are in the browser and potentially at risk?
My original vision was to:
- Write my web app using Yew and deploy it as a SPA using GitHub Pages.
- I was hoping I wouldn't need any server infrastructure (everything that's relevant is on GitHub through Pages and their API).
- When I got to the OAuth part of the puzzle, it seemed like I needed at least some (very limited) server infrastructure, and I was hoping to use Cloudflare Workers (or some other "serverless" service) to play the role of the server. And this is where I've gotten all bogged down.
When I try to put the URL for my Cloudflare Worker in as the redirect URL, I always get a mismatched URL error from GitHub, even though the URLs seem to me to be identical.
Do you have a sense of how deep a swamp I've wandered into? To make it work, will all the requests have to go through Cloudflare so that "the URL of your application" will be the Cloudflare worker URL?
I feel like I've read 72.8% of the Internet and run a whole host of examples, and none of them seem to quite line up with what I'm trying to do, and I can't figure out if I'm almost there or tilting at windmills. Sighz.
I realize that this isn't really a yew-oauth2 "problem", but I'm not sure what the fundamental issue is or which community to go ask for help. Thanks a ton for your time.
I think you should be able to do that. The Patternfly Quickstart application is also hosted as a GitHub Pages application. And you can use this as a callback too (unless GitHub prevents you from doing so).
From a token perspective I don't think this is a problem either. Because the token is only "stored" in the browser session (not the "local" storage, not as a cookie). So even other tabs don't know about this token. Also, to my understanding, the session store is different for each origin. So you would get the same storage for you.github.io, but that is content that you actually control.
Also see: https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage