Comments (9)

danschultzer commented on May 3, 2024

For google apps authentication, you should use PowAssent. It has a google strategy that you can use. What will you build the native app with? I assume you won't need phoenix, ecto or plug but only some light logic for OAuth 2.0 auth flow?

from pow.

fire commented on May 3, 2024

An OAuth login client was written in GDScript, which is the Godot game engine's internal scripting language. This is also convertible to C++.

What my first prototype did was use keycloak as an openid server and then have the game connect to the keycloak endpoints using the oauth client. Then, the keycloak site triggers a google accounts login. This authenticates keycloak and google. My second future prototype is to have the keycloak and elixir / phoenix working.

This isn't ideal because it's not a pure Erlang / Elixir solution. The best situation is to also have the OpenID server be in Elixir, but there don't appear to be any OpenID server implementations.

The idea is the game client connects to pow's openidc server endpoints and have the pow server trigger google logins. I have no idea how to do that.

danschultzer commented on May 3, 2024

Ah, I don't know anything about godot, so any information on how the flow works would help me understand your situation. Is OpenID required, or do you just need to authenticate users with their Google account?

If OpenID Connect is required, then I've built an OAuth 2.0 provider for Elixir that could be worked into supporting the OpenID Connect protocol as, AFAIK, the only difference is nonce validation and the JWT id token. You would also need to set up the flow so it'll redirect to Google for auth.

Using Pow may be easier. If you wouldn't need OpenID, then you only have to set up your server with PowAssent, using the Google strategy. This will authenticate and register users.

fire commented on May 3, 2024

The Godot client is an implementation of https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthConsoleApp/OAuthConsoleApp/Program.cs which is a standard native oauth client.

The client can't point to the google token endpoints because the elixir website won't be authenticated. So it must be an OpenID server. This is the double authentication.

The OAuth 2.0 provider only seems to support password and username authentication. The system should redirect to Google accounts or any of the supported PowAssent providers when the game opens the browser to call the authorization endpoint.

PowAssent cannot be used from the client game because there's no web browser. Providing an embedded browser view is also banned by Google Accounts according to the docs.

Brief description of the flow in the next message.

fire commented on May 3, 2024

  • Start redirect server at localhost with a random port
  • Generate 32 + 32 state and code verifier bytes
  • Call OpenID Connect provider authorization endpoint:

    string.Format("{0}?response_type=code&scope=openid%20profile&redirect_uri={1}&client_id={2}&state={3}&code_challenge={4}&code_challenge_method={5}",
                  authorizationEndpoint,
                  System.Uri.EscapeDataString(redirectURI),
                  clientID,
                  state,
                  code_challenge,
                  code_challenge_method);

  • Open the browser URI using the OS
  • The authorization endpoint redirects to Google.
  • The authorization calls the redirect.
  • Shut down listener
  • Check code from browser (redirect browser request)
  • Exchange code for tokens
  • Use bearer token to go to userInfoEndpoint to get Email / Name

Future:

  • Use bearer token to login to elixir servers.

Edited: For the Keycloak implementation there is no secret. So when exchanging the code for tokens, the secret is empty. Note that the redirect URL must work for localhost:random_port

Edited: There's also a refresh flow.
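
The client-side steps above (random state and code verifier, S256 code challenge, authorization URL, loopback callback check, and the secret-less token exchange), as an added Python example; this is not the GDScript client from the post, and the endpoint, client id and port values used in it are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires for verifier and challenge
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def code_challenge_for(verifier: str) -> str:
    # S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_session() -> dict:
    # 32 random bytes each for state and code verifier, matching the flow above
    verifier = b64url(secrets.token_bytes(32))
    return {"state": b64url(secrets.token_bytes(32)),
            "code_verifier": verifier,
            "code_challenge": code_challenge_for(verifier)}

def authorization_url(endpoint: str, client_id: str, redirect_uri: str, s: dict) -> str:
    # Same parameters as the string.Format call above; urlencode escapes the values
    params = {"response_type": "code", "scope": "openid profile",
              "redirect_uri": redirect_uri, "client_id": client_id,
              "state": s["state"], "code_challenge": s["code_challenge"],
              "code_challenge_method": "S256"}
    return f"{endpoint}?{urlencode(params)}"

def code_from_callback(request_line: str, s: dict) -> str:
    # request_line is the first line the browser sends to the loopback listener,
    # e.g. "GET /?state=...&code=... HTTP/1.1" (constructed sample in the caller)
    method, target, _ = request_line.split(" ", 2)
    query = parse_qs(urlparse(target).query)
    if method != "GET" or "error" in query:
        raise ValueError("authorization failed or unexpected request")
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means the response is not for this session
    if not secrets.compare_digest(state, s["state"]):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

def token_exchange_params(code: str, client_id: str, redirect_uri: str, s: dict) -> dict:
    # Public native client: no client_secret, the code_verifier proves possession
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": redirect_uri, "code_verifier": s["code_verifier"]}
```

The dict from token_exchange_params is what gets POSTed as a form body to the token endpoint; the RFC 7636 test vector in the checks confirms the S256 derivation.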

danschultzer commented on May 3, 2024

Thanks! I found this one helpful too: https://developers.google.com/identity/protocols/OAuth2InstalledApp

So the OAuth 2.0 provider only requires that a resource owner exists. It could be set after Google authentication, as it would be in your case. ExOauth2Provider doesn't have any expectations for how the resource owner is authenticated, just that it exists.

If you have more than one application connecting to the same server it's definitely the way to go. You can combine Pow/PowAssent and ExOauth2Provider to make the work easier, but you'll have to set up the controller to handle the auth flow from the app to google and back.

You could also skip the OAuth 2.0 setup on your server entirely if you only ever have one app, and instead do a custom validation check in your app. You could use JWT or Hawk in this case, and send a signed token back that can be verified both in the client and on the server.

fire commented on May 3, 2024

I've decided to investigate using ExOauth2Provider with Pow/PowAssent.

Can you go into more detail how to implement "controller to handle the auth flow from the app to google and back"?

From my interpretation:

  1. The authorization endpoint accepts a registered clientID and requested scopes
  2. Triggers the pow / pow assent google login
  3. Insert google auth resource owner into the database?
  4. Store scope info in the database?
  5. Callback the 127.0.0.1:random_port with the code.
  6. The game client calls the token endpoint.
  7. Exchange code for token.
  8. Use bearer token to identify the game.

Future: refresh flow

danschultzer commented on May 3, 2024

Yeah, so the controller you build will basically take care of the auth flow instead of using ExOauth2Provider, or OAuth at all.

What you will do instead is something like the following:

  1. Your app will open the browser with your endpoint and a callback URI with a random port
  2. The controller will then use PowAssent to send the user to Google for auth
  3. When the controller gets the callback from Google auth, it'll do all the work of storing the token, user, etc. Also, an auth token will be generated for the user in this step.
  4. The controller will then redirect the user to the callback uri with the auth token. This auth token could be signed or encrypted as a JWT or Hawk token for security.

This way you get around having to use OAuth 2.0. Obviously you would need to build the gdscript, but all you need is already in https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthConsoleApp/OAuthConsoleApp/Program.cs

This is one way of doing it. If you still prefer to keep OAuth 2.0, then you'll instead have to build the controller around first using PowAssent for auth, and then using ExOauth2Provider for handling the request. You should use the native redirect method, and then ensure in your controller that the user gets redirected back to your dynamic uri with the auth code.
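
Steps 3 and 4 of the controller flow above (mint a signed auth token for the authenticated user and redirect to the app's dynamic loopback callback), as an added Python example of the server-side logic; it is not Pow, PowAssent or ExOauth2Provider code, it builds a compact HS256 JWT by hand instead of using a JWT library, and the key, user id and callback values are constructed.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode, urlparse

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_loopback_callback(uri: str) -> str:
    # Only a loopback address with an explicit port is accepted, so the token can
    # never be redirected to a non-local host supplied in the request (open redirect)
    p = urlparse(uri)
    if (p.scheme != "http" or p.hostname not in ("127.0.0.1", "localhost", "::1")
            or p.port is None or p.query or p.fragment):
        raise ValueError("callback_uri must be http://127.0.0.1:<port>/path")
    return uri

def issue_auth_token(user_id: str, key: bytes, now: int, ttl: int = 600) -> str:
    # Compact HS256 JWT: header.payload.signature, each base64url without padding
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ttl}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_auth_token(token: str, key: bytes, now: int) -> dict:
    # Verify the MAC with our own key before trusting any claim, then check expiry
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def callback_redirect(callback_uri: str, user_id: str, key: bytes, now: int) -> str:
    # Step 4 of the flow: the Location the browser is redirected to after Google auth
    check_loopback_callback(callback_uri)
    return f"{callback_uri}?{urlencode({'token': issue_auth_token(user_id, key, now)})}"
```

The game's loopback listener receives the token from the query string and the Elixir server later validates it with verify_auth_token using the same key.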

danschultzer commented on May 3, 2024

I think this has been resolved now.
