express - Auth0 LoopbackJS API access token using 3rd party login -


i have loopbackjs api hosted on domain (e.g. http://backend.com), third party authentication setup via auth0. have front-end hosted spa on domain (e.g. http://frontend.com)

loopback-component-passport seems work fine when front-end on same domain api, , sets userid , access_token cookies accordingly. however, front-end in production on different domain api, example api auth link like:

"http://backend.com/auth/auth0?returnto=" + encodeuricomponent("http://frontend.com")

the backend has used same auth pattern in loopback-passport-example, providers.json file specifies connection details auth0 (although have tried other social providers such facebook).

  "auth0-login": {     "provider": "auth0",     "module": "passport-auth0",     "clientid": "auth0_client_id",     "clientsecret": "auth0_client_secret",     "callbackurl": "/auth/auth0/callback",     "authpath": "/auth/auth0",     "callbackpath": "/auth/auth0/callback",     "successredirect": "/",     "failureredirect": "/login",     "scope": ["email"],     "failureflash": true   }

the front-end (http://frontend.com) has link on page redirect api authentication:

<a href="http://backend.com/auth/auth0">login</a>

clicking on link redirects auth0 properly, , can login. redirects specified target (http://backend.com or http://frontend.com, whichever specified). returnto query parameter seems work expected.

is there way capture access_token before redirecting front-end, , somehow communicate (e.g. query parameters, unless insecure).

after more investigation, settled on method use passing access token , userid loopbackjs backend, separate front-end. documented on github pull-request, using customcallback of passport-configurator.

other places have referenced this fork, issue #102, issue #14 , pull request #155.

there 2 options here, either use fork of loopback-component-passport (e.g. 1 referenced above) npm dependency, or provide customcallback passport configuration option documented.

i wanted little more control on format of url, ended customcallback method. in loopback-example-passport, inside /server/server.js there basic code passing providers.json passport configurator:

var config = {}; try {   config = require('../providers.json'); } catch (err) {   console.trace(err);   process.exit(1); // fatal } passportconfigurator.init(); (var s in config) {   var c = config[s];   c.session = c.session !== false;   passportconfigurator.configureprovider(s, c); }

this can replaced documented customcallback code, passport variable being assigned passportconfigurator.init():

var providers = {}; try {   providers = require('../providers.json'); } catch (err) {   console.trace(err);   process.exit(1); // fatal }  const passport = passportconfigurator.init(); object.keys(providers).foreach(function(strategy) {    var options = providers[strategy];   options.session = options.session !== false;    var successredirect = function(req) {     if (!!req && req.session && req.session.returnto) {       var returnto = req.session.returnto;       delete req.session.returnto;       return returnto;     }     return options.successredirect || '';   };    options.customcallback = !options.redirectwithtoken      ? null      : function (req, res, next) {       var url = require('url');       passport.authenticate(         strategy,         {session: false},         function(err, user, info) {           if (err) {             return next(err);           }            if (!user) {             return res.redirect(options.failureredirect);           }           var redirect = url.parse(successredirect(req), true);            delete redirect.search;            redirect.query = {             'access_token': info.accesstoken.id,             'userid': user.id.tostring()           };           redirect = url.format(redirect);           return res.redirect(redirect);         }       )(req, res, next);   };    passportconfigurator.configureprovider(strategy, options); });

in above example, have copied successredirect function used in passport-configurator.js, use same returnto query parameter. option within providers.json can set e.g. "redirectwithtoken": true, results in redirect auth strategies need external redirect.

one more final bit of code in case returnto redirect required. if exists query parameter, should added @ session level:

app.use(function(req, res, next) {   var returnto = req.query.returnto;   if (returnto) {     req.session = req.session || {};     req.session.returnto = require('querystring').unescape(returnto);   }   next(); });

now, if backend api @ url such http://api.com, , front-end hosted @ domain e.g. http://gui.com, authentication link can placed on front-end:

<a href="http://api.com/auth/facebook?returnto=http%3a%2f%2fgui.com">login!</a>

this result in api auth call, redirect returnto link access token , userid in query parameters.

potentially in future, 1 of issues or other pull requests merged provide more ideal method 3rd party domain redirection, until method work well.


-

Comments

Post a Comment

Popular posts from this blog

PySide and Qt Properties: Connecting signals from Python to QML -

i trying run simple pyside appliccation design made in qml. call function in qml python in separated thread. i have following qml view: import qt 4.7 rectangle { visible: true width: 100; height: 100 color: "lightgrey" text { id: datestr objectname: "datestr" x: 10 y: 10 text: "init text" font.pixelsize: 12 function updatedata(text) { datestr.text = qstr(text) console.log("you said: " + text) } } } here application: some imports.... #!/usr/bin/python import sys import time pyside import qtdeclarative, qtcore pyside.qtgui import qapplication pyside.qtdeclarative import qdeclarativeview the qthread worker.... #worker thread class worker(qtcore.qthread): updateprogress = qtcore.signal(int) def __init__(self, child): qtcore.qthread.__init__(self) self.child = child def run(self):
Read more

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

Image
when using devexpress, see error: devexpress.wpf.grid.infinitegridsizeexception unhandled message="by default, infinite grid height not allowed since grid rows rendered , hence grid work slowly. fix issue, should place grid container give finite height grid, or should manually specify grid's height or maxheight. note can avoid exception setting gridcontrol.allowinfinitegridsize static property true, in case grid run slowly." the problem dxgrid has infinite height. to fix, set height non-infinite. snoop absolutely invaluable this: if "height" xaml element infinite (i.e. 0 or nan ), can set using one of following: option 1: height="{binding path=actualheight, relativesource={relativesource mode=findancestor, ancestortype=uielement}}" option 2: verticalalignment="stretch" option 3: height="auto" hint: use verticalalignment="stretch" if child of grid <rowdefinition height=
Read more

scala - 'wrong top statement declaration' when using slick in IntelliJ -

Image
i'm porting project scala 2.9 2.10, therefore have use slick instead of scalaquery. i'm using slick 2.1.0 since supports ms access. according this tutorial , upgrade guide changed robs object class , added val robs : why error message wrong top statement declaration , how rid of it? edit: i'm new scala... according this question seems can't put val outside of methods or classes, right? code above directly in packge. right approach slick then? should move code in class or trait? according this changed val robs = tablequery[robs] to object robs extends tablequery(new robs(_)) {} . no warnings or errors anymore. :)
Read more