Returns JWT token to javascript SPA from oauth login

I am developing a JavaScript SPA in Vue.js that will eventually become a Cordova application, and also an API backend built with skylight.

I am trying to provide a login using Facebook and Google. I added the Laravel social media package and created a redirect and a callback route. I created a page in my SPA with login buttons that redirect to my API, and the user is then redirected to Facebook. The callback route handler of the OAuth login mechanism looks something like this:

public function handleProviderCallback($provider)
{
  // stateless(): the API keeps no session, so Socialite does not verify the OAuth "state" parameter here
  $oauthUser = $this->socialiteManager->with($provider)->stateless()->user();

  // Find the local user for this OAuth identity, or create one
  $userEntity = $this->repository->findOrCreateOauthUser($oauthUser);

  // Look up the provider (facebook, google, ...) by name
  $providerEntity = app()
    ->make('em')
    ->getRepository('Entities\Social\Provider')
    ->findOneBy(['name' => $provider]);

  if (is_null($providerEntity))
  {
    throw new \Exception('Oauth Provider not found');
  }

  // Link the provider account to the local user
  $socialAccountEntity = app()
    ->make('em')
    ->getRepository('Entities\Social\SocialAccount')
    ->findOrCreateSocialAccount($providerEntity, $oauthUser, $userEntity);

  // Issue a JWT for the local user
  $token = $this->auth->fromUser($userEntity);

  // Serialize the token and return it as JSON; the browser is still on the API at this point
  $resource = $this->item($token)
      ->transformWith($this->transformer)
      ->serializeWith(new ArraySerialization())
      ->toArray();

  return $this->showResponse($resource);
}

It basically gets the OAuth user, finds or stores it in the database, finds or stores information about their social account, and then

$token = $this->auth->fromUser($userEntity);

authenticates them by issuing a JWT token, which is then serialized and returned as a JSON response.

The problem is that this response is returned while still on the backend application; I never get back to the JavaScript SPA.

Instead of returning JSON, I could do a redirect like

return redirect()->to('/some-spa-callback-route');

But does the API need to know the location of the SPA? And how would that work when migrating the SPA to Cordova, since the mobile app won't have a URL?

I think that either:

a) the social provider must redirect directly to the SPA, after which the SPA must make another request, exchanging the authorization code for a JWT token;

b) the API redirects to the SPA with a query string containing the token, which does not appear to be safe;

or c) the API sends some type of cookie back.

And I still don't understand how my API could actually redirect to a mobile app.

+5




2 answers


Eventually I ended up with the following login flow:

1. The user is sent to the OAuth provider.
2. The OAuth provider returns an access token to the client.
3. The client sends the access token to my API.
4. My API sends a renewal request to the OAuth provider.
5. The OAuth provider checks the token and returns a new one to my API.
6. My API exchanges the access token for a JWT token.
7. My API returns the JWT token to the client.



In my opinion this is the only correct way to authenticate SPA apps. It is important to renew the OAuth token that the client provides rather than blindly exchange it for a JWT, as you cannot trust the client, and it is better than issuing redirects from the API, which is not very nice.

+3




Instead of dealing with two services, your SPA should talk to one authentication service in your backend. You register your service as the OAuth callback and handle OAuth / JWT as you described. Your authentication service can also be the decision point for re-authenticating users. Since your frontend talks directly to your server, you can return the JSON payload back to your web / mobile subscriber.



0


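The flow both answers describe (the client brings the provider's access token to the API, the API confirms it with the provider before issuing its own JWT, and the JWT comes back in the JSON body instead of a redirect) as an added PHP example. This is not code from the question's project or from either answer: it is framework-free so it runs offline, the callables verifyWithProvider and findOrCreateUser are hypothetical stand-ins for the provider's token-introspection call and the question's repository, the user table and provider tokens are constructed, and 'my-client-id' and the HS256 secret are placeholders.

```php
<?php
// Added example (not code from the question or either answer): the "exchange"
// endpoint from the first answer's flow, written framework-free so it runs offline.
// Assumptions (all hypothetical): the SPA POSTs {"provider": ..., "access_token": ...},
// $verifyWithProvider stands in for the provider's token-introspection call, and
// the HS256 secret and the client id 'my-client-id' are placeholders.
declare(strict_types=1);

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Mint a compact HS256 JWT for the local user (a JWT library would normally do this;
// spelled out here only to keep the example self-contained).
function issueJwt(array $claims, string $secret): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64UrlEncode(json_encode($claims));
    $sig     = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Steps 3-7 of the first answer: the client hands us the provider access token, we ask
// the provider whether it is genuine and meant for our app, then issue our own JWT.
function exchangeProviderToken(
    array $request,
    callable $verifyWithProvider,
    callable $findOrCreateUser,
    string $jwtSecret,
    int $now
): array {
    $provider    = $request['provider'] ?? '';
    $accessToken = $request['access_token'] ?? '';
    if (!in_array($provider, ['facebook', 'google'], true) || $accessToken === '') {
        return ['status' => 400, 'body' => ['error' => 'provider and access_token are required']];
    }

    // Never trust the token the client sends: confirm it with the provider first.
    $profile = $verifyWithProvider($provider, $accessToken);
    if ($profile === null) {
        return ['status' => 401, 'body' => ['error' => 'provider rejected the access token']];
    }

    $user = $findOrCreateUser($provider, $profile);
    $jwt  = issueJwt([
        'iss' => 'my-api',
        'sub' => (string) $user['id'],
        'iat' => $now,
        'exp' => $now + 3600, // short-lived; the SPA re-exchanges or refreshes later
    ], $jwtSecret);

    // Returned in the JSON body, not in a redirect query string, so it does not end up
    // in browser history, Referer headers or access logs.
    return ['status' => 200, 'body' => ['token' => $jwt, 'token_type' => 'Bearer']];
}

// --- constructed stand-ins so the example runs without network or database ---

// Simulates the provider's introspection endpoint (Facebook's /debug_token or Google's
// tokeninfo). A real implementation makes an HTTPS call here; the 'aud' check below is
// what stops a token issued to some other app from being accepted by ours.
$knownProviderTokens = [
    'google' => [
        'tok-alice'   => ['sub' => '1001', 'email' => 'alice@example.com', 'aud' => 'my-client-id'],
        'tok-foreign' => ['sub' => '2002', 'email' => 'bob@example.com',   'aud' => 'other-app'],
    ],
];
$verifyWithProvider = function (string $provider, string $token) use ($knownProviderTokens): ?array {
    $info = $knownProviderTokens[$provider][$token] ?? null;
    if ($info === null || $info['aud'] !== 'my-client-id') {
        return null;
    }
    return $info;
};

// In-memory replacement for the question's findOrCreateOauthUser(), keyed by provider + provider user id.
$users = [];
$findOrCreateUser = function (string $provider, array $profile) use (&$users): array {
    $key = $provider . ':' . $profile['sub'];
    if (!isset($users[$key])) {
        $users[$key] = ['id' => count($users) + 1, 'email' => $profile['email']];
    }
    return $users[$key];
};

$secret = 'placeholder-secret-use-a-random-256-bit-key'; // placeholder, never hard-code in real code
foreach (['tok-alice', 'tok-foreign', 'tok-unknown'] as $t) {
    $resp = exchangeProviderToken(
        ['provider' => 'google', 'access_token' => $t],
        $verifyWithProvider, $findOrCreateUser, $secret, time()
    );
    echo $t, ' -> ', $resp['status'], ' ', json_encode($resp['body']), PHP_EOL;
}
```

Run it with `php exchange.php`: tok-alice gets a 200 with a JWT, tok-foreign (valid at the provider but issued for a different app) and tok-unknown both get 401. In a real Laravel/Lumen controller the two callables become the HTTPS call to the provider's introspection endpoint and the repository call from the question, and the JWT would be minted by the same `$this->auth->fromUser()` the question already uses; the point of the example is only that the API checks the client-supplied token with the provider, including which app it was issued to, before trusting it, and that it needs no knowledge of the SPA's or mobile app's URL.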






