I read on the Internetz that it's some kind of a protocol for authorization.
You can use it to give people access to your data without giving them the password to that data!
In 2005 Blaine Cook and Chris Messina were unhappy with OpenID, so they started to work on Yadis (yet-another-distributed-identity-system)
Blaine Cook
Chris Messina
Eran Hammer worked on the OAuth 2.0 specification before he suddenly quit for many reasons.
Eran Hammer
I read on the Internetz that it's some kind of a protocol for authentication.
OpenID is an authentication protocol.
OAuth is the authorization protocol.
That's pretty simple, huh!
It's actually not that simple, but do you even care?
response_type | ask from user |
client_id | ask from user |
redirect_uri | ask from user |
scope | ask from user |
state | generate |
nonce* | generate |
prompt* | depends on request |
const crypto = window.crypto || window.msCrypto;
const array = new Uint32Array(5);
const randomValues = crypto.getRandomValues(array);
let base36RandomValue = '';
for (let i = 0; i < randomValues.length; i += 1) {
base36RandomValue += randomValues[i].toString(36);
}
return base36RandomValue;
Option | Decision | Reason |
---|---|---|
XMLHttpRequest | NO | unable to catch 302 |
FetchAPI | NO | unable to catch 302 |
iframe | Not really | styling and UX issues |
pop-up | Maybe | UX and IE11 bug |
hard redirect | YES | the only acceptable option |
Storage | Decision | Reason |
---|---|---|
session storage | NO | new tabs lose access to the token |
cookies | Maybe | CSRF possibilities |
local storage | YES | XSS-vulnerable, but risk is acceptable |
websql | NO | no universal support |
Option | Decision | Reason |
---|---|---|
XMLHttpRequest | NO | unable to catch 302 |
FetchAPI | NO | unable to catch 302 |
iframe | YES | the only acceptable option |
pop-up | NO | UX and IE11 bug |
hard redirect | NO | hard redirect is visible |
connect.signIn();
People love convenience. They all specify their app's homepage as the redirect_uri which makes the library more complex.
myapp.com
auth endpoint
connect.signIn();
myapp.com
redirect to
redirect to
execute script
execute script
auth endpoint
redirect to
import {connect} from './connect';
fetch('https://api/users', {
method: 'GET',
headers: new Headers({
Authorization: connect.getAuthHttpHeader()
// "Bearer dbl1h9t1g3z0rbctal812"
})
});
Didn't want to hi-jack the XMLHttpRequest API,
so it's all manual...
import {Connect, ConnectProvider} from 'connect-angular1';
import {connect} from './connect';
angular.module('app', [Connect])
.config((connectProvider: ConnectProvider) => {
connectProvider.use(connect);
});
AngularJS is easy thanks to interceptors,
although there are caveats...
import {NgModule} from '@angular/core';
import {ConnectModule} from 'connect-angular';
import {connect} from './connect';
@NgModule({
imports: [ConnectModule.forRoot(connect)]
})
export class AppModule {}
Interceptors in Angular do not exist.
The HTTP class is extended instead.
People are really stupid. They manage to figure out where the access_token is stored (localStorage) even if it is not documented. Then they parse it, prefix with "Bearer", add to query params, send to their API...
And then
they complain
to support...
Existing solutions work from the inside of the bootstrapped framework, allowing it to render content before redirecting.
We have researched:
if (typeof window.stop === 'function') {
window.stop();
} else if (typeof document.execCommand === 'function') {
window.document.execCommand('Stop');
}
Unfortunately this is problematic because it causes a bug in Chrome where some assets disappear completely.
And to all the guinea pigs beta testers.