Manual OAuth 2.0 #16
Manual OAuth 2.0 #16
Conversation
…, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
|
Note, we've also been exploring using auth.js https://github.com/signalwire/call-fabric-client-beta/compare/joao/use_auth_js?expand=1 for the example/reference, maybe we want to show it more than rely on the lib, I dunno? |
| params.append('redirect_uri', process.env.OAUTH_REDIRECT_URI); | ||
| params.append('code_verifier', req.session.verifier); | ||
|
|
||
| const response = await fetch(process.env.OAUTH_TOKEN_URI, { |
There was a problem hiding this comment.
We have axios installed as well. I think for consistency, we should stick to one. Maybe we can remove the axios.
There was a problem hiding this comment.
Yeah, seeing that auth.js relies on fetch made we wonder why we use axios still, I can convert the other method and remove axios if we think removing it is fine.
IMO, The we need to choose the implementation based on this question. What is the audience for this app? If internal only, I think I like the manual approach better. if it's some thing to share with clients too, I'll prefer the Auth.js solution. The reasoning behind it is that as a reference for clients we should aim to define the best practices, and in my experience security/auth best practices is alway to use a well-known open-source implementation. Other wise we need to always stay on top of possible security issues with our implementation. |
Co-authored-by: Ammar Ansari <[email protected]>
Co-authored-by: Ammar Ansari <[email protected]>
|
Good points, this is public and will be likely shared with clients I think. That said, the oauth standard makes the client implementation fairly straightforward, it's not a custom auth scheme. We can start with this maybe and then continue to explore auth.js more? |
Implement the OAuth flow manually since the
client-oauth2library doesn't support PKCE for OAuth 2.0