AxeWP/wp-graphql-headless-login

Document how to bind to `next-auth` / `authjs` ?

stephane-segning opened this issue · 3 comments

What problem does this address?

I want my WooCommerce users to connect to my application using NextAuth through my WordPress.

What is your proposed solution?

I used Generic OAuth2 using Auth0. But in development mode it's a nightmare.

What alternatives have you considered?

I want to use the site token, but there's no doc for that.

Additional Context

No response

Thanks for this @stephane-segning. I'm in the process of rewriting the example docs, and plan to add examples both for using the SiteToken and for using NextAuth / AuthJS, and should have them committed to the repo soon.

PS: this issue qualifies for my WPGraphQL Spring Cleaning campaign, where I'm donating dev hours to WPGraphQL projects for every issue/PR opened between now and April 31st. If you're interested, let me know via the link where you want the time donated to.

Interim TL;DR

The SiteToken is basically a passkey that allows you to authenticate as any user. You set the key in the settings, and then pass it in a server-side mutation (so as not to expose it to the users). Due to the security implications, you need to have CORS set to limit unauthorized requests (so if you're testing from localhost, make sure to add it to the allowlist!).

This is perfect for client-side authentication libraries like NextAuth. Basically, you would use one of their providers, and if they successfully authenticate, you'd then send some resource identity (user id, email, whatever) that next-auth gives you to the SiteToken provider, which will match it to the WP user you want.

A more secure approach, but requiring significantly more JS code, would be to create your own next-auth provider (e.g. a Credentials provider for PASSWORD-type logins; you'd await your login mutation in the authorize() callback). But in that case, you might be better served by using a session library like iron-session, instead of an authentication library like next-auth that also happens to handle session management.

If you've got specific implementation questions until I get the docs up, feel free to tag me in the WPGraphQL Slack.
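The SiteToken flow sketched in the comment above (an Auth.js provider authenticates the user, then a server-side mutation exchanges the resulting email for a WPGraphQL auth token), as an added example that is not part of this thread or the plugin's own code. It assumes the plugin's `login` mutation accepts `provider: SITE_TOKEN` with an `identity` argument and reads the site token from an `X-WPGraphQL-Login-Token` request header; the endpoint URL, the environment variable names and the `fetchImpl` parameter are my own constructions.

```javascript
// Added example (not the plugin's own code): exchange an Auth.js identity for a
// WPGraphQL auth token via the SiteToken provider. Server-side only: the site
// token must never reach the browser. Mutation shape, header name and URL are assumptions.
const WPGRAPHQL_URL = process.env.WPGRAPHQL_URL || "https://example.test/graphql";
const SITE_TOKEN_LOGIN = `mutation SiteTokenLogin($identity: String!) {
  login(input: { provider: SITE_TOKEN, identity: $identity }) {
    authToken refreshToken user { id email }
  }
}`;

// Build the login request. Pure, so it can be inspected and tested offline.
function buildSiteTokenLoginRequest(identity, siteToken) {
  if (!identity) throw new Error("identity (e.g. the user's email) is required");
  if (!siteToken) throw new Error("site token is not configured");
  return {
    url: WPGRAPHQL_URL,
    method: "POST",
    // Assumed header read by the SiteToken provider; sent only from the server.
    headers: { "Content-Type": "application/json", "X-WPGraphQL-Login-Token": siteToken },
    body: JSON.stringify({ query: SITE_TOKEN_LOGIN, variables: { identity } }),
  };
}

// Run the mutation; return tokens, or null when WP finds no matching user.
// `fetchImpl` is injectable so the exchange can be tested without a network.
async function exchangeIdentity(identity, siteToken, fetchImpl = fetch) {
  const { url, ...init } = buildSiteTokenLoginRequest(identity, siteToken);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok || json.errors || !json.data?.login?.authToken) return null;
  const { authToken, refreshToken, user } = json.data.login;
  return { authToken, refreshToken, wpUserId: user.id };
}
// Auth.js options: once any provider succeeds, do the exchange in the jwt
// callback (server-side) and expose only the WP auth token to the session.
const authOptions = {
  callbacks: {
    async jwt({ token, user }) {
      if (user?.email) {
        const wp = await exchangeIdentity(user.email, process.env.WPGRAPHQL_SITE_TOKEN);
        if (!wp) throw new Error("no WordPress user matches " + user.email);
        token.wpAuthToken = wp.authToken;
      }
      return token;
    },
    async session({ session, token }) {
      session.wpAuthToken = token.wpAuthToken;
      return session;
    },
  },
};
```

The `authOptions` object is what you would pass to NextAuth from a server-only route; the site token stays in a server environment variable, and the browser only ever sees the resulting WP auth token via the session.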

Hey @stephane-segning @imjilk would love your feedback on #63 if you have the time 🙏
(even if it's already merged by the time you see this - there's always room for improvement!)