SimplicityMobile/Simplicity

Create a companion server that handles authorization_code flows

edjiang opened this issue · 9 comments

We can't implement Twitter, GitHub, LinkedIn, Slack, or other login types because we can't do authorization_code grants without a client secret. Client secrets are fundamentally insecure on mobile clients, so we need to create a companion server to help with the authentication request.

Do you see the server being one, single server that manages everyone's tokens? Or a separate codebase that developers could stand up on their own? If the latter, what language do you think you will be implementing the server in?

I definitely want to do both, but I haven't planned exactly the approach I'd be taking.

If it's self-hosted, that reduces complexity of writing code but may be less convenient to use. If it's hosted, it'd be more convenient to use but it'll be more work to write, and open-sourcing it would be less useful since there'd be more work to get it set up.

I'd love to hear your thoughts though -- what would you find more useful?

I'll be writing it in Node.js.

@edjiang Why don't you make client secret parameter optional? For those who want to take the risk?

@onmyway133 so, I looked at it a bit more and realized that client_secret actually isn't required as per the OAuth spec for the Authorization Code grant type, so what I'm going to do is:

  1. Implement the authorization_code grant type as per spec.
  2. Keep it extensible so people can implement it with the client_secret if they want to.
  3. Get the server-side component out asap, and make it hosted!

As an update: work on Implicity, the server-side component to Simplicity, has started!

I'm going to be at WWDC / Altconf festivities over the next week, so not sure what velocity I'll be getting, but @saimaddali will be joining me to help build out Implicity!

https://github.com/SimplicityMobile/Implicity

How is it going? I would love to see Twitter supported by your Lib.

Unfortunately, I've been working on a lot of other stuff recently, so I don't think this will get done in the near future :(

+1