DEV Community

Leny for BeCode

Posted on • Edited on

Introducing Oto, the man in the middle.

☝️ NOTE: this article is an revised version of one of my previous article on Medium.


As a developer, I love to use APIs.

Moreover, I love to use others’ APIs, and integrate them in my apps.

Like getting stuffs from GitHub, LinkedIN, allowing my users to see their data in my tools.

But I don’t want to ask my users their credentials for these services (and they wouldn’t probably give them!).

So, I have to use the OAuth2 protocol.

OAuth2 is a tool used by services to allow third-party apps’ developers (like me! I’m a third-party developer! Woot!) to access the services’ data of users, with their approval.

I will not describe OAuth2 in depth, but here’s the big picture: when you create an app, you need to register it on the service you want to use the API.

They will give you two important things: a public access id, which is not secret and can be stored in your code ; and a private access key, which is, huh, secret, and can’t be shared.

When one of your user needs to use the API in your app, they will be redirected on a login page outside your site, on the original service (the login page of GitHub, for instance). The user log himself, and the service redirect him on your app, with a unique code.

Then, your app will contact the service, with the unique code, your public access id and your private access key. The service know that everything’s okay, and will respond you with a token, that you will use for any request to the API.

And that’s all. It sounds complicated, but it’s quite easy.


But there’s a small problem: OAuth2 is not really designed to be used on client-side only apps, like SPA.

As I said, the private access key needs to stay… huh, private.

So… we need a server. But we don’t really want one, since we would like to have static apps.

That’s a tough one.

But what if I told you we can have a server… without a server?

We can use a serverless platform, like AWS Lambda: it’s basically a simple piece of code (a function), bound to an URL, that will be executed when the URL is touched. Simple as f*%.

And then, we can have a small piece of code that will know our private access key for OAuth2, and will make the last step of the challenge.
Let me introduce you oto, the man in the middle, the little piece of code to run that.

For now, it supports GitHub & LinkedIn, but I will add more services in the future.
You can run it locally, or simple use the serverless framework to deploy it on your AWS account.

And, last but not least, its able to handle multiple services and keys at once, simplifying your workflow!

Top comments (0)