OAuth Simplified

simo on December 10, 2018

We often need to implement some sort of login functionality in our web apps, or authorize our app to access the user's data programmatically. Hist...
 
Pascal Schilp

This looks very promising, adding authentication to my side projects is always the biggest hurdle and a lot of the passport options seem outdated. Hopefully this is as plug and play as it looks.

Is there source code for the example app that you posted? I saw a couple of demos in the repo, but I didn't specifically see the source code for the example app you posted. (this one: grant.outofindex.com)

Thanks for sharing!

simo • Edited

Hi, Pascal, the actual source code of the example app isn't available yet, but there is really not much into it. Actually the info on the index page of the app (grant.outofindex.com) outlines just about everything.

Here is the example you are looking for: github.com/simov/grant/tree/master...

If you inspect the example app you'll see that I have exactly that - an HTML form that POSTs to the /connect/[provider] route.

Also you may find this comment useful: github.com/simov/grant/issues/61#i...

Hope that helps.

Pascal Schilp • Edited

The reason I asked is because that issue is from back in 2016, and the explanation at grant.outofindex.com links to GitHub issues and bits of documentation. I would've loved to see the source code of the example app to see it all pieced together. Any chance you could still share it somehow?

simo

My stack consists of NginX and NodeJS+Express on the server, and Mithril in the browser. I also have separate scripts for building the config, as you can imagine there is a lot of configuration for 180 providers with all their scopes, custom fields and so on. It's fairly specific to my taste and needs, and while the code is utterly simple it was never meant to be shared as something like an 'app' that people can look and learn from.

Also what if you want to see a browser side implementation with React? Well, no luck then, I don't have any. And while the info may be a bit scattered across a few examples and sections of the docs - it's actually a fairly trivial task to implement for any web developer.

If you have any specific questions, I'm always ready to help!

simo

Hi, @thepassle, I just published my new article about Grant:

Hopefully this answers a question or two.

Pascal Schilp

Hey! Thanks for getting back to me, I'll be sure to check it out.

Harrison Kugler 🚀🏄

Looks awesome, I am currently building a PWA with sails.js and have been looking into using passport, but this seems like a much more straightforward solution.

Sebastián Duque G

Hi. I'm currently getting the thing about OAuth/2. Grant's purpose is to easily set up OAuth authentication with OAuth2 providers, such as Google, Twitter, Facebook, OpenID, etc. However, what if I want my app itself to be an OAuth2 provider? Does Grant help with this?

simo • Edited

Hi, Sebastian, Grant is an OAuth Client. Have a look at NPM, there should be at least a few good provider implementations.

shixilun

Too bad, I had been hoping for a simplified explanation of OAuth. You still have to send a password for authorization, so I don't see how OAuth is an improvement over that.

simo

When website owners use OAuth for authentication they don't have to deal with storing the user's credentials in their own database. They simply redirect the user to the OAuth provider's website - the password is entered only once and only there.

When app developers use OAuth for perpetual authorization they only send an access token with each and every request, but not the actual password of the user.

In both cases the third party never knows the actual password of the user.
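
As an added illustration of the explanation in the last comment (not part of the thread and not Grant's own code), the sketch below shows the app's side of an OAuth 2.0 flow in Node.js: the redirect it builds, the callback check, and the API request, none of which carries the user's password. The authorization code grant, the provider URLs, the `oauthState` session field and the function names are assumptions made for the example.

```javascript
// Added example; every URL, id and name below is a constructed placeholder.
const nodeCrypto = require('node:crypto')

const provider = {
  authorize_url: 'https://provider.example/oauth/authorize', // constructed
  api_url: 'https://api.provider.example/me', // constructed
}

// Step 1: send the browser to the provider's login page. The app supplies only
// its own identifiers and a random state value bound to the user's session.
function buildAuthorizeRedirect(session, {client_id, redirect_uri, scope}) {
  session.oauthState = nodeCrypto.randomBytes(16).toString('hex')
  const url = new URL(provider.authorize_url)
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id,
    redirect_uri,
    scope: scope.join(' '),
    state: session.oauthState,
  }).toString()
  return url.toString()
}

// Step 2: the provider redirects back with ?code=...&state=...
// Accept the callback only if state matches the value stored for this session.
function readCallback(session, callbackUrl) {
  const params = new URL(callbackUrl).searchParams
  const expected = Buffer.from(session.oauthState || '')
  const got = Buffer.from(params.get('state') || '')
  delete session.oauthState // single use: a replayed callback is rejected
  if (!expected.length || expected.length !== got.length ||
      !nodeCrypto.timingSafeEqual(expected, got)) {
    throw new Error('state mismatch')
  }
  if (params.get('error')) throw new Error('provider error: ' + params.get('error'))
  if (!params.get('code')) throw new Error('missing code')
  return params.get('code') // exchanged server-side for an access token
}

// Step 3: every API call carries the access token, never the password.
function buildApiRequest(access_token) {
  return {
    url: provider.api_url,
    method: 'GET',
    headers: {Authorization: 'Bearer ' + access_token},
  }
}
```

The state check in step 2 is what ties the callback to the session that started the flow; without it, a callback URL crafted by someone else could be fed into the user's session.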