When using an access token for authentication purposes, you need to take special care and double check that the access token really originated from your app. Otherwise, it becomes possible for some evil party to harvest access tokens on an unrelated site and use those to log in to yours. Have a look at the Facebook provider. It supports both. Unfortunately, this is custom logic, to be implemented per provider. Would be happy to receive a pull request, provided a similar check is done.
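The check the maintainer asks for, as an added example that is not code from this thread or from the project being discussed: an introspected Google access token is accepted only when its `aud` is one of our own OAuth client IDs, so a token harvested from an unrelated site is rejected even though the provider considers it valid. The tokeninfo field names and the placeholder client IDs are assumptions; the HTTP call is left out so the example runs offline on constructed responses.

```python
"""Audience check for an access token handed in by a client-side SDK.
Added example, not code from this thread or the project it discusses.
Assumption: the token was introspected first (Google's tokeninfo endpoint
returns JSON with `aud`, `azp`, `exp`, `scope`, `email`, `email_verified`;
Facebook's debug_token exposes the equivalent of `aud` as `data.app_id`).
The HTTP call is omitted so this runs offline on constructed responses."""
import time


class TokenNotForThisApp(ValueError):
    """Token is valid somewhere, but was issued to a different OAuth client."""


def verify_access_token(tokeninfo: dict, allowed_client_ids: set, now=None) -> dict:
    """Return tokeninfo only if the token was minted for one of *our* client IDs.
    A token harvested from an unrelated site carries that site's client ID in
    `aud`; checking only that the token is "valid" would let its holder log in
    here as the token's subject."""
    now = time.time() if now is None else now
    if "error" in tokeninfo:
        raise ValueError("introspection failed: %s" % tokeninfo["error"])
    if tokeninfo.get("aud") not in allowed_client_ids:
        raise TokenNotForThisApp("aud %r is not one of ours" % tokeninfo.get("aud"))
    if int(tokeninfo.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # Only use the e-mail for account lookup when the provider vouches for it.
    if "email" in tokeninfo and str(tokeninfo.get("email_verified")).lower() != "true":
        raise ValueError("e-mail not verified by provider")
    return tokeninfo


def is_token_for_this_app(tokeninfo: dict, allowed_client_ids: set, now=None) -> bool:
    # Boolean form: what a verify_token override accepting access_token would branch on.
    try:
        verify_access_token(tokeninfo, allowed_client_ids, now)
        return True
    except ValueError:
        return False


# Constructed sample data (placeholder IDs, not real credentials).
OUR_CLIENT_IDS = {"111111-ourapp.apps.googleusercontent.com"}
_BASE = {"sub": "10769150350006150715113082367", "scope": "openid email",
         "exp": "1700000600", "email": "user@example.com", "email_verified": "true"}
GOOD_TOKENINFO = {**_BASE, "aud": "111111-ourapp.apps.googleusercontent.com"}
# Same shape, but issued to another site's client: the case the maintainer warns about.
HARVESTED_TOKENINFO = {**_BASE, "aud": "222222-othersite.apps.googleusercontent.com"}

if __name__ == "__main__":
    print(is_token_for_this_app(GOOD_TOKENINFO, OUR_CLIENT_IDS, now=1700000000))       # True
    print(is_token_for_this_app(HARVESTED_TOKENINFO, OUR_CLIENT_IDS, now=1700000000))  # False
```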
Auth providers who provide mobile/frontend SDKs sometimes give you a client-side API that returns an `access_token`, essentially skipping the normal OAuth2-based "code" redirect flow. The headless API currently doesn't support this.

For a client of mine that's only using Google I have implemented it by replacing the original provider with a subclass that also accepts the `access_token` parameter in the `verify_token` method, but I feel like it might be a good candidate to discuss a way to do this generically across all providers? For reference, this is the current way I'm doing it:
I'd love for you to come up with a clean way of implementing this across all providers, but in the meantime if you're open to the above code I'm more than happy to submit a PR to include this in the existing Google provider at the very least.