Currently the identity provider will work as intended on the JSON, but the Ueberauth provider flow has a few sticking points, related to this discussion.
In my testing I'm able to properly implement the OAuth flow, and redirect the user back to the single page application, the current intended use case, but then getting a Guardian token down to the client securely is proving problematic. Currently it looks like the best way to handle this would be either by using the session, or by appending it to the URL, the latter seeming like a very bad idea, and the former seeming a bit difficult for the API user.
Currently, due to constraints in Ueberauth (referenced in the above discussion), this also will not handle a mobile app authenticating using, for example, Google and attempting to pass the token back to the server. It looks like the better way to handle this use case may be to use another OAuth library in tandem to authenticate using a token gathered by the client OAuth flow to generate a Guardian token.
Currently open to advice and suggestions, as I feel I may be missing something obvious here.
Based on the current constraints I'm thinking the best course of action will be to implement a SPA redirect that stores the token in the session, where the client can then retrieve it for usage.
Just thinking out loud, but maybe you could offer some sort of redemption token that can be exchanged for the real token? Without properly thinking the flow through, it might be one more API call for a client without a session.
Yeah, that's the way the flow traditionally goes, just based on my last check (admittedly a while ago), Ueberauth's sub-libraries don't support this flow.
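The redemption-token exchange suggested in the comments above, as an added example that is not part of the original thread or the project's code: the OAuth callback stores the real token server-side and hands the client a short-lived, single-use code, which the client then trades for the token in one API call. `RedemptionCodes`, `issue/3`, `redeem/3`, the 60-second lifetime and the token string are hypothetical or constructed; nothing here calls Guardian or Ueberauth.

```elixir
# Added example: single-use redemption codes. All names are hypothetical.
defmodule RedemptionCodes do
  @ttl_seconds 60  # assumed lifetime; keep it as short as the redirect allows

  # In-memory store for the sketch; a multi-node API needs a shared store.
  def start_link, do: Agent.start_link(fn -> %{} end)

  # Called in the OAuth callback. The returned code, not the real token,
  # is what travels to the client (for instance in the redirect).
  def issue(store, real_token, now \\ System.system_time(:second)) do
    code = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
    entry = {real_token, now + @ttl_seconds}
    Agent.update(store, &Map.put(&1, digest(code), entry))
    code
  end

  # Called by the client's follow-up API request. Map.pop/2 removes the
  # entry inside the same Agent call, so a replayed code cannot succeed.
  def redeem(store, code, now \\ System.system_time(:second)) do
    key = digest(code)

    case Agent.get_and_update(store, &Map.pop(&1, key)) do
      {token, expires_at} when now <= expires_at -> {:ok, token}
      {_token, _expires_at} -> {:error, :expired}
      nil -> {:error, :invalid}
    end
  end

  # Only the SHA-256 of the code is stored, so a dump of the store
  # does not reveal codes that could still be redeemed.
  defp digest(code), do: :crypto.hash(:sha256, code)
end

# Constructed walk-through with fixed clock values (seconds).
{:ok, store} = RedemptionCodes.start_link()
token = "constructed.guardian.token"

code = RedemptionCodes.issue(store, token, 1_000)
{:ok, ^token} = RedemptionCodes.redeem(store, code, 1_030)          # within TTL
{:error, :invalid} = RedemptionCodes.redeem(store, code, 1_031)     # replay

late = RedemptionCodes.issue(store, token, 1_000)
{:error, :expired} = RedemptionCodes.redeem(store, late, 1_061)     # past TTL
{:error, :invalid} = RedemptionCodes.redeem(store, "guessed", 1_000)
```

Codes that are issued but never redeemed stay in the map in this sketch, so a real store also needs periodic expiry of old entries.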