# Reciprocal OAuth2 authorization explainer

Will Murphy edited this page May 26, 2021 · 5 revisions
In Immers Space, each immer serves as both an OAuth2 authorization server and an OAuth2 client. When users log into the same immer their account is registered on (their "home immer"), that local immer serves as both the client and the authorization server. When a user visits a different immer, that destination immer acts as a client to the user's home immer's authorization server in order to connect with their account, fetch their avatar, and post updates.

It can get pretty mind bending, so here's an explainer of the flow, which currently uses the implicit grant pattern.
## At home

- User arrives in a room
- Login popup points to the immer's authorization endpoint (`/auth/authorize`) to request an access token, with `redirect_uri` set to return to the room and the immer's own `client_id`
- Request redirected to immer login (`/auth/login`)
- User enters their Immers Space handle
- Recognized as a local account, prompt for password
- Return to authorization endpoint (`/auth/authorize`)
- Authorization granted automatically because client and server are the same
- Redirect to `redirect_uri` to return to the room with the access token
## Abroad

- User arrives in a room in the destination immer
- Login popup points to the destination immer's authorization endpoint (`destination.com/auth/authorize`) to request an access token, with `redirect_uri` set to return to the room and the destination immer's `client_id`
- Redirected to destination immer login (`destination.com/auth/login`)
- User enters their Immers Space handle
- Recognized as a remote account, redirect to the home immer's authorization endpoint (`home.com/auth/authorize`) with the original `redirect_uri` and the destination immer's `client_id`
- Redirect interrupted with a redirect to home immer login (`home.com/auth/login`)
- Recognized as a local account, prompt for password
- Resume redirect to the home immer's authorization endpoint (`home.com/auth/authorize`)
- Authorization grant dialog for the destination immer to access the account
- Redirect to `redirect_uri` to return to the destination immer with an access token for the home immer