-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add oauth docs #847
base: master
Are you sure you want to change the base?
Add oauth docs #847
Conversation
✅ Deploy Preview for admiring-bhabha-7b1be9 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
9cb4848
to
9308ff6
Compare
v2/oauth/introduction.mdx
Outdated
|
||
For these specific instances we expose recipes that allow you to complete your setup. | ||
|
||
:::info |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:::info | |
:::caution |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved
v2/oauth/introduction.mdx
Outdated
|
||
Also, the feature at the moment is supported just by the following **SDKs**: | ||
- `supertokens-node` | ||
- `supertokens-auth-react` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `supertokens-auth-react` | |
- All of our frontend SDKs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved
v2/oauth/introduction.mdx
Outdated
The **Resource Owner** is an entity capable of granting access to a protected resource. | ||
When the resource owner is a person, it is referred to as an **end-user**. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its still not really clear what this means (at least for me). Maybe give more examples?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could say that this is usually the end user who is using a browser or a mobile app. It's an important distinction that this is not the app/browser/SPA
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolved
v2/oauth/introduction.mdx
Outdated
|
||
#### Resource Server | ||
|
||
The server hosting the protected resources, capable of accepting and responding to protected resource requests using **Access Tokens**. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is a protected resource? Maybe give more examples?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could give the example of downloading a file or a chat log.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolved
v2/oauth/introduction.mdx
Outdated
|
||
#### Access Token | ||
|
||
A token issued by the [**Authorization Server**](/#authorization-server), that then gets passed by the [**Client**](/#client) to the [**Resource Server**](/#resource-server) to gain access to protected resources. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe here we should make it clear that with supertokens, there are two types of access tokens:
- SuperTokens session access token
- OAuth access token
And that in the docs, whenever we say just access token, we mean supertokens session access token, and whenever we say oauth access token its the other one. We should also state what these are here maybe
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same thing goes for refresh token below
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the SuperTokens session access token
actually used in the OAuth recipe flows? Or do users need to use the actual OAuth tokens?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oauth recipe flows uses oauth access token only. A user's application API can use either supertokens session access token or oauth access token. Other recipes like email verificaiton, totp, user roles etc (all non oauth recipes) use supertokens session access token only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved
import BackendSDKTabs from "/src/components/tabs/BackendSDKTabs" | ||
|
||
|
||
# Reuse website login for desktop and mobile apps |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure how this page is helpful. The flow for mobile / desktop is very different compared to web apps from the point of view of which lib to use, how to use that lib etc. Once again, we will have to find example tutorial for mobile / desktop apps and link to those, and then add additional comments explaining to users how that tutorial would change in the context of supertokens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should expand this and provide more concrete guidance on how to achieve this, but the main point of this (i.e.: you are re-using web sign-in for mobile) is correct.
// You will have to initialize the OAuth2Client recipe | ||
// for each of your previously created clients | ||
OAuth2Client.init({ | ||
clientId: '<CLIENT_ID>', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
users will have multiple clients, so they need to be added here in an array?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will have to be updated for the current version types, I think we still had a single clientId/secret pair when @bcbogdan was writing it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved
// for each of your previously created clients | ||
OAuth2Client.init({ | ||
clientId: '<CLIENT_ID>', | ||
oidcDiscoveryEndpoint: 'https://<AUTHENTICATION_SERVICE_DOMAIN>/.well-known/openid-configuration' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oidcDiscoveryEndpoint: 'https://<AUTHENTICATION_SERVICE_DOMAIN>/.well-known/openid-configuration' | |
oidcDiscoveryEndpoint: 'https://<YOUR_API_DOMAIN>/.well-known/openid-configuration' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also, is the path correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, it is: {api_domain}/{base_path/.well-known/openid-configuration
|
||
</BackendSDKTabs> | ||
|
||
## 3. Initialize the recipe on the Frontend Applications |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It needs to be very clear that this goes in the oauth provider frontend.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved
</TabItem> | ||
|
||
</BackendSDKTabs> | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing step of initing the oauthprovider recipe in the oauth provider frontend application.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can extract the part of setting up the OAuth provider as its own page. So after the Introduction section, you can have a page (before the use cases section) that says "Setting up OAuth provider" which talks about initing oauthprovider on the backend and frontend of the auth server, and talking about that there. So that the use cases only focus on the clients and dont have to talk about oauth provider setup again and again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more missing part here is that there is no custom UI docs for how to setup an oauth provider with a custom UI instead of using our pre built ui
General TODO
AppInfoForm
andCoreInjector
in every code snippets that show urlsBackendSDKTabs
) that allows more languagesCode Samples/Instructions @porcellus
create client
API Response shape