Add oauth docs #847
Add oauth docs #847
Conversation
✅ Deploy Preview for admiring-bhabha-7b1be9 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
bcbogdan
force-pushed
the
feat/oauth
branch
from
9cb4848
to
9308ff6
Compare
v2/oauth/introduction.mdx
Outdated
|
|
||
| For these specific instances we expose recipes that allow you to complete your setup. | ||
|
|
||
| :::info |
There was a problem hiding this comment.
| :::info | |
| :::caution |
v2/oauth/introduction.mdx
Outdated
|
|
||
| Also, the feature at the moment is supported just by the following **SDKs**: | ||
| - `supertokens-node` | ||
| - `supertokens-auth-react` |
There was a problem hiding this comment.
| - `supertokens-auth-react` | |
| - All of our frontend SDKs |
v2/oauth/introduction.mdx
Outdated
| The **Resource Owner** is an entity capable of granting access to a protected resource. | ||
| When the resource owner is a person, it is referred to as an **end-user**. |
There was a problem hiding this comment.
Its still not really clear what this means (at least for me). Maybe give more examples?
There was a problem hiding this comment.
We could say that this is usually the end user who is using a browser or a mobile app. It's an important distinction that this is not the app/browser/SPA
v2/oauth/introduction.mdx
Outdated
|
|
||
| #### Resource Server | ||
|
|
||
| The server hosting the protected resources, capable of accepting and responding to protected resource requests using **Access Tokens**. |
There was a problem hiding this comment.
What is a protected resource? Maybe give more examples?
There was a problem hiding this comment.
We could give the example of downloading a file or a chat log.
v2/oauth/introduction.mdx
Outdated
|
|
||
| #### Access Token | ||
|
|
||
| A token issued by the [**Authorization Server**](/#authorization-server), that then gets passed by the [**Client**](/#client) to the [**Resource Server**](/#resource-server) to gain access to protected resources. |
There was a problem hiding this comment.
Maybe here we should make it clear that with supertokens, there are two types of access tokens:
- SuperTokens session access token
- OAuth access token
And that in the docs, whenever we say just access token, we mean supertokens session access token, and whenever we say oauth access token its the other one. We should also state what these are here maybe
There was a problem hiding this comment.
Same thing goes for refresh token below
There was a problem hiding this comment.
Is the SuperTokens session access token actually used in the OAuth recipe flows? Or do users need to use the actual OAuth tokens?
There was a problem hiding this comment.
Oauth recipe flows uses oauth access token only. A user's application API can use either supertokens session access token or oauth access token. Other recipes like email verificaiton, totp, user roles etc (all non oauth recipes) use supertokens session access token only.
| import BackendSDKTabs from "/src/components/tabs/BackendSDKTabs" | ||
|
|
||
|
|
||
| # Reuse website login for desktop and mobile apps |
There was a problem hiding this comment.
Not sure how this page is helpful. The flow for mobile / desktop is very different compared to web apps from the point of view of which lib to use, how to use that lib etc. Once again, we will have to find example tutorial for mobile / desktop apps and link to those, and then add additional comments explaining to users how that tutorial would change in the context of supertokens.
There was a problem hiding this comment.
I think we should expand this and provide more concrete guidance on how to achieve this, but the main point of this (i.e.: you are re-using web sign-in for mobile) is correct.
| // You will have to initialize the OAuth2Client recipe | ||
| // for each of your previously created clients | ||
| OAuth2Client.init({ | ||
| clientId: '<CLIENT_ID>', |
There was a problem hiding this comment.
users will have multiple clients, so they need to be added here in an array?
There was a problem hiding this comment.
This will have to be updated for the current version types, I think we still had a single clientId/secret pair when @bcbogdan was writing it.
| // for each of your previously created clients | ||
| OAuth2Client.init({ | ||
| clientId: '<CLIENT_ID>', | ||
| oidcDiscoveryEndpoint: 'https://<AUTHENTICATION_SERVICE_DOMAIN>/.well-known/openid-configuration' |
There was a problem hiding this comment.
| oidcDiscoveryEndpoint: 'https://<AUTHENTICATION_SERVICE_DOMAIN>/.well-known/openid-configuration' | |
| oidcDiscoveryEndpoint: 'https://<YOUR_API_DOMAIN>/.well-known/openid-configuration' |
There was a problem hiding this comment.
also, is the path correct?
There was a problem hiding this comment.
no, it is: {api_domain}/{base_path/.well-known/openid-configuration
|
|
||
| </BackendSDKTabs> | ||
|
|
||
| ## 3. Initialize the recipe on the Frontend Applications |
There was a problem hiding this comment.
It needs to be very clear that this goes in the oauth provider frontend.
| </TabItem> | ||
|
|
||
| </BackendSDKTabs> | ||
|
|
There was a problem hiding this comment.
missing step of initing the oauthprovider recipe in the oauth provider frontend application.
There was a problem hiding this comment.
I think you can extract the part of setting up the OAuth provider as its own page. So after the Introduction section, you can have a page (before the use cases section) that says "Setting up OAuth provider" which talks about initing oauthprovider on the backend and frontend of the auth server, and talking about that there. So that the use cases only focus on the clients and dont have to talk about oauth provider setup again and again.
There was a problem hiding this comment.
One more missing part here is that there is no custom UI docs for how to setup an oauth provider with a custom UI instead of using our pre built ui
General TODO
AppInfoFormandCoreInjectorin every code snippets that show urlsBackendSDKTabs) that allows more languagesCode Samples/Instructions @porcellus
create clientAPI Response shape