Comments (8)
I have a hard time understanding your question and it has been 19 days. But would reading https://developers.facebook.com/docs/facebook-login/access-tokens#architecture help you?
The backend then authenticates (with Bell) that access token and would then return its own token from its own authentication strategy.
But, bell does not generate tokens...
So I only need bell as an authentication strategy that is taking an access_token from the request and authenticates it against my third party provider (facebook) and also gives me the user information and then I can do in my actual route handler whatever I want.
So if you have a long term token, why don't you just go to the graph endpoint of facebook and retrieve your data (or the debug endpoint). If it's not a valid token, it will refuse the request...
from bell.
Hi,
in the meantime I have implemented it myself. I know that Bell does not generate tokens, I would have done that manually. What I wanted to do is authenticate a request with a facebook token against the facebook api. So the "login" route would have had an authentication strategy that just checks if the provided access token is a valid facebook token and then fetches the user for it. I think that this is already part of bell in theory, but somehow not exposed, because most flows are browser based with redirects.
I believe you did it correctly. Bell does not have to cover your entire use case. In this case, OAuth2, to the best of my knowledge, does not specify anything specifically for it. Some standards have been built around it by adding something like token introspection but it's not there.
It only specifies 4 different ways of acquiring a token:
- Implicit flow is for untrusted clients (your browser)
- Authorization Code (which Bell uses) does indeed do it through redirects amongst others.
- Client Credentials and Resource Owner password credentials are for other use cases.
Then, there are refresh tokens which are optional but are used for a different purpose: acquiring an access_token with fewer privileges or exchanging an expired token for a new one.
By the way, in one of my applications I use the implicit code flow with the facebook SDK, and then pass that token to my server and then exchange it to a long lived one and store that. Would be interesting to see what a Bell API would look like to help you do refresh and can it be within the scope of bell...
@ldesplat would it be possible to use the Facebook SDK to retrieve the bearer token from Facebook, and then pass that onto Bell... which would then create a session on the server-side? The redirect strategy doesn't work as well for mobile, where it would be preferable to use the Facebook SDK for this instead.
@bmcmahen next time just create a new issue please. It's so easy to ignore closed ones. You can always link to another issue within your post.
I do the same exact thing in one project. I actually don't use Bell at all, in that project, since I only manage facebook and use their sdk with implicit auth. You just need to exchange that token for a long lived one (pass in the token plus your app's client id and secret and facebook gives you the long lived token). Facebook docs are misbehaving this morning but the link used to be https://developers.facebook.com/docs/facebook-login/access-tokens#extending .
Bell could have a facility for this but very few providers support that and the http call is trivial and I don't see how you can get it wrong security wise.
Then just use something like hapi-auth-cookie, your own version, or yar with some sugar on top.
Thanks @ldesplat - I ended up implementing something similar, using hapi-auth-cookie on the server and verifying the iOS provided token using the Facebook graph api. Cheers, and thanks for the help.
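The two server-side steps the commenters above describe (checking a client-supplied Facebook token against the Graph debug endpoint before trusting it, and exchanging a short-lived token for a long-lived one with the app id and secret), written out as an added example. This is not code from the bell project or from any participant in this thread. It assumes the Graph API's `/debug_token` and `/oauth/access_token` endpoints with their documented parameters (`input_token`, `grant_type=fb_exchange_token`), hapi's auth-scheme interface (`authenticate(request, h)` returning `h.authenticated(...)` or `h.unauthenticated(...)`), and a Node runtime with a global `fetch`; the app id, secret and the sample `/debug_token` response are constructed values.

```javascript
// Added example, not code from the bell project or from any commenter in this thread.
// Assumes the Graph API endpoints /debug_token and /oauth/access_token with their
// documented parameters; ids, secrets and the sample response below are constructed.
const GRAPH = 'https://graph.facebook.com';

// URL for inspecting a client-supplied token. The app access token is "appId|appSecret",
// so this must only ever be built and sent server-side.
function buildDebugTokenUrl(inputToken, appId, appSecret) {
  const u = new URL(`${GRAPH}/debug_token`);
  u.searchParams.set('input_token', inputToken);
  u.searchParams.set('access_token', `${appId}|${appSecret}`);
  return u.toString();
}

// URL for exchanging a short-lived user token for a long-lived one (the "extending" step).
function buildExchangeUrl(shortLivedToken, appId, appSecret) {
  const u = new URL(`${GRAPH}/oauth/access_token`);
  u.searchParams.set('grant_type', 'fb_exchange_token');
  u.searchParams.set('client_id', appId);
  u.searchParams.set('client_secret', appSecret);
  u.searchParams.set('fb_exchange_token', shortLivedToken);
  return u.toString();
}

// Decide whether a /debug_token response proves the token is usable for *this* app.
// Returns { ok: true, userId, scopes } or { ok: false, reason }.
function evaluateDebugResponse(body, expectedAppId, now = Math.floor(Date.now() / 1000)) {
  const d = body && body.data;
  if (!d) return { ok: false, reason: 'malformed response' };
  if (d.error) return { ok: false, reason: `provider error: ${d.error.message}` };
  if (d.is_valid !== true) return { ok: false, reason: 'token reported invalid' };
  // A valid token issued to some other app must not be accepted as a login here.
  if (String(d.app_id) !== String(expectedAppId)) return { ok: false, reason: 'token belongs to another app' };
  // expires_at of 0 denotes a non-expiring token; otherwise it must lie in the future.
  if (d.expires_at !== 0 && !(d.expires_at > now)) return { ok: false, reason: 'token expired' };
  if (!d.user_id) return { ok: false, reason: 'no user bound to token' };
  return { ok: true, userId: String(d.user_id), scopes: d.scopes || [] };
}

// Pull the token out of an "Authorization: Bearer ..." header; null when absent or malformed.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// End-to-end check (network). fetchImpl is injectable so the logic can be exercised offline.
async function verifyFacebookToken(token, appId, appSecret, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildDebugTokenUrl(token, appId, appSecret));
  return evaluateDebugResponse(await res.json(), appId);
}

// A hapi auth scheme built on the check above (assumes hapi's scheme interface).
// Register with server.auth.scheme('facebook-token', facebookTokenScheme(appId, secret)).
function facebookTokenScheme(appId, appSecret, fetchImpl) {
  return () => ({
    authenticate: async (request, h) => {
      const token = parseBearer(request.headers.authorization);
      if (!token) return h.unauthenticated(new Error('missing bearer token'));
      const result = await verifyFacebookToken(token, appId, appSecret, fetchImpl);
      if (!result.ok) return h.unauthenticated(new Error(result.reason));
      // Only the provider-verified user id and scopes become credentials; the raw token stays out.
      return h.authenticated({ credentials: { id: result.userId, scopes: result.scopes } });
    },
  });
}

// Constructed sample of a /debug_token body (field names per Facebook's docs, values invented).
const SAMPLE_DEBUG_RESPONSE = {
  data: {
    app_id: '123456789012345',
    type: 'USER',
    application: 'Example App',
    expires_at: 1900000000,
    is_valid: true,
    scopes: ['email', 'public_profile'],
    user_id: '10100000000000001',
  },
};
```

The `app_id` comparison is the check most easily forgotten: `/debug_token` reports `is_valid: true` for any live token, including one issued to an unrelated app, so a login route that only looks at `is_valid` can be signed into with somebody else's token. With this scheme registered as a strategy on the "login" route, the handler reads `request.auth.credentials.id` and can then issue its own session (for example with hapi-auth-cookie, as the thread suggests) rather than calling Facebook on every request.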
@KeKs0r thanks for your input. I'm new to hapijs and had the same question. Meanwhile I found this new package: https://github.com/yoitsro/hapi-access-token . Maybe we could all collaborate 👍
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.