Kinto / kinto

A generic JSON document store with sharing and synchronisation capabilities.
http://docs.kinto-storage.org/

The Github oauth tutorial is not OpenID Connect compliant. #508

Open Natim opened 8 years ago

Natim commented 8 years ago

As @jmandel described in his comment on the tutorial

In order to use GitHub sign-in safely, you need to ensure the token you pass to Kinto API endpoints is intended for Kinto. In an ideal world, GitHub would help with this problem by creating a signed token designed for the application to consume. This is what the ID token accomplishes in OpenID connect. Since GitHub does not do this for you, you would need to do it yourself.

Using a GitHub bearer token to authenticate directly to Kinto, without any specific scoping of the bearer token, means that any application holding a GitHub bearer token for the user can manage, read, add and delete her Kinto data. This is not acceptable for production use.

This reminds me of a discussion we had a month ago in London with @michielbdejong, where he explained to me that RemoteStorage embeds an OpenID Connect compatible server in charge of generating RemoteStorage-specific scoped bearer tokens.

How should we handle this for Kinto, and what is the plan forward to have a better OAuth2 integration?

Thoughts?

jmandel commented 8 years ago

Fundamentally the challenge is that OAuth is designed as an authorization protocol. You can build an authentication protocol on top, but you have to be careful to get the details right (like OIDC). For details see http://oauth.net/articles/authentication/ by @jricher.
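The audience-restricted token the thread is asking for, as an added illustration that is neither Kinto's code nor kinto-github-token's: once a GitHub login has been verified out of band, a small service mints a signed token whose claims name Kinto as the audience, and Kinto refuses anything else, including a valid token minted for a different application. The shared secret, audience string and issuer name are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the secret shared between the token-minting
# service and Kinto, and the audience string Kinto expects in every token.
KINTO_SECRET = b"example-shared-secret-not-for-production"
KINTO_AUDIENCE = "kinto"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_scoped_token(github_user_id, audience, secret=KINTO_SECRET, ttl=3600, now=None):
    """Mint a signed token after the GitHub identity has been verified elsewhere.
    The signed claims say who the user is (sub), which service may accept the
    token (aud) and when it stops being valid (exp)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "kinto-github-token", "sub": str(github_user_id),
              "aud": audience, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def verify_scoped_token(token, secret=KINTO_SECRET, audience=KINTO_AUDIENCE, now=None):
    """Kinto-side check. Signature is verified before the claims are parsed;
    then audience and expiry must hold. Returns the claims, or None on any failure."""
    try:
        payload, signature = token.split(".")
        given = _unb64(signature)
    except ValueError:  # malformed, e.g. an opaque bearer token with no structure
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```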

leplatrem commented 7 years ago

FWIW @ptgamr did https://github.com/ptgamr/kinto-github-token ;)