bluesky / tiled

API to structured data
https://blueskyproject.io/tiled
BSD 3-Clause "New" or "Revised" License

OAuth authorization for third party applications #603

Open dylanmcreynolds opened 10 months ago

dylanmcreynolds commented 10 months ago

We recently had a white-board session with the MLExchange team where we outlined a path for tiled to be used as a content provider for a third party application.

As a standalone service, Tiled currently contains the functionality to Authenticate using OIDC flows and Authorize users to interact with data controlled by Tiled. However, applications like MLExchange control their own Authentication, but want to use one or more Tiled instances as data services. We are all getting used to this as users... I'm in one web application, and it interacts with another application (like Google Drive or GitHub), and I am presented with an approval page that asks my approval for the first application to interact with the second application as me.

```mermaid
---
title: Get Tokens
---

sequenceDiagram
    User ->> Browser: get data
    Browser ->> WebApp: get data
    WebApp ->> Tiled: check tokens
    Tiled ->> Browser: Redirect to Tiled Login Page
    Tiled ->> Browser: Redirect to Tiled Authorization Page
    Tiled ->> Browser: Redirect to WebApp with code
    Browser ->> WebApp: send code to web app
    WebApp ->> Tiled: send code and client_id/client_secret
    Tiled -->> WebApp: send tokens
    WebApp ->> WebApp: persist tokens for user
    WebApp ->> Tiled: get data with tokens
    Tiled -->> WebApp: Rich Data Goodness!
```

I think that Tiled supports MOST of this already, but it does not have the UI right now for the authorization page. Submitting this issue to capture the conversation and as a place to plan out the work needed.
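The code-issuing and code-exchange steps of the diagram above, as an added example that is not Tiled's code and not part of this issue: a minimal in-memory authorization-code grant on the authorization-server side, with the checks a practitioner would expect (code bound to the registered client and redirect URI, single use, short expiry, secret stored hashed and compared in constant time). All function and variable names are hypothetical, and the tokens are opaque random strings rather than whatever Tiled actually issues.

```python
"""Hypothetical authorization-code grant for a 'Tiled-as-data-service' flow.
Added example, not Tiled's code; state lives in process memory only."""
import hashlib
import hmac
import secrets
import time

_APPS = {}   # client_id -> {"secret": sha256 hex of client_secret, "redirect_uri": str}
_CODES = {}  # code -> {"client_id", "redirect_uri", "user", "expires"}


def register_app(client_id, client_secret, redirect_uri):
    # The "app" registration the issue asks about: store the secret only as a hash.
    _APPS[client_id] = {
        "secret": hashlib.sha256(client_secret.encode()).hexdigest(),
        "redirect_uri": redirect_uri,
    }


def issue_code(client_id, redirect_uri, user, now=None, ttl=60):
    # Authorization page step: the user approved the app, so mint a short-lived
    # code bound to (client, redirect_uri, user). Reject unknown clients and any
    # redirect that differs from the registered one.
    app = _APPS.get(client_id)
    if app is None or app["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(32)
    _CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "expires": (now or time.time()) + ttl}
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, now=None):
    # Token step: the web app presents code + client credentials server-to-server.
    # pop() makes the code single-use even when the attempt fails.
    entry = _CODES.pop(code, None)
    app = _APPS.get(client_id)
    if entry is None or app is None:
        return None
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    if not hmac.compare_digest(app["secret"], presented):
        return None
    if (entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri
            or (now or time.time()) > entry["expires"]):
        return None
    # Constructed opaque tokens; a real server would issue its own token format.
    return {"access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32), "user": entry["user"]}
```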

dylanmcreynolds commented 10 months ago

Just adding some offline conversations with @danielballan on this topic. What are the necessary configurations on the Tiled side to establish an "app"? If we go all out and support "Apps" in the same way as, say, GitHub, then we might have a new configuration in a tiled instance for apps that lets us store client_id, client_secret, Homepage URL, redirect url. Then it's up to the client code to keep the secret secret.

dylanmcreynolds commented 4 months ago

This is something that we're starting to look at again, using JupyterHub and its authentication as the WebApp.

danielballan commented 4 months ago

Coincidentally, this came up on our side too. @mrakitin and @hyperrealist have a use case very similar to the dash app use case.