mattmazzola / react-simple-auth

Authentication library for React based on Ember-Simple-Auth
MIT License
56 stars 15 forks

Support async session extraction. #5

Closed jmoseley closed 6 years ago

jmoseley commented 6 years ago

For certain cases (such as Strava [1]) getting the session requires an asynchronous step, where the server uses a temporary code to get an access token. This allows the session extraction to do that step.

[1] https://developers.strava.com/docs/authentication/

mattmazzola commented 6 years ago

The authentication docs you linked to look like they only support the Authorization Code flow of OAuth. Web applications, and thus this library, cannot support that. Notice they mention client_secret and code, both of which must be sent to the server to be kept secret.

As for supporting async session extraction, I think this is just semantics of what your application's definition of a session is vs. what this library's definition of a session is. In general it should have the minimum claims for identity, such as user id and the bearer token to be used for future requests. Other information like name, email, etc. may or may not be allowed to be returned in the redirect URL. In Microsoft's case they support OpenID Connect, which does give this information through a special ID token.

If they do not give this information and you have to make another request, such as for user profile data, I think it would be more appropriate for this to be defined by your application instead of being part of the provider. Or wrap the provider if you need to, but it only seems to add complexity where it's not necessary. The reasoning is that at that point the OAuth flow is done, you have a token, and now you are simply making API calls; this API call for user data isn't any more special than the others.
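The distinction drawn in the comment above, as an added example in JavaScript (Node) that is not react-simple-auth's own code: a hypothetical provider extracts the session synchronously from the implicit-flow redirect URL fragment, checking `state` and the ID token `nonce` and expiry before trusting anything and never needing a `client_secret`, while the extra profile request is a separate application-level call made with the bearer token after the flow is done. The provider shape (`extractSession`), the `loadProfile` helper, the hosts and the tokens are constructed for the example; the ID token is unsigned here, so its signature is only parsed, not verified, which a real deployment must do against the provider's published keys.

```javascript
// Added example, not react-simple-auth code. Shows (1) synchronous session extraction
// from an OAuth 2.0 / OpenID Connect implicit-flow redirect URL, done entirely in the
// client, and (2) the separate async, app-level profile request made afterwards.
// Provider shape, helper names, hosts and tokens are hypothetical/constructed.

// base64url -> UTF-8 string (Node Buffer; browsers would use atob after the same fix-up)
function base64UrlDecode(input) {
  const b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Parse the ID token payload. This only decodes; a real client must verify the JWS
// signature against the provider's JWKS before trusting sub/iss/aud.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed ID token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Hypothetical provider: session extraction is a synchronous parse of the redirect URL.
// The session holds only the minimum identity claims plus the bearer token.
const exampleProvider = {
  extractSession(redirectUrl, expected) {
    const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
    const params = new URLSearchParams(fragment);
    if (params.get('error')) throw new Error(`provider error: ${params.get('error')}`);
    // state must equal the value this client generated before redirecting (CSRF defence)
    if (params.get('state') !== expected.state) throw new Error('state mismatch');
    const accessToken = params.get('access_token');
    const idToken = params.get('id_token');
    if (!accessToken || !idToken) throw new Error('missing tokens in redirect URL');
    const claims = decodeIdTokenPayload(idToken);
    // nonce binds the ID token to this login attempt; exp rejects stale tokens
    if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
    if (claims.exp * 1000 <= expected.now) throw new Error('ID token expired');
    return { userId: claims.sub, accessToken, expiresAt: claims.exp * 1000 };
  },
};

// Application-level step, deliberately outside the provider: with a token in hand,
// loading profile data is just another authenticated API call. fetchImpl is injected
// so the function can run offline with a fake fetch.
async function loadProfile(session, fetchImpl) {
  const res = await fetchImpl('https://api.example.invalid/me', {
    headers: { Authorization: `Bearer ${session.accessToken}` },
  });
  if (!res.ok) throw new Error(`profile request failed: ${res.status}`);
  return res.json();
}

// Constructed sample input: header + payload with a fake (unverifiable) signature part.
function makeFakeIdToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.fakesig`;
}

// Runs the constructed redirect through the provider and returns the session.
function demo() {
  const expected = { state: 'st-123', nonce: 'n-456', now: 1600000000000 };
  const idToken = makeFakeIdToken({
    iss: 'https://login.example.invalid', sub: 'user-42', aud: 'client-id',
    nonce: expected.nonce, iat: 1600000000, exp: 1600003600,
  });
  const redirectUrl = 'https://app.example.invalid/callback#' + new URLSearchParams({
    access_token: 'at-abc', token_type: 'Bearer', id_token: idToken, state: expected.state,
  }).toString();
  return exampleProvider.extractSession(redirectUrl, expected);
}
```

Calling `demo()` yields `{ userId: 'user-42', accessToken: 'at-abc', expiresAt: 1600003600000 }`; a redirect whose `state` does not match what the client stored before the redirect is rejected before any token is read, and `loadProfile(demo(), fetch)` is the kind of ordinary bearer-token call the comment says belongs to the application rather than the provider.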