nickredmark / ooth

User identity/authentication/accounts management microservice for node.js
https://nmaro.github.io/ooth/
MIT License

Standalone config confusion #23

Closed kev89431 closed 6 years ago

kev89431 commented 7 years ago

First I wanna say ty for starting this project. Following the integrated example, I made the curl request:

curl -XPOST http://localhost:3002/auth/guest/register

and the response is missing the token:

{"user":{"_id":"5a0bf5d9280f3c24fe626322"}}

For the response to include the token I have to pass in standalone: true here https://github.com/nmaro/ooth/blob/master/examples/integrated/api/ooth.js#L11

I think it's confusing because standalone implies running ooth as a standalone server, yet I have to pass in standalone: true for the integrated example to work.

Going through the code, it looks like the only thing the standalone config does is include the token in the response? I think you could remove the standalone config altogether & return the token in the response header by default.

/status should work with the token as well?

nickredmark commented 7 years ago

The idea is that if it is integrated you don't need any JWT token, because a cookie-based session is started.

nickredmark commented 7 years ago

More explanations: in the standalone mode I use JWT only on authentication to pass it to the api and create a cookie-based session there, then I drop it. That's why /status also doesn't return a token.

kev89431 commented 7 years ago

Thanks for the explanations. This setup would work on web but not mobile or any non-cookie based auth.

Triet,


nickredmark commented 7 years ago

A clarification:

With ooth you can authenticate with any strategy one might implement based on passport.js, including JWT, username/password, facebook login, google, oauth and so on.

If ooth is integrated, a cookie-based session is started. This surely works fine on mobile browsing. I'm not familiar with how mobile apps work - can't they use cookie-based sessions too? Remember that you can always start a session with any strategy including JWT (it would be pretty easy to create a plugin for that).

If ooth is standalone it returns a JWT that you can then pass to any external app.

Now the question is: given the above remarks, do you still need ooth to work with JWT instead of creating a session in an integrated scenario?