omab / python-social-auth

Social auth made simple
http://psa.matiasaguirre.net
BSD 3-Clause "New" or "Revised" License

Single page application strategy #1063

Closed arol closed 7 years ago

arol commented 7 years ago

Hi everyone.

I'm developing an app that is composed of a standalone API (with Django REST framework) and a single page application consuming that API. I've added PSA into my backend to add a sign-in with LinkedIn.

The strategy goes like this:

  1. The user taps on a 'sign in with LinkedIn' button which leads to the PSA login URL.
  2. PSA performs the social login. The provider redirects to the backend in both the authorise and token requests.
  3. At this point, I need the backend to redirect to a front-end url with the auth token of the user (as the provider does), so the single page application can use it in further requests.

The problem is that I don't see any step in which I can do the 3rd step in the PSA workflow.

Another solution could be to set the provider redirections to the front-end so it can proxy those requests to the server, using the front-end as a middleware. The problem with this one is that I didn't see where to set the provider redirection URLs in the PSA configuration.

PSA is a very nice library, and it would be awesome to have a description of the usage with a single page application in the documentation. I can help with this.

knaperek commented 7 years ago

Hi arol, I'd suggest you take a look at django-rest-framework-social-oauth2 which integrates this library together with django-oauth-toolkit into DRF.

In an SPA you probably want to have your own authentication provider built in your backend which is able to generate tokens for your users (based either on good-old username/password credentials or on an exchange for a LinkedIn token). Your frontend (JS) shall then be responsible for obtaining an access_token from LinkedIn first, and then subsequently using the convert_token method to retrieve your App's token from your backend. Since your frontend will use the new token for all subsequent requests against your backend API, you'll also avoid hitting the LinkedIn API with every request.

omab commented 7 years ago

The only way I see this possible right now is by doing:

  1. Define a custom complete view that mimics the code from the original (it's hard to reuse it at the moment), and returns the redirect with the needed token for the user
  2. Define a custom view that your app calls after a successful login to retrieve the needed token.

I'm closing this, please reopen in social-app-django if still relevant.
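A framework-agnostic sketch of the hand-off that omab's two custom views would perform, added here as an example and not code from python-social-auth or from any commenter in the thread. `issue_login_code` and `frontend_redirect_url` are what a custom `complete` view would call before returning its redirect (option 1), and `exchange_login_code` is the view the SPA calls afterwards to retrieve its API token (option 2). It also covers the two things a practitioner would want checked at that step: the redirect target is validated against an allowlist so a caller-supplied `next` URL cannot become an open redirect that leaks the credential, and what goes in the URL is a short-lived single-use code in the fragment, not the long-lived token itself. Every name, origin and storage choice below is an assumption for the example; the in-memory dicts stand in for the cache or database a real backend would use.

```python
"""Handing an API token from a PSA backend to a single page application.

Added example: not code from python-social-auth or from the thread's
participants. Framework-agnostic on purpose; all names are hypothetical.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumption: the only front-end origins allowed to receive a hand-off.
# Redirecting to a caller-supplied URL without this check is an open
# redirect that would deliver the login code to an attacker's site.
ALLOWED_FRONTEND_ORIGINS = {"https://app.example.com", "http://localhost:3000"}

# Short-lived, single-use codes: code -> (user_id, expires_at). Kept in
# memory for the example; a real backend would use its cache or a table.
_PENDING_CODES = {}
CODE_TTL_SECONDS = 60

# Long-lived API tokens the SPA sends on every request: token -> user_id.
_API_TOKENS = {}


class LoginCodeError(Exception):
    """Raised when a code is unknown, expired or already used."""


def _now(now):
    return time.time() if now is None else now


def issue_login_code(user_id, now=None):
    """Create a one-time code bound to the user PSA just authenticated."""
    code = secrets.token_urlsafe(32)
    _PENDING_CODES[code] = (user_id, _now(now) + CODE_TTL_SECONDS)
    return code


def frontend_redirect_url(next_url, code):
    """Build the redirect the custom complete view returns to the browser.

    The code travels in the URL fragment rather than the query string:
    browsers never send the fragment to the server, so it stays out of
    access logs, proxies and Referer headers on the front-end side.
    """
    parts = urlsplit(next_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_FRONTEND_ORIGINS:
        raise ValueError(f"refusing redirect to non-allowlisted origin {origin!r}")
    fragment = urlencode({"login_code": code})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, fragment))


def login_code_from_url(url):
    """What the SPA does on load: pull the code out of the fragment."""
    codes = parse_qs(urlsplit(url).fragment).get("login_code", [])
    return codes[0] if codes else None


def exchange_login_code(code, now=None):
    """The retrieval view: swap a valid code for (user_id, api_token).

    The code is removed from the store before any other check, so a
    replayed code fails even if the first exchange is still in flight,
    and an expired code is discarded rather than left lying around.
    """
    entry = _PENDING_CODES.pop(code, None)
    if entry is None:
        raise LoginCodeError("unknown or already used login code")
    user_id, expires_at = entry
    if _now(now) > expires_at:
        raise LoginCodeError("login code expired")
    api_token = secrets.token_urlsafe(32)
    _API_TOKENS[api_token] = user_id
    return user_id, api_token


def user_for_api_token(api_token):
    """Authenticate a later API request by its bearer token."""
    return _API_TOKENS.get(api_token)


if __name__ == "__main__":
    # Walk through the hand-off for a constructed user.
    code = issue_login_code("user-42")
    url = frontend_redirect_url("https://app.example.com/login/done?tab=1", code)
    print("redirect to:", url)
    user, token = exchange_login_code(login_code_from_url(url))
    print("SPA now holds a token for", user, "->", user_for_api_token(token))
```

The SPA reads the fragment once, calls the exchange endpoint over HTTPS, stores the returned API token (in memory or however it stores credentials) and strips the fragment from the address bar; with that in place the provider's own access token never has to reach the browser, and a code that leaks through browser history is useless after its first use or after `CODE_TTL_SECONDS`.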