payprop / net-oauth2-authorizationserver

Module to implement core functions of an OAuth2 authorization server

Is there description how to use this module with first-party apps? #31

Closed KES777 closed 3 years ago

KES777 commented 3 years ago

Hi. I have an application

I read this: https://auth0.com/docs/flows/authorization-code-flow https://auth0.com/docs/applications/first-party-and-third-party-applications https://auth0.com/docs/scopes/api-scopes https://auth0.com/docs/scopes/sample-use-cases-scopes-and-claims#keep-reading https://auth0.com/docs/tokens/id-tokens

But I do not understand how to use the authorization server module with first-party apps. Is this documented somewhere? Probably you have blog posts.

leejo commented 3 years ago

This is an Authorization Server implementation so by definition is used by the first party - you use it to implement an authorization server in your app (first party) and then you can allow your own (first party) and other (third party) applications to go through the various OAuth flows to get access tokens.

KES777 commented 3 years ago

So, I think I am missing some recommendations about how to skip the 'consent' step for the user because it is a first-party app.

leejo commented 3 years ago

I think you need to research more how OAuth2 flows work. https://metacpan.org/pod/Net::OAuth2::AuthorizationServer::Manual Should get you started.

KES777 commented 3 years ago

I read that, but everything still looks complex. I do not understand =(

I will try to reread it again and, if successful, then summarize my experience. But I am not sure I will get deeper (

Thank you.

KES777 commented 3 years ago

https://stackoverflow.com/a/46027673/4632019

The main reason about this is because oAuth2 is not for authentication, only for third-party authorization, and that grant type was added only for specific third-party applications trusted enough to use the user password directly. You could read more about this argument here and here.

(for future reference)

https://tools.ietf.org/id/draft-ietf-oauth-browser-based-apps-07.html#name-first-party-applications

first-party applications using OAuth or OpenID Connect MUST use a redirect-based flow (such as the OAuth Authorization Code flow) as described later in this document.
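To make the point of the draft text concrete: a first-party client goes through the same redirect-based authorization code flow as everyone else, and the only thing that changes is the consent decision inside the authorization endpoint. The sketch below is an added illustration in Python, not code from Net::OAuth2::AuthorizationServer or from this thread; the client registry, URLs and user name are constructed.

```python
# Added illustration: a minimal authorization endpoint showing where the
# "consent" decision sits in the authorization-code flow. Clients, URLs and
# the user name are constructed for the example.
import secrets
from urllib.parse import urlencode

# Constructed client registry. first_party is a trust attribute fixed at
# registration time; the incoming request can never assert it.
CLIENTS = {
    "web-app": {"redirect_uris": ["https://app.example/cb"],
                "first_party": True, "scopes": {"profile", "email"}},
    "partner": {"redirect_uris": ["https://partner.example/cb"],
                "first_party": False, "scopes": {"profile"}},
}

AUTH_CODES = {}  # code -> {client_id, redirect_uri, scopes, user}

def needs_consent(client_id, scopes, prior_grants):
    """First-party clients skip the prompt; third-party clients skip it only
    for scopes this user has already granted to that client."""
    if CLIENTS[client_id]["first_party"]:
        return False
    return not set(scopes) <= prior_grants.get(client_id, set())

def authorize(params, user, prior_grants, consented=False):
    """Validate an authorization request for an already-logged-in user and
    return ('redirect', url), ('consent', scopes) or ('error', reason)."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None or params.get("response_type") != "code":
        return ("error", "invalid_request")
    # Exact match against the registered URIs; never redirect on a mismatch.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return ("error", "invalid_redirect_uri")
    scopes = set(params.get("scope", "").split())
    if not scopes or not scopes <= client["scopes"]:
        return ("error", "invalid_scope")
    if not consented and needs_consent(params["client_id"], scopes, prior_grants):
        return ("consent", sorted(scopes))  # render the consent page
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {"client_id": params["client_id"], "user": user,
                        "redirect_uri": params["redirect_uri"], "scopes": scopes}
    query = {"code": code}
    if "state" in params:
        query["state"] = params["state"]  # echoed unchanged; binds the response
    return ("redirect", params["redirect_uri"] + "?" + urlencode(query))
```

The token endpoint would then look the code up in AUTH_CODES and require the same client_id and redirect_uri before issuing an access token; that part of the flow is identical for first- and third-party clients.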

leejo commented 3 years ago

I read that, but everything still looks complex. I do not understand =(

Yes, it's complex. Well, there are many parts and many parts to those parts. My complete understanding of the protocol didn't really start until I read through the RFCs and wrote this module, and I still have to go back to the RFCs and test cases when I get bug reports/issues, as I can't keep all of this in my head. Also, what I wrote just worked, and there has been little change to the spec/module since then, so I don't go back to it often enough to keep it in my head.

The hope is that the next version of the spec will simplify the flows somewhat and remove some of the edge cases and unnecessary complexity.

I gave a talk on the module a while back, perhaps that will help: https://www.youtube.com/watch?v=kkd9hYC3xok # note the description that "Strong coffee is advised as a prerequisite to attending this talk." 😄