stormpath / stormpath-framework-spec

Language-agnostic API specification for Stormpath Framework Integrations

Cookies pose a problem for social login on mobile #54

Open edjiang opened 8 years ago

edjiang commented 8 years ago

To get a social login access_token, I need to post to /login and then read the responding cookie.

The cookie name is not guaranteed to be access_token, as it's a configurable value. This poses a problem on mobile, since we would have to add the cookie name as a configurable parameter.

While we can do it, I think it's not a great idea and can pose lots of problems in the future.

Would we be amenable to adding another way of exchanging the social login access token / authorization codes to the framework spec?

robertjd commented 8 years ago

Hmm, yes, this is an issue. We already have an /oauth/token endpoint that is attached to the framework integration; I'd like to explore a way to extend that to accept social token results and exchange them for Stormpath OAuth tokens.

edjiang commented 8 years ago

I'll implement using non-configurable cookies for now, but let's chat about this on Thursday?