thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Which grant do I need for this flow #247

Closed deiucanta closed 9 years ago

deiucanta commented 9 years ago

Hello guys,

I have the following auth flow in a mobile application.

[Screenshot of the mobile app's auth flow, dated Nov 10 (image not reproduced)]

Users can login with any of their email accounts (that are connected to our app). If the email account is not linked yet, we will create a new app account for it.

  1. The email address is sent to the server in order to detect the provider type
  2. If the provider supports OAuth (GMail), I will redirect the user to GMail's OAuth login page
    • after the authorisation, it will be redirected to our server where we store the token
    • after storing GMail's token into the db, we generate our own token that is sent to the app
  3. If the provider doesn't support OAuth, I will request additional data (password, server hostnames and ports)
    • if the IMAP authentication is successful, we generate our own token and send it to the app
    • if not, we will send an error to the client

The client is our app and for the moment the API is not intended for client use. We wanted to have a strong OAuth implementation right from the beginning - not reinventing the wheel.

I don't know where to start with this. Which grant(s) shall we use to enable this uncommon authentication flow?

alexbilbie commented 9 years ago

So am I understanding this correctly:

  1. User signs into an email provider
  2. Email is then sent to the client app via an API

And you want to secure the API communication at point 2?

deiucanta commented 9 years ago

Let's say my app is Xmail, it will provide a single place to read all your messages from different accounts.

For a user to register into Xmail, I don't want to create another set of credentials for the sake of user experience. If he writes his Gmail address I will login with Gmail, but the app will not consume Gmail API directly. Xmail will only interact with Xmail API and our servers will interact with Gmail API.

Also, there are providers which don't support OAuth. For those, I will do a validation on the IMAP protocol and authorise them only if that is successful.

So we have two cases

If the login is successful, we will use the Xmail token to access the API. After you register (login for the first time) you will be able to link other email accounts to your Xmail account.

I think this requires an extra step from the normal OAuth flow.

alexbilbie commented 9 years ago

Okay so if it's your own app with your users then you should use the following grants:

  • For communicating with the API with the gmail access token or the IMAP details: client_credentials
  • For communicating with the API once you have an Xmail user signed into the app: [resource owner] password grant

deiucanta commented 9 years ago

Just a quick specification: my users will not have an Xmail username/password.

Does your answer include this fact? I'm not sure how to use those grants without a password.

On Nov 10, 2014 6:09 PM, "Alex Bilbie" notifications@github.com wrote:

Okay so if it's your own app with your users then you should use the following grants:

  • For communicating with the API with the gmail access token or the IMAP details: client_credentials
  • For communicating with the API once you have an Xmail user signed into the app: [resource owner] password grant


alexbilbie commented 9 years ago

Sorry for not replying to this. Have you solved this issue? What was your solution?

deiucanta commented 9 years ago

Sorry for the delay :)

We created a custom grant which has two steps - similar to auth_code

  1. detect - you send the email address and it detects what provider it is using
  2. complete flow - you send the email address, provider type and provider details (for gmail - this will be a token, for imap - this will be a password)

Hope it makes sense.
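An added example (not code from this thread, nor from league/oauth2-server itself) sketching the two-step custom grant deiucanta describes, written in PHP 8 against the v8 `AbstractGrant` API. The thread dates from a much older release, so the base-class methods used here (`validateClient`, `getRequestParameter`, `validateScopes`, `issueAccessToken`, `issueRefreshToken`) and the `$scopeRepository` / `$defaultScope` properties are an assumption about v8, and `ProviderDetector` and `ProviderAuthenticator` are hypothetical interfaces the application would supply. It departs from the described flow in one defensive detail: in the "complete" step the provider type is re-derived on the server from the email address rather than taken from the client, so a client cannot steer a Gmail account onto the password/IMAP path.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the library. Assumes league/oauth2-server v8.

use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Grant\AbstractGrant;
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
use Psr\Http\Message\ServerRequestInterface;

/** Hypothetical: step 1 ("detect"), maps an email address to 'gmail' or 'imap'. */
interface ProviderDetector
{
    public function detect(string $email): string;
}

/** Hypothetical: verifies provider credentials server-side; returns the Xmail user id or null. */
interface ProviderAuthenticator
{
    public function authenticateGmail(string $email, string $gmailToken): ?string;
    public function authenticateImap(string $email, string $password, string $host, int $port): ?string;
}

final class EmailProviderGrant extends AbstractGrant
{
    public function __construct(
        private ProviderDetector $detector,
        private ProviderAuthenticator $authenticator,
    ) {
    }

    public function getIdentifier(): string
    {
        return 'email_provider';
    }

    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
        DateInterval $accessTokenTTL
    ): ResponseTypeInterface {
        // Only the registered, authenticated client (the Xmail app) may use this grant.
        $client = $this->validateClient($request);

        $email = $this->getRequestParameter('email', $request);
        if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw OAuthServerException::invalidRequest('email');
        }

        // Step 2 ("complete flow"): re-run detection here instead of trusting a
        // client-supplied provider type, then validate the provider credentials.
        $userId = match ($this->detector->detect($email)) {
            'gmail' => $this->authenticator->authenticateGmail(
                $email,
                $this->requireParam('provider_token', $request)
            ),
            // The IMAP password is used once for verification and never stored.
            'imap' => $this->authenticator->authenticateImap(
                $email,
                $this->requireParam('password', $request),
                $this->requireParam('imap_host', $request),
                (int) $this->requireParam('imap_port', $request)
            ),
            default => throw OAuthServerException::invalidGrant('unsupported email provider'),
        };

        if ($userId === null) {
            // Same error for both paths: do not reveal which provider or which field failed.
            throw OAuthServerException::invalidCredentials();
        }

        // Issue Xmail's own tokens; the provider credentials never reach the app.
        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);

        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $userId, $scopes);
        $responseType->setAccessToken($accessToken);

        $refreshToken = $this->issueRefreshToken($accessToken);
        if ($refreshToken !== null) {
            $responseType->setRefreshToken($refreshToken);
        }

        return $responseType;
    }

    /** Reads a mandatory POST parameter or fails with a standard invalid_request error. */
    private function requireParam(string $name, ServerRequestInterface $request): string
    {
        $value = $this->getRequestParameter($name, $request);
        if (!is_string($value) || $value === '') {
            throw OAuthServerException::invalidRequest($name);
        }
        return $value;
    }
}
```

The grant is registered like any built-in one, e.g. `$server->enableGrantType(new EmailProviderGrant($detector, $authenticator), new DateInterval('PT1H'));`, after which the app posts `grant_type=email_provider` with its client credentials, the email address and the provider details to the token endpoint. Keeping the access-token TTL short and relying on the refresh token matters more here than usual, because the only thing the user ever proved was control of a mailbox.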