Closed deiucanta closed 9 years ago
So am I understanding this correctly:
And you want to secure the API communication at point 2?
Let's say my app is Xmail, it will provide a single place to read all your messages from different accounts.
For a user to register into Xmail, I don't want to create another set of credentials for the sake of user experience. If he writes his Gmail address I will login with Gmail, but the app will not consume Gmail API directly. Xmail will only interact with Xmail API and our servers will interact with Gmail API.
Also, there are providers which don't support OAuth. For those, I will do a validation on the IMAP protocol and authorise them only if that is successful.
So we have two cases
If the login is successful, we will use Xmail token to access the API. After you register (login for the first time) you will be able link other email accounts to your Xmail account.
I think this requires an extra step from the normal OAuth flow.
Okay so if it's your own app with your users then you should use the following grants:
Just a quick specification: my users will not have an Xmail username/password.
Does your answer include this fact? I'm not sure how to use those grants without a password. On Nov 10, 2014 6:09 PM, "Alex Bilbie" notifications@github.com wrote:
> Okay so if it's your own app with your users then you should use the following grants:
> - For communicating with the API with the gmail access token or the IMAP details: client_credentials
> - For communicating with the API once you have an Xmail user signed into the app: [resource owner] password grant
>
> Reply to this email directly or view it on GitHub https://github.com/thephpleague/oauth2-server/issues/247#issuecomment-62407161
Sorry for not replying to this. Have you solved this issue? What was your solution?
Sorry for the delay :)
We created a custom grant which has two steps - similar to auth_code
Hope it makes sense.
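To make the "custom grant with two steps, similar to auth_code" concrete, here is an added illustration written for this thread; it is not code from thephpleague/oauth2-server or from the Xmail project. The class name `TwoStepGrant`, the method names, and the `FAKE_PROVIDER_ACCOUNTS` table are all assumptions constructed for the example. Step 1 authenticates the app itself (client id and secret, as the client_credentials grant would), verifies the external proof (a Gmail access token or an IMAP login result) and hands back a short-lived, single-use grant code, auto-registering an Xmail account the first time a mailbox is seen. Step 2 exchanges that code for an Xmail access token. The Gmail token or IMAP password is only ever passed to the verifier and is never stored by the grant.

```python
"""Two-step custom grant modelled on auth_code (illustrative, not library code)."""
import hmac
import secrets
import time

# Constructed stand-in for the external providers. A real server would call
# Gmail's token-info endpoint or attempt an IMAP login instead of a lookup.
FAKE_PROVIDER_ACCOUNTS = {
    ("gmail", "ya29.constructed-token"): "alice@gmail.com",
    ("imap", "bob@example.org:hunter2"): "bob@example.org",
}


def verify_external_account(provider, credential):
    """Return the verified mailbox address, or None if the proof is invalid."""
    return FAKE_PROVIDER_ACCOUNTS.get((provider, credential))


class TwoStepGrant:
    """Hypothetical grant: external proof -> one-time code -> Xmail token."""

    def __init__(self, client_id, client_secret, verifier=verify_external_account,
                 code_ttl=60, now=time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._verify = verifier
        self._code_ttl = code_ttl      # seconds a step-1 code stays valid
        self._now = now                # injectable clock for testing expiry
        self._pending = {}             # grant code -> (xmail account, expiry)
        self._tokens = {}              # access token -> xmail account
        self._accounts = {}            # mailbox -> xmail account (auto-registered)

    def _client_ok(self, client_id, client_secret):
        # Constant-time comparison so the secret check does not leak timing.
        return (hmac.compare_digest(client_id, self._client_id)
                and hmac.compare_digest(client_secret, self._client_secret))

    def step1_link(self, client_id, client_secret, provider, credential):
        """Step 1: app authenticates itself and presents the external proof.

        Returns a short-lived, single-use grant code, or None on failure.
        The external credential is verified and then dropped, never stored.
        """
        if not self._client_ok(client_id, client_secret):
            return None
        mailbox = self._verify(provider, credential)
        if mailbox is None:
            return None
        # First login for a mailbox creates the Xmail account (registration).
        account = self._accounts.setdefault(
            mailbox, "xmail-user-%d" % (len(self._accounts) + 1))
        code = secrets.token_urlsafe(32)
        self._pending[code] = (account, self._now() + self._code_ttl)
        return code

    def step2_token(self, client_id, client_secret, code):
        """Step 2: exchange the grant code for an Xmail access token.

        The code is removed on first use so a replayed code is rejected,
        and an expired code yields None even if it was never used.
        """
        if not self._client_ok(client_id, client_secret):
            return None
        entry = self._pending.pop(code, None)   # single use
        if entry is None:
            return None
        account, expiry = entry
        if self._now() > expiry:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = account
        return token

    def resource_owner(self, token):
        """Resolve an Xmail access token to its account, or None."""
        return self._tokens.get(token)


if __name__ == "__main__":
    grant = TwoStepGrant("xmail-ios", "constructed-client-secret")
    code = grant.step1_link("xmail-ios", "constructed-client-secret",
                            "gmail", "ya29.constructed-token")
    token = grant.step2_token("xmail-ios", "constructed-client-secret", code)
    print("logged in as", grant.resource_owner(token))
```

Splitting the flow this way keeps the two concerns the thread separates: the first call only proves the app and the external account, the second is the only place an Xmail token is minted, and the bridge between them is a code that dies on first use or after the TTL, exactly the properties that make auth_code safe to pass through a mobile client.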
Hello guys,
I have the following auth flow in a mobile application.
Users can login with any of their email accounts (that are connected to our app). If the email account is not linked yet, we will create a new app account for it.
The client is our app and for the moment the API is not intended for client use. We wanted to have a strong OAuth implementation right from the beginning - not reinventing the wheel.
I don't know where to start with this. Which grant(s) shall we use to enable this uncommon authentication flow?