umbraco / Umbraco.AuthorizedServices

Umbraco Authorized Services is an open-source package designed to reduce the effort needed to integrate third party services that require authentication and authorization via an OAuth flow.
MIT License

Feature/test providers #4

Closed acoumb closed 1 year ago

acoumb commented 1 year ago

Current PR only contains some minor changes noticed while testing additional providers like LinkedIn, Twitter and Facebook.

  1. rearrangement of the authorization URL query string parameters. With OAuth providers, the response_type comes in first, followed by client_id, so to follow that "convention", I thought of updating it this way.
  2. encode the | character after testing with Twitter revealed that their API returns a 400 - Bad Request when asking for the authorization code. Other integrations were not affected by this change.

I tried setting up an authorization workflow with Facebook, without any luck. The issue that blocked me was setting up the authorization URL to authenticate against the Facebook app I had created. Also, while building the URL, I noticed they require a smaller number of parameters, only client_id, redirect_uri and state, which will mean modifying the current structure to support this.

Either way, the authorization flow crashed with just a simple "Error" message. I have used these docs for reference, and I think Facebook handles the authorization through their platform slightly differently, using their SDK or a Login Dialog for this.

acoumb commented 1 year ago

Updates look fine. Regarding Facebook, having had a read it seems like it should work as it's basically supporting the same flow, so it might be worth persevering a bit.

I'd suggest that, to do so, you replace and implement your own components that need updates in the test project (i.e. at least provide a custom IAuthorizationUrlBuilder) and see if you can get it to work.

If you can, we can then examine what you had to do in your custom implementation, and see how we can best make that available as configuration to customize the default implementation of this interface (i.e. AuthorizationUrlBuilder).

If it's important we only provide certain parameters and not others for example, we can perhaps introduce flags like IncludeScopesInAuthorizationUrl.

There is no need to handle this differently for Facebook, as my initial tests were using an incorrect Facebook App type that didn't allow me to add the Facebook Login product feature to it.

With the Consumer app type, the authorization flow works flawlessly with the configuration from appsettings.json.
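
As an added illustration of the points discussed in this thread (not code from the PR or from Umbraco.AuthorizedServices): a stand-alone builder that emits response_type first, then client_id, percent-encodes every value so that `|` is sent as `%7C`, and makes the scope parameter optional. The type names, the `IncludeScopes` option (modelled on the flag idea above), the endpoint and all sample values are assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical options type; IncludeScopes mirrors the flag idea floated in the thread.
public sealed record AuthUrlOptions(
    string AuthorizeEndpoint, string ClientId, string RedirectUri,
    string Scopes, bool IncludeScopes = true);

public static class ExampleAuthorizationUrlBuilder
{
    public static string Build(AuthUrlOptions o, string state)
    {
        // Ordered list: response_type first, then client_id, as described in the PR.
        var query = new List<KeyValuePair<string, string>>
        {
            new("response_type", "code"),
            new("client_id", o.ClientId),
            new("redirect_uri", o.RedirectUri),
        };
        if (o.IncludeScopes && !string.IsNullOrWhiteSpace(o.Scopes))
            query.Add(new("scope", o.Scopes));
        query.Add(new("state", state));

        // Uri.EscapeDataString percent-encodes everything outside the RFC 3986
        // unreserved set, so '|' becomes %7C and the redirect_uri is escaped too.
        return o.AuthorizeEndpoint + "?" + string.Join("&",
            query.Select(p => $"{Uri.EscapeDataString(p.Key)}={Uri.EscapeDataString(p.Value)}"));
    }

    public static void Main()
    {
        // Constructed sample values; endpoint and identifiers are placeholders.
        var opts = new AuthUrlOptions("https://provider.example/oauth2/authorize",
            "constructed-client-id", "https://localhost:44300/callback", "read write");
        var state = "exampleService|constructed-random-value";

        Console.WriteLine(Build(opts, state));
        // Same request without the scope parameter.
        Console.WriteLine(Build(opts with { IncludeScopes = false }, state));
    }
}
```

Because the state value is percent-encoded rather than altered, the provider returns it unchanged after decoding, so the callback can still compare it exactly against the value that was issued.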