weavejester / ring-oauth2

OAuth 2.0 client middleware for Ring


redirect-uri and provider differences

earthtrip opened this issue · comments

Hi -

I'm trying to set up ring-oauth2. I've got OAuth2 mostly working in my proof-of-concept web app (Luminus-based web app) with Google, GitHub and Facebook. I've used OAuth2 in other languages, so I understand it for the most part, but I'm new to Clojure, so it may be a general misunderstanding. Anyway, I have two questions:

  1. What does the redirect-uri do? I have it set up in my code, but it never seems to be called and instead the flow takes me directly to the landing-uri. But if I take my redirect-uri handler out of the code, it doesn't work. In other languages/frameworks I usually used the redirect-uri to handle post-processing of the response, like updating the application database by inserting or updating the users table with the token, for example, but in ring-oauth2 I can't get it to call those functions.

  2. It appears that each provider returns different data sets, and this library doesn't seem to handle the POST back to get the actual data I'm trying to access (read-only email in my scenario). Note: I've put random gibberish into these tokens, so they don't actually work in, say, jwt.io.

e.g. GitHub only returns this data structure
{:github {:token dask348498dslu34ualkdjfkjasdfkajdsf}}

whereas Google returns

:google {:token ya29.3849kasjdflkjalk;sdfjlakjsdfkjdakfdj389jk3jksj-7zpiJ6cU8BgL0wYv6-0AgA5d-S-U8_QN59mDohtGMbQ, :expires #object[org.joda.time.DateTime 0x5f37ef66 2018-04-14T12:55:46.987Z], :id-token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNiNTQ3ODg2ZmY4NWEzNDI4ZGY0ZjYxZGI3M2MxYzIzOTgyYTkyOGUifQ.eyJhenAiOiIzMTQ0MTE3u4k3u4Dcta2JvZTdlZ2F0cjdnM3VzMzhzdDY3NXU1ZmVrZ3FsOGcuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iaGFlbCBFbmdlbGhhcnQiLCJwaWN0dXJlIjoiaHR0cHM6Ly9saDUuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy05dXl3UW5hZzBRcy9BQUFBQUFBQUFBSS9BQUFBQUFBQUJiZyBLAHBLAHBLAHkZlcy9zOTYtYy9waG90by5qcGciLCJnaXZlbl9uYW1lIjoiTWljaGFlbCIsImZhbWlseV9uYW1lIjoiRW5nZWxoYXJ0IiwibG9jYWxlIjoiZW4ifQ.i-_I6yVfqrvp1EO5SjY4f3tu191yyXrbSGUrdt5idExAGA2CPxLqT9ceaOvCI3FaRuV4-CCIuxKR3xNx72qs90EYOKHhPQIb_dnzY4_aDmnQzgNO2c-yegkXBLAHBLAHBLAHGfPvQKtE2DDgpjy9-w99p9KvDfseURsbyILxeaXRDgOzR2qRHhQLnhd4H3wW8Ku_v8kTvupd5FYQe79HFJwhb2tPn2H4PRc0Alb2zsp7fEiIA1iua9LT06HOEzV9_UkAscEb-mCDpmHcmvwY-I7McnF5fiLAEVkK9MaebuKWyGuHnKV1AHzwWM-YfgorQR99L13p7fRaAQ}}}

and facebook returns
:facebook {:token BLAHBLAHBLAHSVR6LYXZAfMSJIiXzg5T4CyaeKj5KbD242pDBPZBVeahGZBu2NyfSQNetTIClCq55TgTfyCZAvwvhNkXBqlgC5ttwICZAr7ZAwBLAHBLAHBLAHnxchJZBzfM3kDgAZDZD, :expires #object[org.joda.time.DateTime 0x2a5ba73b 2018-06-12T15:35:24.426Z]}}

Thanks for any insight. It's possible I'm expecting this to behave like something it's not designed for, but before I move on I'd like to learn whether I simply configured it incorrectly or whether it's simply a lower-level abstraction.

Thanks!
Mike

What does the redirect-uri do?

It's the URI that the authorization server uses to send the user back to your app. In the OAuth 2.0 specification it's called the "redirection endpoint URI".

The URI is handled by the middleware itself, receiving the token and adding it to the session. When it's done, it redirects the user again to the landing URI.

It appears that each provider returns different data sets and that this library doesn't seem to handle the POST back to get the actual data I'm trying to access (email read only in my scenario).

No, but it should be straightforward. You need to add the token to a header on your POST request, like:

Authorization: Bearer <token>

How that's done depends on which HTTP client library you're using.

Thanks for the quick response. So is there no way to do processing inside the redirect-uri handler? It appears to just get auto-handled by ring-oauth2? I'm just trying to figure out where in my code I would do the POST back with the Bearer token. It seems a bit odd to me to do that in the landing-uri, but that may just be because I think of a "landing" page as where you want to redirect the user after all the OAuth processing work is done, vs. having different landing-uris for each provider that do POSTs back to the provider and then render something to the browser.

e.g. this code never gets to the debug println statement:

;; github oauth2
(ns myapp.routes.github
  (:require [compojure.core :refer [defroutes GET]]))

(defn oauth-github-launch []
  ;; never reached: ring-oauth2 intercepts the :launch-uri before routing
  nil)

(defn oauth-github-callback [request]
  ;; never reached either: ring-oauth2 handles the :redirect-uri itself
  (println "got here")
  nil)

(defroutes github-oauth2-routes
  (GET "/auth/github" []
       (oauth-github-launch))
  (GET "/auth/github/callback" request
       (oauth-github-callback request)))


I have this in my middleware:

(mount/defstate app
  :start
  (middleware/wrap-base
   (routes
    (-> #'home-routes
        (wrap-routes middleware/wrap-csrf)
        (wrap-routes middleware/wrap-formats))
    ;; wrap-routes applies the middleware only once a route in
    ;; github-oauth2-routes has matched
    (-> #'github-oauth2-routes
        (wrap-routes middleware/wrap-csrf)
        (wrap-routes middleware/wrap-formats)
        (wrap-routes middleware/wrap-github-oauth2)))))

I'm just trying to figure out where in my code I would do the POST back with the Bearer token.

Put it in the handler for the landing URI.

There is issue #10, which suggests adding a success handler that would be executed by the redirect URI, but aside from skipping a redirect the result would be the same as putting the logic in the landing URI instead.
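To make the two answers above concrete (the middleware owning the launch and redirect URIs, and the landing handler being the place to spend the stored token), here is an added example of a complete GitHub landing handler. It is not code from this issue or from ring-oauth2 itself. It assumes clj-http for the outbound request, the 2018-era ring-oauth2 that stores `:expires` as a Joda `DateTime` (matching the maps pasted above), and that the middleware exposes the stored tokens on the request under `:oauth2/access-tokens` as its README documents. `upsert-user!` is a hypothetical stand-in for the poster's "insert or update the users table" step. Two points worth noting: GitHub's emails endpoint is read with GET, not POST, and the token belongs in the `Authorization` header rather than the query string, where it would otherwise land in proxy and access logs.

```clojure
(ns example.oauth-landing
  (:require [clj-http.client :as http]
            [ring.middleware.oauth2 :refer [wrap-oauth2]]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.util.response :as resp]))

;; One ring-oauth2 profile. :launch-uri, :redirect-uri and :landing-uri are
;; paths on *this* app. The middleware intercepts the first two itself, so no
;; route for them should exist; the absolute form of :redirect-uri must match
;; the callback URL registered with GitHub exactly.
(def github-profile
  {:authorize-uri    "https://github.com/login/oauth/authorize"
   :access-token-uri "https://github.com/login/oauth/access_token"
   :client-id        (System/getenv "GITHUB_CLIENT_ID")
   :client-secret    (System/getenv "GITHUB_CLIENT_SECRET")
   :scopes           ["user:email"]
   :launch-uri       "/auth/github"
   :redirect-uri     "/auth/github/callback"
   :landing-uri      "/auth/github/landing"})

(defn fetch-github-emails
  "GET GitHub's emails API with the bearer token the middleware stored.
   Returns a vector of {:email :primary :verified :visibility} maps."
  [token]
  (:body (http/get "https://api.github.com/user/emails"
                   {:headers {"Authorization" (str "Bearer " token)
                              "Accept"        "application/vnd.github+json"}
                    :as :json})))

(defn primary-verified-email
  "Only trust an address GitHub has verified; prefer the primary one."
  [emails]
  (->> emails
       (filter :verified)
       (sort-by (complement :primary)) ; primary sorts first
       first
       :email))

(defn upsert-user!
  "Hypothetical persistence hook (assumption, not part of ring-oauth2):
   replace with the application's real users-table insert/update."
  [email token-map]
  (println "upserting" email "token expires" (:expires token-map))
  {:email email})

(defn expired?
  "GitHub tokens carry no :expires; Google's and Facebook's do (Joda
   DateTime in the version this issue discusses)."
  [token-map]
  (when-let [^org.joda.time.DateTime expires (:expires token-map)]
    (.isBeforeNow expires)))

(defn github-landing
  "Handler for :landing-uri. It runs only after the middleware has traded
   the ?code= on the redirect URI for a token and put it in the session,
   which is why post-processing lives here and not on a callback route."
  [request]
  (let [token-map (get-in request [:oauth2/access-tokens :github])
        token     (:token token-map)]
    (if (or (nil? token) (expired? token-map))
      ;; not authenticated, or session lost or stale: start the flow again
      (resp/redirect (:launch-uri github-profile))
      (if-let [email (primary-verified-email (fetch-github-emails token))]
        (do (upsert-user! email token-map)
            (-> (resp/response (str "Signed in as " email))
                (resp/content-type "text/plain")))
        (-> (resp/response "No verified email on this GitHub account")
            (resp/status 403))))))

(defn router [request]
  (case (:uri request)
    "/auth/github/landing" (github-landing request)
    (resp/not-found "not found")))

;; Order matters: wrap-oauth2 must sit inside wrap-session (it reads and
;; writes the session) and inside wrap-params (it reads ?code= and ?state=
;; on the callback). With -> the outermost wrapper runs first on a request.
(def app
  (-> router
      (wrap-oauth2 {:github github-profile})
      wrap-params
      wrap-session))
```

Because the token lives in the Ring session, use a server-side session store in production rather than the default cookie store, and keep the landing handler idempotent: a user who reloads the landing page reaches it again with the same session token, so `upsert-user!` must tolerate being called twice for the same account.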

OK cool. Many thanks!!