truqu / elm-oauth2
OAuth 2.0 client-side utils in Elm
License: MIT License
I'm writing an app that uses elm-oauth to connect to YouTube. I want to persist the token in localStorage so if the user refreshes the page, they don't lose their token. At the moment I can access this token for storage using `showToken`, but I can't convert a token string back into a token afterwards.
If I wrote a patch for this, would you accept it?
Would you be able to extract the claims from the id_token?
See specification here: https://auth0.com/docs/tokens/id-token
This might be of some help to decode, but doesn't seem to return claims at this stage. http://package.elm-lang.org/packages/ktonon/elm-jsonwebtoken/1.0.2/JsonWebToken
Hi truqu!
We have been using your elm-oauth2 with great success in our project at work. However when upgrading to Elm 0.19 and elm-oauth2 4.0 we ran into some trouble. I have traced the problem to the function OAuth.tokenFromString which creates a token when the case ("Bearer", t) holds. However, our Keycloak IDP is sending AuthenticationSuccess using the smallcap "bearer" instead of initcap "Bearer". This made the token creation fail.
According to spec (https://tools.ietf.org/html/rfc6749#section-4.2.2) token type should be case insensitive. My suggestion for a new tokenFromString function:
```elm
tokenFromString : String -> Maybe Token
tokenFromString str =
    -- Compare the "Bearer " prefix (7 characters, including the separating space)
    -- case-insensitively, as RFC 6749 requires for token_type.
    case ( String.toLower (String.left 7 str), String.dropLeft 7 str ) of
        ( "bearer ", t ) ->
            Just (Bearer t)

        _ ->
            Nothing
```
Keep up the good work!
Best regards
Vidar Evenrud Seeberg
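As an added example (JavaScript, not elm-oauth2's own code), here is the same case-insensitive token_type handling written as a small parser for the implicit-grant redirect fragment; it also rejects a response that carries no token_type at all. All inputs are constructed.

```javascript
// Added example, not elm-oauth2 code: token_type must be compared
// case-insensitively (RFC 6749), so "bearer", "Bearer" and "BEARER" all
// produce a bearer token.
function tokenFromParts(tokenType, accessToken) {
  if (typeof tokenType !== "string" || typeof accessToken !== "string") return null;
  if (accessToken === "") return null;
  if (tokenType.toLowerCase() !== "bearer") return null;
  return { kind: "Bearer", value: accessToken };
}

// Counterpart of the Elm tokenFromString: "<type> <token>" with any case.
function tokenFromString(str) {
  const m = /^(\S+) (.+)$/.exec(str);
  return m ? tokenFromParts(m[1], m[2]) : null;
}

// Parse an implicit-grant redirect fragment such as
// "#access_token=...&token_type=bearer&expires_in=3600&state=...".
// A provider that omits token_type (as some do) yields ok: false rather
// than a token of unknown type.
function parseImplicitFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  const token = tokenFromParts(params.get("token_type"), params.get("access_token"));
  if (token === null) {
    return { ok: false, error: "missing access_token or unsupported token_type" };
  }
  const rawExpires = params.has("expires_in") ? Number(params.get("expires_in")) : NaN;
  return {
    ok: true,
    token,
    expiresIn: Number.isFinite(rawExpires) ? rawExpires : null,
    scope: params.has("scope") ? params.get("scope").split(" ").filter(Boolean) : [],
    state: params.get("state"), // null when the provider did not echo it back
  };
}
```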
Can you please update truqu/elm-base64
I'm using this package and want to use elm-jwt which also uses elm-base64 but in a newer version. So they clash and I can't install it to my elm-package.json
"truqu/elm-base64": "2.0.0 <= v < 3.0.0"
https://github.com/simonh1000/elm-jwt/blob/5.3.0/elm-package.json
The README (and hence doc on elm-packages) is a bit confusing since it says "FOR CONFIDENTIAL CLIENTS" for the code/PKCE grant whereas it is recommended for use by all clients, especially public ones (non-public clients are protected to some extent since they must authenticate to the token endpoint).
It's intended that in future versions, PKCE will be required for the authorization code grant and the implicit and resource owner grants will be dropped from the spec.
Hi, I have tried to use your google auth example from examples but I am getting:
```
Error: Problem with the flags given to your Elm program on initialization.
Json.Decode.oneOf failed in the following 2 ways:
(1) Problem with the given value:
undefined
Expecting null
(2) Problem with the given value:
undefined
Expecting a LIST
```
Elm version: 0.19.1
Build is failing with:
Dependency problem!
-- CORRUPT PACKAGE DATA --------------------------------------------------------
I downloaded the source code for ivadzy/bbase64 1.1.1 from:
https://github.com/ivadzy/bbase64/zipball/1.1.1/
But it looks like the hash of the archive has changed since publication:
Expected: 5ffd9a4d21ec0e3ac0eab3ed07e7c97832b04b98
Actual: fba597639f122a3e9eb5db876f73d191c2f0a6c7
This usually means that the package author moved the version tag, so report it
to them and see if that is the issue. Folks on Elm slack can probably help as
well.
Echoing #5 and #4, it would come in handy to be able to specify some custom parameters for the query of the authorize function. This could be achieved via a:
authorizeWithOpts :: (QueryString -> QueryString) -> Authorize -> Command msg
There's also probably some work that can be done to leverage the parse functions from the Implicit and AuthorizationCode modules.
According to
the token response data must (could?) contain an ID Token (id_token).
It seems to me that this is not actually supported in AuthenticationSuccess:
```elm
type alias AuthenticationSuccess =
    { token : Token
    , refreshToken : Maybe Token
    , expiresIn : Maybe Int
    , scope : List String
    }
```
Having spent the last few months fumbling around OpenID Connect / OAuth2 on a variety of native and mobile apps, I've discovered the IETF now strongly recommend authorization code flow with PKCE, over implicit flow. This is specified on their website: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02
I've only just started learning Elm so am unable to offer a PR in the short term, but am happy to help out, and possibly offer one over the coming months.
Hello, I'd like to know if it is actually recommended to run the OAuth Web Flow on the client side, like this package allows? Doesn't the Authorization Code Flow obligate the client secret to be on the client side, thus much more easily found out?
Probably it even has to be hard-coded into the app, since Env Vars cannot be used, right?
I was thinking about using this package, but I fail to see how this can be feasible from a security standpoint. I'd like some help in understanding this!
I tried two ways of doing a refresh flow in my application.
First one, using `Task.andThen` and `Task.onError`, I wanted to attempt a request, refresh if the request failed with 401 and retry the request afterwards with the new token, and this would ideally only require one update cycle because the task would do all these things in one go behind the scenes, but I couldn't because `makeTokenRequest` required a message, and didn't return a `Task` or something that I could turn into a `Task`, so I couldn't make a reusable request wrapper.
The second way was to receive the `expiresIn`, schedule a new refresh in that time, and calculate `expiresAt` using `expiresIn` and `Time.now` and store this info in Local Storage so I know if I have to refresh when opening the app. Ideally I would use `Task.map2` to combine the result of the refresh request with the result of `Time.now`, and then store it, however, `makeTokenRequest` is not a `Task` so I cannot do this, so I have to handle the result of `Time.now` into a separate update cycle, which makes this less reusable as well.
In both cases, I felt that requiring `toMsg` and not returning a `Task` made this impossible to compose, which would be very useful. Maybe there is a way I don't know of yet, so I am open to ideas, but I would like to know your opinion about this request.
When using version 7.0.0, everything works as expected, except the value of `state` is always `Nothing`.
The query-string contains a param named `state`.
All the other strings are parsed.
Debug.log of the success-object:
success: { expiresIn = Just 3600, refreshToken = Nothing, scope = [""], state = Nothing, token = Bearer "eyJ0eX..." }
What am I missing? I looked at the implementation and that looks fine to me.
Thanks for any pointers.
In `makeTokenRequestWith`, `credentials.secret` is never copied to the body, which I assume should happen.
I get the oauth failure using elm-oauth2 authorizationCode example on strava.com oauth flow.
Debugging using browser development tools shows client_secret is missing, despite specified in Elm code.
elm install truqu/elm-oauth2
Here is my plan:
Add:
truqu/elm-base64 2.0.4
truqu/elm-oauth2 4.0.0
Would you like me to update your elm.json accordingly? [Y/n]: y
Starting downloads...
✗ truqu/elm-oauth2 4.0.0
-- HTTP PROBLEM ----------------------------------------------------------------
The following HTTP request failed:
<https://github.com/truqu/elm-oauth2/zipball/4.0.0/>
Here is the error message I was able to extract:
Looks like a missing tag for 4.0.0?
Hi. Getting to grips with this code, with the aim of connecting my Elm app to Strava (popular with runners and cyclists, you may know). I am using OAuth.AuthorizationCode and getting as far as requesting a token. I am supplying my client secret in `getAccessToken`:
```elm
getAccessToken : Configuration -> Url -> OAuth.AuthorizationCode -> Cmd OAuthMsg
getAccessToken { clientId, tokenEndpoint } redirectUri code =
    Http.request <|
        OAuth.makeTokenRequest GotAccessToken
            { credentials =
                { clientId = clientId
                , secret = Just StravaClientSecret.clientSecret
                }
            , code = code
            , url = tokenEndpoint
            , redirectUri = redirectUri
            }
```
but Strava's response is
```json
{
  "message": "Bad Request",
  "errors": [
    {
      "resource": "Application",
      "field": "client_secret",
      "code": "invalid"
    }
  ]
}
```
Looking at your code, it seems to append the secret to the id :.
What am I missing? Could I just append another field to the url?
Pete Ward
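Both the report above ("the secret appended to the id") and the earlier one about `credentials.secret` never reaching the body come down to the two client-authentication forms RFC 6749 §2.3.1 allows at the token endpoint: an HTTP Basic header built from `id:secret`, or `client_secret` as a form parameter, which some providers only accept. This added example (JavaScript, not elm-oauth2's own code) builds a token request either way; the credentials and URLs are constructed placeholders.

```javascript
// Added example, not elm-oauth2 code. Builds an authorization_code token
// request with the client secret either in an HTTP Basic header
// (RFC 6749 §2.3.1 default) or in the form body (the alternative the same
// section permits). Credentials below are constructed placeholders.

// application/x-www-form-urlencoded body, skipping absent parameters
// (e.g. code_verifier when PKCE is not in use, client_secret for public clients).
function encodeForm(params) {
  const qs = new URLSearchParams();
  for (const [k, v] of Object.entries(params)) {
    if (v !== undefined && v !== null) qs.set(k, String(v));
  }
  return qs.toString();
}

// RFC 6749 §2.3.1: form-encode client_id and client_secret individually,
// then base64 the "id:secret" pair. A ':' inside the secret therefore
// becomes %3A and cannot be confused with the separator.
function basicAuthHeader(clientId, secret) {
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(secret)}`;
  return "Basic " + Buffer.from(pair, "utf8").toString("base64");
}

function buildTokenRequest(
  { clientId, secret, code, redirectUri, codeVerifier },
  { secretInBody = false } = {}
) {
  const body = {
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: codeVerifier, // present only for PKCE clients
  };
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (secret !== undefined && secret !== null) {
    if (secretInBody) {
      body.client_secret = secret; // what a Strava-style endpoint expects
    } else {
      headers.Authorization = basicAuthHeader(clientId, secret);
    }
  }
  return { headers, body: encodeForm(body) };
}
```

A provider that answers `client_secret: invalid` to a request carrying a correct Basic header is most likely only reading the body form, so flipping `secretInBody` is the first thing to check.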
Hi. This is a question, not a real issue.
I was this morning about to add Komoot authentication to my software, which already has Strava authentication.
It occurs to me that users will often require both (e.g. a route from Komoot and a segment from Strava).
I presume this will require saving any current token locally during the redirects.
My question is about whether this is:
a) not a problem, it just works
b) fine, but I have to use local storage and make sure any tokens loaded from local storage are still valid
c) known to be impossible, don't bother trying.
Your experience and advice would be very welcome before I bang my head against another wall.
Peter
The url Instagram returns does not have a token_type with bearer value; it does not return this param. The url is this: