
elm-oauth2's People

Contributors

elm-review-bot, ktorz, martinsstewart, tamc


elm-oauth2's Issues

Missing function that converts a token string back to an OAuth.Token

I'm writing an app that uses elm-oauth to connect to YouTube. I want to persist the token in localStorage so if the user refreshes the page, they don't lose their token. At the moment I can access this token for storage using showToken, but I can't convert a token string back into a token afterwards.

If I wrote a patch for this, would you accept it?

bearer should be case insensitive

Hi truqu!
We have been using your elm-oauth2 with great success in our project at work. However when upgrading to Elm 0.19 and elm-oauth2 4.0 we ran into some trouble. I have traced the problem to the function OAuth.tokenFromString which creates a token when the case ("Bearer", t) holds. However, our Keycloak IDP is sending AuthenticationSuccess using the smallcap "bearer" instead of initcap "Bearer". This made the token creation fail.
According to spec (https://tools.ietf.org/html/rfc6749#section-4.2.2) token type should be case insensitive. My suggestion for a new tokenFromString function:

```elm
tokenFromString : String -> Maybe Token
tokenFromString str =
    case ( String.toLower (String.left 6 str), String.dropLeft 7 str ) of
        ( "bearer", t ) ->
            Just (Bearer t)

        _ ->
            Nothing
```

Keep up the good work!
Best regards
Vidar Evenrud Seeberg

Recommend PKCE for all clients

The README (and hence doc on elm-packages) is a bit confusing since it says "FOR CONFIDENTIAL CLIENTS" for the code/PKCE grant whereas it is recommended for use by all clients, especially public ones (non-public clients are protected to some extent since they must authenticate to the token endpoint).

It's intended that in future versions, PKCE will be required for the authorization code grant and the implicit and resource owner grants will be dropped from the spec.

Initialization Error

Hi, I have tried to use your google auth example from examples but I am getting:

```text
Error: Problem with the flags given to your Elm program on initialization.

Json.Decode.oneOf failed in the following 2 ways:

(1) Problem with the given value:

undefined

Expecting null

(2) Problem with the given value:

undefined

Expecting a LIST
```

Elm version: 0.19.1

Build failure due to its dependency ivadzy/bbase64 1.1.1

Build is failing with:
```text
Dependency problem!
-- CORRUPT PACKAGE DATA --------------------------------------------------------

I downloaded the source code for ivadzy/bbase64 1.1.1 from:

https://github.com/ivadzy/bbase64/zipball/1.1.1/

But it looks like the hash of the archive has changed since publication:

Expected: 5ffd9a4d21ec0e3ac0eab3ed07e7c97832b04b98
Actual: fba597639f122a3e9eb5db876f73d191c2f0a6c7

This usually means that the package author moved the version tag, so report it
to them and see if that is the issue. Folks on Elm slack can probably help as
well.
```

Make `authorize` more lenient

Echoing #5 and #4, it would come in handy to be able to specify some custom parameters for the query of the authorize function. This could be achieved via a:

```elm
authorizeWithOpts :: (QueryString -> QueryString) -> Authorize -> Command msg
```

There's also probably some work that can be done to leverage the parse functions from the Implicit and AuthorizationCode modules.

Add support for ID Token in token response for Authorization Code Flow with PKCE

According to

https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce

the token response data must (could?) contain an ID Token (id_token).

It seems to me that this is not actually supported in AuthenticationSuccess:

```elm
type alias AuthenticationSuccess =
    { token : Token
    , refreshToken : Maybe Token
    , expiresIn : Maybe Int
    , scope : List String
    }
```
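The three token-handling issues on this page ("Missing function that converts a token string back to an OAuth.Token", "bearer should be case insensitive", and the ID Token request above) all concern the same small parser. The following is an added Python example written for this page, not elm-oauth2's Elm code: it serialises a token for storage and parses it back, compares the token type case-insensitively as RFC 6749 requires, and carries an optional `id_token` in the success record. The names `Token`, `AuthenticationSuccess`, `show_token`, `token_from_string` and `parse_token_response` are chosen here, and the sample response is constructed.

```python
"""Token handling for an OAuth 2.0 client: serialise a token for storage,
parse it back (token type compared case-insensitively, RFC 6749 section 5.1),
and decode a token-endpoint response that may carry an OpenID Connect
id_token.  Added example for this page; not elm-oauth2's own code."""
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Token:
    token_type: str  # stored lower-cased, so "Bearer" and "bearer" are the same type
    value: str


def show_token(token: Token) -> str:
    """Serialise as 'Bearer <value>' for localStorage or a session store."""
    return f"{token.token_type.title()} {token.value}"


def token_from_string(text: str) -> Optional[Token]:
    """Inverse of show_token.  Any capitalisation of 'bearer' is accepted;
    other token types and empty values are rejected rather than guessed."""
    parts = text.strip().split(None, 1)
    if len(parts) != 2:
        return None
    kind, value = parts
    if kind.lower() != "bearer" or not value:
        return None
    return Token("bearer", value)


@dataclass(frozen=True)
class AuthenticationSuccess:
    token: Token
    refresh_token: Optional[Token] = None
    expires_in: Optional[int] = None
    scope: List[str] = field(default_factory=list)
    # Raw id_token JWT if the server sent one.  Carrying it here does not
    # validate it: signature, issuer, audience and nonce checks are a separate step.
    id_token: Optional[str] = None


class TokenResponseError(ValueError):
    """Raised for error responses and for responses this client cannot use."""


def parse_token_response(body: str) -> AuthenticationSuccess:
    """Decode the JSON body of a successful token request."""
    data = json.loads(body)
    if "error" in data:
        raise TokenResponseError(str(data.get("error_description", data["error"])))
    # token_type is case-insensitive; anything other than bearer is refused,
    # because this client would not know how to present such a token.
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenResponseError(f"unsupported token_type {data.get('token_type')!r}")
    access = data.get("access_token")
    if not isinstance(access, str) or not access:
        raise TokenResponseError("access_token missing")
    refresh = data.get("refresh_token")
    expires = data.get("expires_in")
    id_token = data.get("id_token")
    return AuthenticationSuccess(
        token=Token("bearer", access),
        refresh_token=Token("bearer", refresh) if isinstance(refresh, str) and refresh else None,
        expires_in=int(expires) if expires is not None else None,
        scope=str(data.get("scope", "")).split(),
        id_token=id_token if isinstance(id_token, str) and id_token else None,
    )


# Constructed sample: a Keycloak-style response with a lower-case token_type
# and an id_token (the JWT values are placeholders, not real tokens).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eX.access.placeholder",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "openid profile",
    "id_token": "eyJ0eX.id.placeholder",
})

if __name__ == "__main__":
    success = parse_token_response(SAMPLE_RESPONSE)
    stored = show_token(success.token)
    print(stored, token_from_string(stored) == success.token, success.id_token)
```

Refusing unknown token types is deliberate: silently returning `None` for `"bearer"` was the bug in the Keycloak report, but silently accepting an unknown type would be the opposite mistake.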

IETF recommendation for SPAs: OAuth 2.0 authorization code flow with PKCE

Having spent the last few months fumbling around OpenID Connect / OAuth2 on a variety of native and mobile apps, I've discovered the IETF now strongly recommend authorization code flow with PKCE, over implicit flow. This is specified on their website: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02

I've only just started learning Elm so am unable to offer a PR in the short term, but am happy to help out, and possibly offer one over the coming months.
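Both this issue and "Recommend PKCE for all clients" above point at the same mechanism, RFC 7636. The following is an added Python example for this page, not elm-oauth2's code: it generates a `code_verifier`, derives the S256 `code_challenge` sent with the authorization request, and shows the check the token endpoint performs when the code is redeemed. Function names are chosen here; the test vector is the one in RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) for a public client: create the code_verifier, derive the
S256 code_challenge sent with the authorization request, and the check the
token endpoint performs when the code is redeemed.  Added example for this
page; not elm-oauth2's code.  Function names are chosen here."""
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 characters, the RFC 7636 minimum length.
    The verifier stays in the client (e.g. sessionStorage) until the token request."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id: str, redirect_uri: str, scope: str,
                         state: str, verifier: str) -> dict:
    """Query parameters for the authorization request (response_type=code)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding, checked by the client on redirect
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it with the one that
    arrived with the authorization request.  An intercepted code is useless
    without the verifier, which never crossed the front channel."""
    if stored_method != "S256":          # 'plain' gives no protection; refuse it
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


# Test vector from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    v = make_code_verifier()
    params = authorization_params("my-client", "https://app.example/callback",
                                  "openid", secrets.token_urlsafe(16), v)
    print(params["code_challenge"], server_verifies(params["code_challenge"], "S256", v))
```

This is why PKCE is the recommendation for browser apps: nothing secret has to be embedded in the client, and a code that leaks through the redirect cannot be exchanged by anyone who does not also hold the verifier.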

Security of this package (and overall idea)

Hello, I'd like to know if it is actually recommended to run the OAuth Web Flow on the client side, like this package allows? Doesn't the Authorization Code Flow obligate the client secret to be on the client side, thus much more easily found out?

Probably it even has to be hard-coded into the app, since Env Vars cannot be used, right?

I was thinking about using this package, but I fail to see how this can be feasible from a security standpoint. I'd like some help in understanding this!

Add `makeTokenRequest` version that doesn't require toMsg as a parameter and returns a Task instead

I tried two ways of doing a refresh flow in my application.

First one, using Task.andThen and Task.onError, I wanted to attempt a request, refresh if the request failed with 401 and retry the request afterwards with the new token, and this would ideally only require one update cycle because the task would do all these things in one go behind the scenes, but I couldn't because makeTokenRequest required a message, and didn't return a Task or something that I could turn into a Task, so I couldn't make a reusable request wrapper.

The second way was to receive the expiresIn, schedule a new refresh in that time, and calculate expiresAt using expiresIn and Time.now and store this info in Local Storage so I know if I have to refresh when opening the app. Ideally I would use Task.map2 to combine the result of the refresh request with the result of Time.now, and then store it, however, makeTokenRequest is not a Task so I cannot do this, so I have to handle the result of Time.now into a separate update cycle, which makes this less reusable as well.

In both cases, I felt that requiring toMsg and not returning a Task made this impossible to compose, which would be very useful. Maybe there is a way I don't know of yet, so I am open to ideas, but I would like to know your opinion about this request.

State of OAuth.Implicit.Success is Nothing

When using version 7.0.0, everything works as expected, except the value of state is always Nothing.
The query-string contains a param named state.
All the other strings are parsed.

Debug.log of the success-object:

```elm
success: { expiresIn = Just 3600, refreshToken = Nothing, scope = [""], state = Nothing, token = Bearer "eyJ0eX..." }
```

What am I missing? I looked at the implementation and that looks fine to me.
Thanks for any pointers.
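The `state` value in the report above is the one the client is supposed to compare against what it generated before redirecting; a success record with `state = Nothing` cannot be bound to the request that produced it. The following is an added Python example for this page, not elm-oauth2's parser: it reads the implicit-grant redirect fragment (RFC 6749 section 4.2.2) and accepts the token only when the returned state matches the expected one. Names are chosen here and the sample redirect URL is constructed.

```python
"""Parse the implicit-grant redirect (RFC 6749 section 4.2.2), where the
authorization server puts access_token, token_type, expires_in, scope and
state in the URL fragment, and accept the result only when the returned state
equals the one generated before the redirect.  Added example for this page;
not elm-oauth2's parser.  Names are chosen here."""
import hmac
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class ImplicitSuccess:
    access_token: str
    expires_in: Optional[int]
    scope: List[str]
    state: Optional[str]


def parse_implicit_redirect(url: str) -> Optional[ImplicitSuccess]:
    """Return the success record carried in the fragment, or None if the
    fragment does not hold a bearer token.  The query string is ignored on
    purpose: the spec places the implicit response in the fragment so the
    token never reaches the server hosting the redirect page."""
    frag = urlsplit(url).fragment
    if not frag:
        return None
    params = parse_qs(frag, keep_blank_values=True)

    def first(key: str) -> Optional[str]:
        return params.get(key, [None])[0]

    token, token_type = first("access_token"), first("token_type")
    if not token or not token_type or token_type.lower() != "bearer":
        return None
    expires = first("expires_in")
    return ImplicitSuccess(
        access_token=token,
        expires_in=int(expires) if expires and expires.isdigit() else None,
        scope=(first("scope") or "").split(),
        state=first("state"),
    )


def accept_redirect(url: str, expected_state: str) -> Optional[ImplicitSuccess]:
    """Bind the response to the request: a missing or different state means
    the redirect was not initiated by this client (or the state was lost),
    and the token must not be adopted."""
    result = parse_implicit_redirect(url)
    if result is None or result.state is None:
        return None
    if not hmac.compare_digest(result.state, expected_state):
        return None
    return result


# Constructed redirect URL with a placeholder token value.
SAMPLE_REDIRECT = ("https://app.example/callback"
                   "#access_token=eyJ0eX.placeholder&token_type=Bearer"
                   "&expires_in=3600&scope=&state=xyz123")

if __name__ == "__main__":
    print(accept_redirect(SAMPLE_REDIRECT, "xyz123"))
```

If the provider returns the state somewhere other than the fragment, a fragment-only parser like this one will report it as missing, which is the symptom worth checking first when `state` comes back empty while every other field parses.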

Credentials secret don't make it to the token request body

In makeTokenRequestWith credentials.secret is never copied to the body, which I assume should happen.

I get the oauth failure using elm-oauth2 authorizationCode example on strava.com oauth flow.
Debugging using browser development tools shows client_secret is missing, despite specified in Elm code.

Unable to install version 4.0

```text
/elm install truqu/elm-oauth2                                                                                                         ✘ 1
Here is my plan:

  Add:
    truqu/elm-base64    2.0.4
    truqu/elm-oauth2    4.0.0

Would you like me to update your elm.json accordingly? [Y/n]: y
Starting downloads...

  ✗ truqu/elm-oauth2 4.0.0

-- HTTP PROBLEM ----------------------------------------------------------------

The following HTTP request failed:

    <https://github.com/truqu/elm-oauth2/zipball/4.0.0/>

Here is the error message I was able to extract:

    HttpExceptionRequest Request { host = "codeload.github.com" port = 443
    secure = True requestHeaders =
    [("Cookie","logged_in=no"),("User-Agent","elm/0.19.0"),("Accept-Encoding","gzip")]
    path = "/truqu/elm-oauth2/legacy.zip/4.0.0" queryString = "" method = "GET"
    proxy = Nothing rawBody = False redirectCount = 10 responseTimeout =
    ResponseTimeoutDefault requestVersion = HTTP/1.1 } (StatusCodeException
    (Response {responseStatus = Status {statusCode = 404, statusMessage = "Not
    Found"}, responseVersion = HTTP/1.1, responseHeaders =
    [("Content-Length","15"),("Access-Control-Allow-Origin","https://render.githubusercontent.com"),("Content-Security-Policy","default-src
    'none'; style-src 'unsafe-inline';
    sandbox"),("Strict-Transport-Security","max-age=31536000"),("Vary","Authorization,Accept-Encoding"),("X-Content-Type-Options","nosniff"),("X-Frame-Options","deny"),("X-XSS-Protection","1;
    mode=block"),("Date","Sat, 08 Sep 2018 11:59:25
    GMT"),("X-GitHub-Request-Id","E6CC:3685:3A5F44:794A6E:5B93B99D")],
    responseBody = (), responseCookieJar = CJ {expose = [Cookie {cookie_name =
    "logged_in", cookie_value = "no", cookie_expiry_time = 3018-01-09 00:00:00
    UTC, cookie_domain = "github.com", cookie_path = "/", cookie_creation_time =
    2018-09-08 11:59:25.167575202 UTC, cookie_last_access_time = 2018-09-08
    11:59:25.167716784 UTC, cookie_persistent = False, cookie_host_only = False,
    cookie_secure_only = True, cookie_http_only = True},Cookie {cookie_name =
    "_gh_sess", cookie_value =
    "dTNRUFJ3Zi9jemtzRHo4d0FtRm8raGRpU1J1SjZHbklxM3dXQWhOazkxN2xXVXBJK2U1UDF3cXZPSkFNazlBZWprNE8xNjRmZlpkSVJ1c0RsOGhpYmJ1L2JvZXU1TzI5SGQ1bGw2cmE5c0xkRDlPT25FS0JoTEVMRGQ5b1E0K1VKUjJjSmt0Y2ZLd29CcHhPZEIrWjhQRHYvaC8zTVE4YXlUdUQ0UE81VjlNTmgxdXhCcDVkSlBVZzVUclJGQmxlRHFHcHVJdkwyVTkzcnoyL0VnRVlkZz09LS1EQ0xRTUY3VXBjMnM5WWo4TloydG1nPT0%3D--098a9e1b85bab3cd35eb8d83c49f29cf896c9f38",
    cookie_expiry_time = 3018-01-09 00:00:00 UTC, cookie_domain = "github.com",
    cookie_path = "/", cookie_creation_time = 2018-09-08 11:59:25.167575202 UTC,
    cookie_last_access_time = 2018-09-08 11:59:25.167575202 UTC,
    cookie_persistent = False, cookie_host_only = True, cookie_secure_only =
    True, cookie_http_only = True},Cookie {cookie_name = "has_recent_activity",
    cookie_value = "1", cookie_expiry_time = 3018-01-09 00:00:00 UTC,
    cookie_domain = "github.com", cookie_path = "/", cookie_creation_time =
    2018-09-08 11:59:25.167575202 UTC, cookie_last_access_time = 2018-09-08
    11:59:25.167575202 UTC, cookie_persistent = False, cookie_host_only = True,
    cookie_secure_only = False, cookie_http_only = False}]}, responseClose' =
    ResponseClose}) "404: Not Found\n")
```

Looks like a missing tag for 4.0.0?

Strava asking for 'client_secret' field

Hi. Getting to grips with this code, with the aim of connecting my Elm app to Strava (popular with runners and cyclists, you may know). I am using OAuth.AuthorizationCode and getting as far as requesting a token. I am supplying my client secret in getAccessToken

```elm
getAccessToken : Configuration -> Url -> OAuth.AuthorizationCode -> Cmd OAuthMsg
getAccessToken { clientId, tokenEndpoint } redirectUri code =
    Http.request <|
        OAuth.makeTokenRequest GotAccessToken
            { credentials =
                { clientId = clientId
                , secret = Just StravaClientSecret.clientSecret
                }
            , code = code
            , url = tokenEndpoint
            , redirectUri = redirectUri
            }
```

but Strava's response is

```json
{
    "message": "Bad Request",
    "errors": [
        {
            "resource": "Application",
            "field": "client_secret",
            "code": "invalid"
        }
    ]
}
```

Looking at your code, it seems to append the secret to the id :.
What am I missing? Could I just append another field to the url?

Pete Ward
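This report and "Credentials secret don't make it to the token request body" above describe the same mismatch: RFC 6749 section 2.3.1 allows a client to authenticate to the token endpoint either with an HTTP Basic `Authorization` header (client_id and secret joined by `:`, which is what "append the secret to the id" refers to) or with `client_id` and `client_secret` in the form body, and Strava only recognises the second. The following is an added Python example for this page, not elm-oauth2's code; it builds the request both ways and sends nothing. Function names and sample values are chosen here.

```python
"""Client authentication at the token endpoint (RFC 6749 section 2.3.1):
HTTP Basic with client_id:client_secret, or client_secret in the form body.
Added example for this page; not elm-oauth2's code.  Builds the request
only; nothing is sent."""
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode


def basic_auth_header(client_id: str, secret: str) -> str:
    # Both halves are form-urlencoded before base64 (RFC 6749 section 2.3.1),
    # so a ':' or '%' inside a secret survives the round trip.
    userpass = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """What the server does with the header; used here to check the round trip."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(b64).decode("ascii").partition(":")
    return unquote(user), unquote(password)


def build_token_request(code: str, redirect_uri: str, client_id: str,
                        secret: Optional[str] = None,
                        secret_in_body: bool = False) -> Tuple[Dict[str, str], str]:
    """Headers and form-encoded body for the authorization_code token request.
    With secret_in_body=False the secret travels in the Authorization header;
    with secret_in_body=True it is a body field, which is what Strava expects."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if secret is not None:
        if secret_in_body:
            body["client_secret"] = secret
        else:
            headers["Authorization"] = basic_auth_header(client_id, secret)
    return headers, urlencode(body)


def client_secret_in_body(body: str) -> Optional[str]:
    """Return the client_secret field of a form-encoded body, or None."""
    values = parse_qs(body).get("client_secret")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed values; the code and secret are placeholders.
    for in_body in (False, True):
        headers, body = build_token_request("CODE-placeholder", "https://app.example/cb",
                                            "my-client", "secret-placeholder", in_body)
        print(headers.get("Authorization"), client_secret_in_body(body))
```

Either form only makes sense for a confidential client: whichever place the secret is put, a browser app that ships it can be read by anyone who loads the app, which is the concern raised in "Security of this package" and the reason the PKCE recommendation earlier on this page applies to public clients.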

Can I have two systems authenticated at the same time?

Hi. This is a question, not a real issue.

I was this morning about to add Komoot authentication to my software, which already has Strava authentication.
It occurs to me that users will often require both (e.g. a route from Komoot and a segment from Strava).
I presume this will require saving any current token locally during the redirects.

My question is about whether this is:
a) not a problem, it just works
b) fine, but I have to use local storage and make sure any tokens loaded from local storage are still valid
c) known to be impossible, don't bother trying.

Your experience and advice would be very welcome before I bang my head against another wall.

Peter
