Linking to BeWelcome with oAuth
Heya!
Would you guys be interested in adding oAuth to BW? I'd like to have verified links to BW profiles from @trustroots profiles.
Right now I'm simply asking for BW username and forming a link from it:

Output:

Maybe in the future this could be developed towards something where changing hosting status at one site changes it at all the other hospex sites as well...
Upon the same topic at WS: https://github.com/warmshowers/Warmshowers.org/issues/716
The BoD spoke out positively about this idea in the meeting of September 2015, as long as it's not too much of a hassle to implement.
Just adding these here —
Symfony:
- https://github.com/authbucket/oauth2-symfony-bundle
- https://github.com/FriendsOfSymfony/FOSOAuthServerBundle
Barebone PHP:
- https://github.com/thephpleague/oauth2-server
- https://github.com/bshaffer/oauth2-server-php
- http://php.net/manual/en/class.oauthprovider.php
;-)
I noticed this will be discussed again on Sunday. Some food for thought why BW should have oauth:
- People can then build features on top of BW that BW doesn’t have. It’s an easy way to demo or iterate new features without needing to build them into core.
- It’s a good beginning point for an API, which then eventually would invite anyone to build native mobile apps for BeWelcome. Adding oauth would be an open invitation for volunteers to improve and extend it by building an API around it. Authentication is the first logical step for an API. By the way, TR will have a mobile app soon. That was possible only because we published an API and thus two volunteers stepped up and started working on the app. Warmshowers and CS of course already have mobile apps.
- It's free advertising for BW on other platforms, which would be allowed to confirm BW profiles using oauth.
Some less technical material to help to understand what oauth is:
- https://blog.varonis.com/introduction-to-oauth/
- https://stormpath.com/blog/what-the-heck-is-oauth
- https://aaronparecki.com/2012/07/29/2/oauth2-simplified
- https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
- https://www.oauth.com/
Some quite technical materials to understand “authorization code” grant method, which is the most common and probably most suitable for BW, too:
- Client example in PHP for “authorization code” method.
- RFC Spec: see “1.3.1. Authorization Code”
- To dive into details of the flow, read section 4.1
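The client side of the "authorization code" grant mentioned above (RFC 6749, section 4.1), as an added example that is not code from BeWelcome, Trustroots or anyone in this thread. The endpoint URL, client id, redirect URI, scope name and function names are hypothetical; it shows the `state` check that binds the callback to the session that started the flow, and makes no network calls.

```php
<?php
// Hypothetical endpoint, client id and redirect URI; BW has no OAuth server yet.
const AUTHORIZE_URL = 'https://bewelcome.example/oauth/authorize';
const CLIENT_ID     = 'linking-site-demo';
const REDIRECT_URI  = 'https://client.example/oauth/bw/callback';

// Authorization request (RFC 6749, 4.1.1); state ties the callback to this session.
function buildAuthorizationRequest(array &$session): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'profile', // hypothetical scope name
        'state'         => $session['oauth_state'],
    ], '', '&', PHP_QUERY_RFC3986);
}

// Authorization response (4.1.2); returns the token request fields (4.1.3).
function handleCallback(array $query, array &$session): array
{
    $expected = $session['oauth_state'] ?? '';
    unset($session['oauth_state']); // single use: a replayed callback fails
    $state = $query['state'] ?? '';
    if ($expected === '' || !is_string($state) || !hash_equals($expected, $state)) {
        throw new RuntimeException('state mismatch');
    }
    if (isset($query['error'])) { // 4.1.2.1, e.g. access_denied
        throw new RuntimeException('authorization was not granted');
    }
    $code = $query['code'] ?? '';
    if (!is_string($code) || $code === '') {
        throw new RuntimeException('missing authorization code');
    }
    return [
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => REDIRECT_URI, // must equal the value sent in 4.1.1
        'client_id'    => CLIENT_ID,    // a confidential client also authenticates
    ];
}

// Constructed run: one valid callback, then the same callback replayed.
$session = [];
echo buildAuthorizationRequest($session), "\n";
$callback = ['code' => 'constructed-code-123', 'state' => $session['oauth_state']];
print_r(handleCallback($callback, $session));
try { handleCallback($callback, $session); } catch (RuntimeException $e) { echo 'replay rejected: ', $e->getMessage(), "\n"; }
```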
Hi folks,
Just saw this issue, is it still relevant? I'm not sure BW already has any OAuth server. I would be happy to work on it. As @simison suggested, it would be a good beginning point to migrate to an API.
The PHP League is about to release a Symfony bundle for its OAuth server (end of August, I guess); it could be a good implementation: https://github.com/thephpleague/oauth2-server-bundle
About the API, I suggest API Platform. I'm a core-team member, and could help to implement it properly in BW.
The API approach would definitely improve this project:
- reduce technical debt by migrating some features to API, step by step, and finally remove the oldest code
- add a complete testing strategy: unit tests, integration tests, end-to-end tests, performance tests
- improve website performance, by using a JavaScript front app, and take part of the HTTP cache
- increase HTTP requests by using HTTP/2, then HTTP/3 (thanks to Vulcain)
- allow building a mobile app
- introduce push notifications (thanks to Mercure)
- open the BW project to others (for example: TrustRoots)
What do you think @amnesiac84 @thisismeonmounteverest ? If you're interested, how can we plan a roadmap for it?
@vincentchalamon I'd be happy to see this done.
Regarding the roadmap, we should focus on the needs of a possible app: Profiles, Search as an MVP. New features like the Trips feature should directly be implemented using the API platform.
BTW, if we're using Mercure, we could use a managed version for free as BeVolunteer is a non-profit organization: https://mercure.rocks/pricing