Document social login, access token vs. authorization code
We need to update our documentation of social login, with the following changes:
- We now support access token and authorization code callbacks from the social provider, so we should update the documentation to describe how each can be done, and a little information on why you might choose one over the other.
- We need to describe the new scope options that are available, e.g.
stormpath.web.social.google.scope
I'll just tag along on this issue for social login documentation:
https://docs.stormpath.com/nodejs/express/latest/social_login.html#google-login states that you need to turn on the G+ API; as per testing @robertjd, @bretterer and I did about a month ago, it's no longer needed and we can remove that step from setup.
Note: make sure to document the need to use "postmessage" as the callback URL on the directory provider configuration when using the access token flow for Google.
Is there a reason you want to use postmessage, instead of the actual callback URI? It's been causing problems in Android.
@edjiang the "postmessage" value is used when the client is a JS app in a browser, so it's a particular use case (not a global one). Does that address the concern?
Does the Express SDK use the auth code or javascript (implicit) OAuth flows?
Basically our implementation of Stormpath right now means that the implicit grant type and Android SDK are incompatible. Period.
The Express SDK supports both, and uses auth code in its default login page for all providers except Facebook.
Let me forward you an email I wrote to the customer success team about this issue.
Oh ok, I need to read the earlier thing better. I guess this is just documenting the implicit flow, but the default is still authorization code. I guess that's fine.