Google authentication

Open jeromegn opened this issue 5 years ago • 3 comments

Protect some routes via a 3rd party auth system (in this case: Google.)

We had that with the old platform (sites), pretty sure it would still be useful.

jeromegn avatar Jan 21 '19 21:01 jeromegn

I once made a POC of this sort of thing with Node.js. I'd be willing to share that code if interested.

nprail avatar Jan 22 '19 02:01 nprail

@nprail sure, anything would help. There's probably a lot that won't work since we can't use the Crypto API from Node.js (I'm assuming we'll have to sign some JWTs for Google).

But we already have the sjcl package, which can probably do a lot of what we need until we have a more complete Crypto API (from the Web API).

jeromegn avatar Jan 23 '19 16:01 jeromegn

@jeromegn Here is the code: https://github.com/nprail/static-auth-poc

It was a POC for improving auth on Surge.sh so some things would have to be modified. For example, it doesn't do Google login. It just has a static username and password in it. I think the login server piece of the POC can be completely replaced by an OAuth provider.

This is the basic flow:

  1. The user goes to a password-protected site (e.g. protected.example.com)
  2. The user is redirected to the Login Server and logs in (which redirects to Google or any other provider for login)
  3. The user is redirected back to protected.example.com with the new JWT token stored in a cookie
  4. The JWT token is then used to verify that the user has access to the site

nprail avatar Jan 24 '19 13:01 nprail
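
A sketch of steps 1 and 4 of the flow above, as an added example that is not part of the thread or of the linked POC: the protected site reads the cookie, verifies the JWT, and either serves the request or redirects to the login server. Assumptions: an HS256 secret shared between login server and site, a cookie named `auth`, the `login.example.com` URL and its `return_to` parameter, an `aud` claim carrying the site host, and Node's `crypto` module standing in for whatever HMAC primitive the target runtime provides.

```javascript
const crypto = require("crypto"); // assumption: Node's crypto, used here so the sample runs

const COOKIE = "auth";                          // hypothetical cookie name
const LOGIN_URL = "https://login.example.com/"; // hypothetical login server
const b64url = (data) => Buffer.from(data).toString("base64url");

// Helper so the sample is self-contained: mint an HS256 token (login server side).
function signJwt(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const input = b64url(JSON.stringify(header)) + "." + b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(input).digest();
  return input + "." + b64url(sig);
}

// Returns the claims if the token is valid for this host, otherwise null.
function verifyJwt(token, secret, host, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch { return null; }
  // Pin the algorithm: never let the token's own header choose it (rejects "none").
  if (!header || !claims || header.alg !== "HS256") return null;
  const expected = crypto.createHmac("sha256", secret).update(parts[0] + "." + parts[1]).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null; // expired or no expiry
  if (claims.aud !== host) return null; // token was issued for a different site
  return claims;
}

// Decide what the protected site does with a request: serve it or send it to login.
function authorize(cookieHeader, host, secret, now) {
  const m = new RegExp("(?:^|;\\s*)" + COOKIE + "=([^;]+)").exec(cookieHeader || "");
  const claims = m ? verifyJwt(m[1], secret, host, now) : null;
  if (claims) return { status: 200, user: claims.sub };
  const back = encodeURIComponent("https://" + host + "/");
  return { status: 302, location: LOGIN_URL + "?return_to=" + back };
}
```

When the login server sets the cookie in step 3, marking it `HttpOnly`, `Secure` and `SameSite` keeps the token out of page scripts and off plain-HTTP and cross-site requests.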