With respect, this is yet another library that should be a small piece of open source software rather than a hosted service which I'll probably eventually have to pay for and which is likely to eventually go defunct, requiring me to rewrite my code to use another library. It's useful, but not big and important enough to be its own service. Grump.
Occasionally I wonder whether the mantra to "solve your own problems" when looking for startup ideas is making things harder for ourselves.
We stand on the shoulders of giants, the least we can do is help lift others to that level.
If you were to build a business by implementing other people's cloud based product, be it an OAuth provider, MapBox, Embedly, Mailgun, AWS, etc... the barrier to profitability has been raised significantly. The raw costs remain low, but the costs for even a low number of users is quite high.
Maybe this is just the natural order though. It's never really been possible for the author of a lib to be able to charge, let alone charge on a recurring basis, before.
Interesting. It took me a minute to figure out what you're actually doing here, but once I found the important bit on the page ("Setup your API Keys in OAuth.io"), I can at least be confident this isn't a glaring security concern. :) And yes, that was a legitimate concern when I first looked at it, given how little information is currently available.
While building https://foauth.org/, I had wondered if it'd be possible to do something like this, but it wasn't really my use case so I didn't really pursue it. I was more interested in people just trying to get access to their own data, so I built a solution for that side of things.
Still, I can speak from experience that wrangling 50+ OAuth providers into a single system is hard enough, and trying to provide a unified API to all of them is even harder. I'm not sure how many sites need to support that many sites, but for people like us trying to simplify the API for others, it becomes a pretty big necessity. As it is, https://github.com/gulopine/foauth.org/tree/master/services is something of a living tribute to the differences between the various service providers.
So yeah, I'll be very interested to see where OAuth.io goes, and for anybody else here who just wants to get their own data (but not run your own service), you might also want to checkout https://foauth.org/.
There's no shortage of simple OAuth consumer libraries out there, what I really want to see is a simple way to set up my app as an OAuth _provider_. As far as I know there's nothing out there to make that simple yet.
Or even if there was a simple, detailed guide on what your own OAuth needs to do to be secure - and a basic overview of how to implement it (not language specific, just concept-wise).
Well if you implement OAuth 2 properly, you'll prevent session fixation and hijacking attacks, and with https you will also prevent man-in-the-middle attacks.
The hueniverse guy was one of the people drafting the standard and as far as I can tell he laments that the providers can return a "bearer token" instead of a "mac token". That means the token is sent on every request to the provider, and without https it can be intercepted. But with https everything is fine!
OAuth 1.0 didn't rely on https to prevent MITM attacks an instead used the "mac token" to sign each request to the provider, along with an increasing timestamp/nonce to prevent replay attacks.
I don't know what language you use, but we wrote an open-source Ruby app called Vanilla [1] that acts as a generic OAuth provider. Maybe it can be useful to you, either directly or as an example.
Vanilla is a Sinatra app, exposes a simple API and user database, and the UI is rendered entirely through webhooks. In other words, it's designed to be a headless system that works in concert with a real app, so that the app itself does not need to implement OAuth or indeed the core account handling.
(Some parts, like the ability to sign up by verifying your phone through an SMS code, are very specific to our workflow, but it's intended to be completely generic, so those things can be changed.)
That said, OAuth 2.0 is very simple to implement. It's pretty much entirely encapsulated in oauth.rb, token.rb and authorization.rb, if you want some inspiration.
Sure there is. http://framework.qbix.com does it out for you out of the box. But then again, we haven't launched it yet, so I apologize... but reach out to me if you want early access.
However I should say that our framework takes a different philosophy. We believe that web apps shouldn't have to ask for OAuth access at all just to personalize the experience for you. They can ask the provider to display to you your name and everything else, in iframes that they can't get visibility into. Although I dislike patents, the whole system was non obvious enough to file one for the investors: http://www.faqs.org/patents/app/20120110469#b
We use oauth mainly for single sign-on, and the access permissions are actually a special case of an app requesting access to various streams you publish. In our framework, the app simply has a user id just like any other user, and can request access to your stream just like any other user. You can put users into friends, family, admins or any other roles, and then give them permissions on various streams.
that is actually totally not true. not if you want to use it in javascript apps that is, ie. a chrome extension.
currently the only good way to use google's v3 api's, which are oauth 2.0, is to use their new experimental identity library. you can however not deploy that in the play store afair. that said, i'd be surprised if this thing just worked in chrome extensions. but if it does it's useful i guess
Ah, cool. I'm kind of interested in how you work on the security aspects of it (will you give guidance on how to configure your client info for the various APIs (what do I fill in for all of the different URIs in my Facebook app config?), as well as more complicated scenarios (storing tokens in DB, associating tokens to accounts, etc.)
The most confusing thing to me about this page was the changing provider names. I was looking at the page and could tell that something was changing but it took me about 15 seconds to figure out what it was.
Hah.. I actually read this comment first and I was STILL just staring at my screen completely dumfounded. I'd see the little animation on the right update, and then something else would change. It was mystifying.
Made it really hard for me to focus on the content. I know exactly what was changing, and it wasn't that much, but it took a really long time (in comparison) to read the examples.
Shameless plug: We wrote a backend app, Checkpoint, that works similarly to this. It's open source [1] and in use with a number of production apps. Admittedly it does not have the JavaScript stuff, but that's easy enough to add.
Basically, Checkpoint is a facade that abstracts authentication into a simple API. You set up Checkpoint with your OAuth keys (for, say, Facebook), then just redirect your app to /login/facebook. Checkpoint will do the OAuth interaction and return to your app with a key that can be used to access the login session.
Checkpoint abstracts the notion of logins into identities and accounts. An identity corresponds to a user, and can have more than one account associated with it. Identities are logically partitioned by "realm", so it's ready for federated installations.
If you'd like something similar to this that's available today, check out our startup: https://www.dailycred.com/
We also support email & password (using the same OAuth API) and Mozilla Persona, as well as take care of headaches like password reset, email validation, and account de-duplication (for example, if a user signs in using Facebook on day one and then email on day two).
Best of luck to oauth.io however -- the simple js approach is interesting.
+1 for the animated image or gif or whatever, instantly caught my attention. I would maybe speed it up however, I was curiously awaiting to see the full animation.
The idea is to point the user to your oauth-flow route and they will complete the oauth flow. your middleware will then be called with req.oauth containing all received oauth credentials and the url containing all the original parameters.
In short - it doesn't assume that you want to use oauth for user authentication and authorization.
Maybe you just want users to add their dropbox or box account to an existing account. Maybe you need to make a one-time call to a service in their name.
Passport and everyauth simply assume too much: that you will need an authentication strategy, that the strategy will have a getter function for the user, that you actually have users...
oauth-flow just implements the authorization flow: redirects the user to the oauth provider (facebook, twitter, etc), then when the user returns, they return at the same URL and the next middleware is called with req.oauth containing all oauth data such as tokens.
Then you can do whatever you want with those - make an API call, authorize the user using their external ID, register a new user...
Its a smaller, more focused module, better aligned with the principle of doing one thing only and doing it well. And it doesn't require adding any global middleware inside the app.configure block such as in passport.
I was getting so impatient waiting for the stubborn programmer animation to finish. Inspect -> sources -> stubborn.js -> ohhhhhh... well done.
On the other hand, I first thought this was a Facebook thing since it started with "Setup your Facebook API Keys in OAuth.io". Perhaps something like "Setup API keys for the provider of your choice in OAuth.io"?
Comments on the animated UI aside, as someone who recently pulled their hair out trying to get StackOverflow oauth working, a simple solution would be extremely welcome.
My scalp shall thank you!
Yes, it really is not. OAuth on mobile is frustrating experience of matching up responses and posts and figuring out which of the 5-10 variables and secrets or keys or tokens to give.
There is a little too much changing text going on in my opinion. It was difficult to read the sample code because my eyes kept jumping to the changing text all over the screen.
Edit: It looks like you changed the intervals. Much better now.
