Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
608 views
in Technique[技术] by (71.8m points)

openid connect - Using external OAuth or OIDC tokens to authenticate against my REST API

I understand OAuth2 (at least, as it's defined in RFC6749) pretty well. I've also read through a good bit of the OIDC specs.

Context:

  • I am building a web application that allows external users to sign in.
  • I am using React for the front-end, in the style of a single-page application.
  • I do not want to use session cookies for authn/authz against my REST API. I want to handle authn/authz via bearer tokens either as a header or in a cookie.
  • I'm not exactly sure what third-party OAuth2 servers and/or third-party OIDC servers I want to allow yet (Google, Twitter, Discord most likely).
  • I can imagine eventually needing access to a user's Google docs, their Twitter feed, and their Discord information as well.
  • I imagine that I'll eventually need to come up with some sort of workflow that prompts the user to authorize my app to access their Google docs, Twitter feeds, and Discord information.
  • I know I'll need to store the OAuth access token in the backend; my front-end does not really need the token.
  • I have no interest in becoming an identity provider to other applications. In other words, I don't want to implement an OpenID Connect identity provider.
  • But, I am interested in delegating resources that I own to other services. In other words, I am interested in implementing an OAuth2 authorization server.

What I'm a bit confused about is how I handle the authn/authz against my API without using sessions, and if/how this relates to external authn/authz.

So, we begin with a fairly run-of-the-mill OAuth2/OIDC flow:

  1. User clicks a "Login with xxx" button to initiate an OIDC flow with 3rd party auth server.
    • If 3rd party does not support OIDC, I can also use OAuth2 and request a scope (usually something like email) that I can later use to retrieve user ID information from the 3rd party.
  2. User completes OIDC/OAuth2 flow in a pop-up window. I intend to use the authorization code grant.
  3. 3rd party redirects the user (in pop-up window) to a route on my backend that receives the authorization code. On the backend, I exchange it for the OAuth2 access token and refresh token. For OIDC, I'll also get an ID token. I store all the tokens in my database.
    • If this was an OAuth2 flow, I use the access token to retrieve user identity from the 3rd-party.
  4. Using either the OIDC token or the user identity information I got from step 3, I check if the user exists. If not, I create it.
  5. I now "log" the user in...

Most OAuth2/OIDC information I can find online stops here. I've completed the OAuth2/OIDC flow.

But, the token I have is issued by a 3rd-party. It could actually be from any one of my 3rd party providers. How do I use this token for auth against my REST API?

Or, do I implement my own OAuth2 authorization server myself and issue a new access token?



1 Reply

0 votes
by (71.8m points)
Waiting for an expert to reply
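
For steps 4 and 5 of the question, taking the "issue a new access token" option it raises: an added example, not part of the original post or reply, in which the backend maps the provider identity to a local account and mints its own short-lived signed token that the REST API verifies on every request, while the provider's tokens stay in the database. The key, audience, in-memory user table and all function names are assumptions, and the provider's ID token (or user-info response) is assumed to have been validated already in step 3.

```python
import base64, hashlib, hmac, json, time

API_KEY = b"constructed-demo-key"          # constructed; load from a secret store in practice
API_AUDIENCE = "https://api.example.test"  # hypothetical identifier for this REST API
USERS = {}                                 # (issuer, subject) -> local user id; stands in for the DB

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(API_KEY, signing_input.encode(), hashlib.sha256).digest()

def local_user_for(issuer, subject):
    """Step 4: find or create the local account, keyed on the provider's
    (issuer, subject) pair rather than on e-mail, which can change or collide."""
    return USERS.setdefault((issuer, subject), f"user-{len(USERS) + 1}")

def issue_api_token(user_id, ttl=900, now=None):
    """Step 5: mint this API's own HS256 JWT, independent of any provider token."""
    iat = int(time.time() if now is None else now)
    claims = {"sub": user_id, "aud": API_AUDIENCE, "iat": iat, "exp": iat + ttl}
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    signature = b64(sign(f"{head}.{body}"))
    return f"{head}.{body}.{signature}"

def verify_api_token(token, now=None):
    """Called on every API request; returns the local user id or raises ValueError."""
    try:
        head, body, signature = token.split(".")
        alg = json.loads(unb64(head)).get("alg")
        sig_ok = hmac.compare_digest(sign(f"{head}.{body}"), unb64(signature))
        claims = json.loads(unb64(body))
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256" or not sig_ok:       # pin the algorithm; never trust the header's choice
        raise ValueError("bad signature")
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong audience")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims["sub"]
```

Because the API only ever checks its own signature and audience, adding another provider changes the login route alone, not the request-time verification.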
