110 lines
2.8 KiB
Markdown
110 lines
2.8 KiB
Markdown
|
|
## OAuth flow
|
|
|
|
Authorization code flow:
|
|
|
|
http://localhost:7777/oauth/authorize?client_id=client-id&state=123456&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A7000%2Fcallback&state=dvoQ6Jtv0PV68tBUgUMM035oFiZw57
|
|
|
|
Implicit flow:
|
|
http://localhost:7777/oauth/authorize?client_id=client-id&state=123456&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%3A7000%2Fcallback&state=dvoQ6Jtv0PV68tBUgUMM035oFiZw57
|
|
|
|
Exchange the code to get the token with `{code}` replaced by the code obtained in previous step.
|
|
|
|
http -f -a client-id:client-secret http://localhost:7777/oauth/token grant_type=authorization_code code={code}
|
|
|
|
Get user info:
|
|
|
|
http http://localhost:7777/oauth/user_info 'Authorization:Bearer {token}'
|
|
|
|
|
|
## Template structure
|
|
|
|
base
|
|
single: for login, register page
|
|
default: for all pages when user log ins
|
|
|
|
## How to create new migration
|
|
|
|
Whenever the model changes, a new migration needs to be created
|
|
|
|
Set the database connection to use staging environment:
|
|
|
|
> ln -sf ~/config/simplelogin/staging.env .env
|
|
|
|
Generate the migration script and make sure to review it:
|
|
|
|
> flask db migrate
|
|
|
|
## Code structure
|
|
|
|
local_data/: contain files used only locally. In deployment, these files should be replaced.
|
|
- jwtRS256.key: generated using
|
|
|
|
```bash
|
|
ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
|
|
# Don't add passphrase
|
|
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
|
|
```
|
|
|
|
## OpenID, OAuth2 response_type & scope
|
|
|
|
According to https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
|
|
|
|
- `response_type` can be either `code, token, id_token` or any combination.
|
|
- `scope` can contain `openid` or not
|
|
|
|
Below is the different combinations that are taken into account until now:
|
|
|
|
response_type=code
|
|
scope:
|
|
with `openid` in scope, return `id_token` at /token: OK
|
|
without: OK
|
|
|
|
response_type=token
|
|
scope:
|
|
with and without `openid`, nothing to do: OK
|
|
|
|
response_type=id_token
|
|
return `id_token` in /authorization endpoint
|
|
|
|
response_type=id_token token
|
|
return `id_token` in addition to `access_token` in /authorization endpoint
|
|
|
|
response_type=id_token code
|
|
return `id_token` in addition to `authorization_code` in /authorization endpoint
|
|
|
|
|
|
## API endpoints for extension
|
|
|
|
```
|
|
GET /alias/options hostname?="www.groupon.com"
|
|
recommendation?:
|
|
alias: www_groupon_com@simplelogin.co
|
|
hostname: www.groupon.com
|
|
|
|
custom?:
|
|
suggestion: www_groupon_com
|
|
suffix: [@my_domain.com, .abcde@simplelogin.co]
|
|
|
|
can_create_custom: true
|
|
can_create_random: true
|
|
|
|
existing:
|
|
[email1, email2, ...]
|
|
|
|
POST /alias/custom/new
|
|
prefix: www_groupon_com
|
|
suffix: @my_domain.com
|
|
|
|
201 -> OK {alias: "www_groupon_com@my_domain.com"}
|
|
409 -> duplicated
|
|
|
|
POST /alias/random/new
|
|
201 -> OK {alias: "random_word@simplelogin.co"}
|
|
|
|
```
|
|
|
|
|
|
|
|
|