I am trying to design the authentication flow of an Ember application with a Rails backend. I basically want to authenticate users via Google/Facebook/etc.; I do not want to provide an 'independent' authentication service. I do, of course, want to maintain a list of users on the server side, potentially merging different authentications from different sources into the same user. I will not interact on behalf of the user on Google/Facebook from the client side, but I will do that on the server side.
For the above reason I was planning to do the following:
- I will use torii to fetch an auth_token on the client side and pass it on to the server side, where I will validate it and convert it into an access token.
- I will generate a custom token on the server side which I will send back to the client and require all further API calls to be accompanied by that token. I will not share the access token with the client at all.
Would you say that this is an optimal flow?
In terms of implementation, I have been able to get auth_tokens from the different providers using the example here. I am completely unsure however:
- if I need ember-simple-auth or only torii (how do these two complement each other?)
- how do I pass the auth token to the server side? With the code below I can get the auth token, but is this the proper place to implement the call to the API?

```javascript
import Ember from 'ember';

export default Ember.Route.extend({
  actions: {
    googleLogin: function() {
      var _this = this;
      // Authenticate through ember-simple-auth's torii authenticator; once it
      // resolves, the provider's authorization code is available on the session.
      this.get('session')
        .authenticate('simple-auth-authenticator:torii', 'google-oauth2')
        .then(function() {
          console.log(_this.get('session.secure.authorizationCode'));
        });
    },
    facebookLogin: function() {
      this.get('session').authenticate('simple-auth-authenticator:torii', 'facebook-oauth2');
    }
  }
});
```

- how do I make all further requests to the API be accompanied by a specific token?
- should I use devise on the server side to make it easier or not?
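Added example, not from the post and not Rails, devise or ember-simple-auth code: a plain-Ruby sketch of the server side of the flow proposed above (validate what the client sends, map it to a local user, hand back the server's own token, check that token on every API call). The in-memory Hashes stand in for ActiveRecord models; the `provider`/`uid`/`email`/`email_verified` arguments stand in for the profile the server obtains after validating the authorization code with Google/Facebook, and that network exchange (and the provider access token it yields, which stays server-side) is omitted. `TOKEN_TTL` and the rule that accounts are only merged on a provider-verified email are assumed policy.

```ruby
require "securerandom"
require "digest"

class AuthService
  TOKEN_TTL = 24 * 60 * 60 # seconds; assumed policy, not from the post

  # `now` is injectable so token expiry can be exercised without sleeping.
  def initialize(now: -> { Time.now })
    @now = now
    @users = {}        # user_id => { email: String }   (stand-in for a User model)
    @identities = {}   # [provider, provider_uid] => user_id (stand-in for an Identity model)
    @tokens = {}       # SHA-256(token) => { user_id:, expires_at: } (stand-in for ApiToken)
    @next_user_id = 1
  end

  # Map a validated provider profile to a local user, creating one if needed.
  # The arguments stand in for what the server gets back after validating the
  # authorization code with the provider; that exchange is not shown here.
  def find_or_create_user(provider:, uid:, email:, email_verified: false)
    key = [provider, uid]
    return @identities[key] if @identities.key?(key)

    # Merge onto an existing user only when the provider vouches for the
    # address; otherwise anyone who registers the victim's email at a lax
    # provider could attach their login to the victim's account.
    user_id = email_verified ? user_id_for_email(email) : nil
    unless user_id
      user_id = @next_user_id
      @next_user_id += 1
      @users[user_id] = { email: email }
    end
    @identities[key] = user_id
    user_id
  end

  # Issue the server's own opaque API token. Only its digest is stored, so a
  # dumped table yields nothing usable; the provider access token is never
  # returned to the client, matching the second step of the proposed flow.
  def issue_token(user_id)
    raise ArgumentError, "unknown user" unless @users.key?(user_id)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @tokens[digest(token)] = { user_id: user_id, expires_at: @now.call + TOKEN_TTL }
    token
  end

  # Resolve a request's Authorization header to a user_id, or nil.
  # Looking up by digest avoids comparing the raw token byte-by-byte against
  # stored values, so there is no string-comparison timing leak to worry about.
  def authenticate(authorization_header)
    return nil unless authorization_header.is_a?(String)
    scheme, token = authorization_header.split(" ", 2)
    return nil unless scheme == "Bearer" && token && !token.empty?

    record = @tokens[digest(token)]
    return nil unless record
    if record[:expires_at] <= @now.call
      @tokens.delete(digest(token)) # expired: forget it
      return nil
    end
    record[:user_id]
  end

  # Logout: forget the token. Returns true if it existed.
  def revoke(token)
    !@tokens.delete(digest(token)).nil?
  end

  private

  def user_id_for_email(email)
    pair = @users.find { |_, u| u[:email] == email }
    pair && pair.first
  end

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

if __FILE__ == $PROGRAM_NAME
  auth = AuthService.new
  # Constructed profile standing in for a validated Google response.
  user = auth.find_or_create_user(provider: "google", uid: "g-1",
                                  email: "alice@example.com", email_verified: true)
  token = auth.issue_token(user)
  puts "user #{auth.authenticate("Bearer #{token}")} authenticated"
end
```

In a Rails app, `find_or_create_user` and `issue_token` would run in the controller that receives the authorization code posted from the client (the place where torii's `then` callback hands it over), and `authenticate` would run in a `before_action` on the API controllers, reading `request.headers["Authorization"]`. The client keeps only the returned token and sends it as `Authorization: Bearer <token>` on every call; attaching that header centrally, rather than in each route, is the job ember-simple-auth's authorizer hook exists for.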