Implementing Implicit OAuth for a package


#1

I am working on an Atom package which needs to authenticate with StackExchange through Implicit OAuth 2.0.
The problem is that I have never done OAuth before and am not sure what the best way to implement it is.

Objective:
Allow users to authenticate with StackExchange using OAuth.

My theoretical implementation:

  1. Open port on localhost:PORT and listen
  2. Call default browser to open stackexchange.com authorization webpage.
  3. On completion redirect to localhost:PORT
  4. Extract the received key, reply to the browser to close the tab.
  5. Close localhost:PORT server.

Can anyone suggest whether it is a legit way of implementing OAuth, or whether there are better solutions available?

Thank you for your help!


#3

I would hope you shouldn’t have to open an external browser just to get authenticated.

I assume you went through all of this?
http://api.stackexchange.com/docs/authentication

Edit:

Desktop Applications

Desktop applications cannot participate directly in OAuth 2.0 flows, however the embeddable browser controls available in most frameworks make it possible to work around this limitation.

Desktop applications should use the implicit client-side flow, hosting the process within a browser control. For redirect_uri, a value of https://stackexchange.com/oauth/login_success should be used. Upon a successful authentication, access_token will be placed in the url hash as with a standard implicit authentication.


#4

Thank you, @batjko.

That clears things up, as I got to the step where it redirects to localhost, but it does not pass the key as a parameter; instead it stores it in the #hash of the URL.

Any suggestions on how I can open a webpage inside of Atom and then extract the hash?

P.S. Why is it considered bad practice to use the default browser for authentication? It allows the user to just click “Approve”, without needing to log in to StackExchange. That may end up needing to log in to a Google account beforehand, and looking up the password, as there is no password manager in the embedded browser.
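
The hash extraction asked about above, as an added example that is not part of the original posts: it takes the URL an embedded browser control has navigated to, accepts it only if it is exactly the `login_success` redirect quoted from the docs, and reads `access_token` from the fragment. The function name, the `state` check and the `error` parameter (standard OAuth 2.0 names) are assumptions; wiring it to the browser control's navigation event is left to the caller.

```javascript
'use strict';

// Redirect target quoted in the thread from the Stack Exchange docs.
const EXPECTED_REDIRECT = 'https://stackexchange.com/oauth/login_success';

/**
 * Hypothetical helper: inspect a URL the embedded browser navigated to.
 * Returns null when it is not the expected redirect (keep waiting),
 * throws on a provider error or state mismatch, else returns the token.
 */
function extractImplicitToken(navigatedUrl, expectedState) {
  let url;
  try {
    url = new URL(navigatedUrl);
  } catch (err) {
    return null; // not a parseable URL, ignore this navigation event
  }
  const expected = new URL(EXPECTED_REDIRECT);
  // Compare origin and path exactly; a prefix or substring match would also
  // accept look-alike hosts such as stackexchange.com.example.net.
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return null;
  }
  // The fragment is never sent to a server, which is why a localhost
  // listener does not see the token; it has to be read client-side.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  // Assumption: the authorization request carried a random `state` value
  // and the provider echoes it back in the fragment.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch, discarding response');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) {
    throw new Error('redirect carried no access_token');
  }
  return { accessToken };
}

// Constructed sample redirect; the token and state are made-up values.
const sample = EXPECTED_REDIRECT + '#access_token=CONSTRUCTED-TOKEN&state=s3';
console.log(extractImplicitToken(sample, 's3'));
```
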


#5

Use the request npm package.


#6

Thank you. I am afraid it will be quite a challenge to load the webpage through request, then correctly display it to the user, supporting all the JavaScript and external files.

I might have used the wrong words when I said "open a webpage". What I meant is: display an authentication webpage in an interactive way to the client, so he can approve the application using OAuth2.


#7

Check out the package web-browser. It has an API that can be called to bring up a web page.


#8

There are several npm packages for this. This one is pretty widely used: