User Auth with Electron


#1

Didn’t find many resources on this with Google. How would basic user auth be done in an Electron app? I want users to be able to authenticate with third party services (like login with GitHub, for example).

Can I use something like passport.js and integrate like any other Node app?

I’m just looking for an overview on this process and what things I need to look into.

Thanks!


#2

Is this a real issue? If I’m using third party services like PubNub, where else would I store my client keys?


#3

I use Firebase, given that Google makes it free for those who are starting out. https://firebase.google.com/


#4

Can you explain the process you went through when integrating?

I’ve recently tried Auth0 with Electron, but have run into several issues. Ideally, I would like to do this without a third party service, and perhaps just use a library like Passport.js. The issue is, Passport.js is usually used server side and unlike with Electron, storing secret keys is not a problem in that scenario.

I am appalled at the lack of documentation and examples of user auth with Electron, given that it must be a common feature in most applications.


#5

Then I use Firebase in Electron as if I were using it on any web site. Firebase even provides an npm package to be used directly with Node.js; however, as it was made to run on the server side, it ends up not being safe to use in Electron. Try reading the documentation at this link.

https://firebase.google.com/docs/web/setup

I apologize for any error writing because I am Brazilian and I am still learning to speak English.


#6

Being appalled is a bit of an overreaction. There is a wealth of blogs and examples regarding Node, and I expect that any front-end framework you choose has preferred authentication methods and plugins to seamlessly integrate them. There is no need for the Electron team to reinvent the manual for a subject matter that isn’t Electron-specific.


#7

I agree that being appalled is a bit of an overreaction.

However, the fact of the matter is that storing API secrets on the client is not a wise thing to do in terms of security. As of now, to do OAuth within an Electron application, the client secret and keys would have to be packaged into the app.


#8

This is one of the exact issues I’m referring to. This same concern is voiced in the comments of this tutorial: http://manos.im/blog/electron-oauth-with-github/

I disagree, this is an important issue regarding a feature that affects many, many apps built with Electron. As stated in the comments both above and below yours, security in an Electron client side app is important and something that needs to be addressed.

I am aware of the many online examples and tutorials for Node.js and relevant front-end technologies, but as Electron is client side it cannot be treated as a traditional node app.

Good docs and examples are always important.

Yes, this is a real concern and I have yet to find an official response or solution to it.


#9

First I’d suggest that everyone reads https://tools.ietf.org/html/draft-ietf-oauth-native-apps-05 for some background info.

It’s up to the OAuth provider to document how to use their services in native/desktop apps, here’s the relevant doc for Google OAuth:
https://developers.google.com/identity/protocols/OAuth2InstalledApp

With sample apps:

If you look at the sample apps they have a client_secret embedded in the code, but it’s not really secret in this context:
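
Added example, not part of the original thread or of any library mentioned in it: the authorization-code flow with PKCE (RFC 7636), which the native-apps draft linked in post #9 recommends, so the app proves itself with a per-login verifier instead of a secret packaged into the bundle. The endpoint, client id and loopback redirect URI passed to these functions are assumptions supplied by the caller.

```javascript
// Added example: PKCE (RFC 7636) for a desktop OAuth client with no bundled secret.
// Endpoints, client id and redirect URI are caller-supplied placeholders.
const crypto = require('crypto');

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))
const challengeFor = (verifier) =>
  b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());

// Step 1: per-login values generated on the device, then sent to the system browser.
function buildAuthRequest({ authorizeEndpoint, clientId, redirectUri, scope }) {
  const verifier = b64url(crypto.randomBytes(32)); // 43 chars, kept in memory only
  const state = b64url(crypto.randomBytes(16));    // binds the redirect to this request
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri, scope,
    state, code_challenge: challengeFor(verifier), code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, verifier };
}

// Step 2: validate the redirect that arrives on the loopback listener.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return code;
}

// Step 3: token request body. The verifier proves possession; no client_secret field.
function buildTokenRequestBody({ clientId, redirectUri, code, verifier }) {
  return new URLSearchParams({
    grant_type: 'authorization_code', client_id: clientId,
    redirect_uri: redirectUri, code, code_verifier: verifier,
  }).toString();
}
```

The authorization server recomputes the challenge from `code_verifier` at step 3, so an authorization code intercepted on the redirect is useless without the verifier held in the app's memory.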



#10

Look, I do not know if you’ve worked with Firebase, but it supports login with several third-party services like Facebook, GitHub, Google …

And if you implement it in Electron you must use the JavaScript version for web and not the version for Node.js.

In this way it will work as if it worked on any web site. I use this way and have no problems. I think you should check out the Firebase documentation and see how it works.

I apologize for any error writing because I am Brazilian and I am still learning to speak English.


#11

I’d really like to roll my own authentication instead of using something like Firebase. I have a separate node application which contains an api that my electron app uses. I’m thinking I could possibly utilize something like Passport.js to implement an accounts solution.


#12

There are actually modules that help you work with OAuth and OAuth2 in Electron:

If you do not want to depend on third party apps, this is your best shot:
https://www.npmjs.com/package/electron-oauth2

Otherwise, you could use the auth0.com API if you want to rely on third party apps.

@RodriguesCosta One thing is web-based authentication, another completely different from Electron. Before you post, please do extensive research on how to do it.

Regarding the secret key: you could store it if it is for persistent connections, but if you want the user to authenticate each time the app launches, then I guess it is up to the developer what action to take.


#13

Thanks, that was very helpful.

I finally got around to integrating Google OAuth in my application.

I was previously trying to integrate Trello with my application but Trello does not support OAuth 2.0 and thus cannot be integrated securely.

Google seems to have the best documentation around for using OAuth 2.0 in installed apps.


#14

I made an easy-to-use helper library for OAuth1 and OAuth2.

https://github.com/mironal/electron-oauth-helper

Try to use, if good!


#15

That still involves sharing the secret in the config file, which is NOT secure at all.


#16

@RodriguesCosta I tried to do like web as you suggested but this is the error I am getting.