Must admit, I haven't taken the time to study any of this, but it does sound very familiar to the Google provider. For example, Google One Tap Sign-In allows for signing in via an ID token. You can check that for reference.
I would like to get opinions on what's the best way to implement Facebook's Limited Login.
It's a JWT-based scheme with the JWT obtained out-of-band and we should merely validate it and extract user metadata from it. This JWT does not allow access to any Facebook APIs - it's purely there as an assertion to say "I am Facebook and am vouching for this user with this ID and this metadata".
Now for the fun bit - the UIDs are shared between this and the main Facebook provider, and we must thus support both flows within the same provider (a user will use Limited Login on iOS, but normal OAuth2-based login on web for example - Limited Login doesn't seem to exist on the web). We can't use separate providers because otherwise a user would end up with 2 social logins against their account - one from the limited login provider and one from the normal provider.
The problem I see is that the existing Facebook provider is heavily biased towards OAuth2 and in fact relies on access to the Graph API. I am thinking, as a hack/proof of concept:
- `verify_token` function to check if there is an `id_token` in the `token` kwarg
- `flows.verify_limited_login_token` (copied from `flows.verify_token`)
- that function will create a `SocialToken` with the JWT in the `token` kwarg - edit: I don't think `SocialToken` is mandatory, so in this case we skip it as we don't actually have a real token that allows Graph API access
- `provider.sociallogin_from_response(request, extra_data)` with the `extra_data` being the JWT metadata such as email, name, etc - mimicking what would normally be a Graph API response
- `SocialToken.token` is a valid bearer token for the Graph API

Other thoughts to consider:
Any thoughts/suggestions on this? I will be happy to submit PRs.