
I'm completely new to OAuth, and have a workflow question. I'm using node/express/passport, and have successfully set up the app to redirect when requesting my /auth/google endpoint.

However, I consistently get routed to the Google permissions page where I have to offer my application access to my information. What is the mechanism by which I could log in/out without providing that access every time? Essentially, how do I let users log in without requesting permissions again, but still let them log in through Google?

Corbfon
  • I would recommend reading this: http://nodexperts.com/blog/salesforce-oauth-using-nodejs/. It's not about Google OAuth, but you will get some basics about it and how OAuth works. – Mukul Jain Jun 18 '17 at 04:26
  • @myke_11j thanks I'll definitely read it! – Corbfon Jun 19 '17 at 10:16

1 Answer


The typical flow is to have your users log in on Google, like you're doing. Once they confirm your application's requested scopes, Google can provide your server with an authorization code which can be traded for an access / refresh token to be stored and used in the future.

Passport should abstract a lot of the back and forth away from you, though. Are you utilizing this library? And if so, are you storing the access and refresh tokens in your own local database for re-use (or at least the refresh token, so you can get a new valid access token when you need it)?

dvlsg
  • So this seems like a helpful path! None of the tutorials I've done have mentioned actually using the access or refresh tokens. I am using the library you linked. My question now is: when/how should I save the access and refresh tokens, and how do I provide them to passport? – Corbfon Jun 17 '17 at 23:39
  • It sort of depends on how you intend on _using_ the token. If it's just a way to let users log in with google, then you should consider sessions with a link to a user in a database, as well as a place to store the refresh / access token associated to that user. The example doesn't show storing the tokens, for some reason, but you will have to do that _somewhere_ if you don't want your users to log in each time. Securely, preferably. Then you'll want to use something like [this](https://developers.google.com/identity/protocols/OAuth2UserAgent#validate-access-token) to validate the linked token. – dvlsg Jun 18 '17 at 04:03
  • You'll want to look at the `deserializeUser` and `serializeUser` methods from `passport` as well, since those are typically how you marshal users in and out of your database in the context of `passport`. [Docs here](http://passportjs.org/docs/configure), but you'll have to scroll down a bit to see those methods. – dvlsg Jun 18 '17 at 04:08
  • So I've read about using cloud memcaches and express-session for storing session information across multiple instances. Are those stable/persistent enough to store the tokens long term? If so, then I'd add the Google login button to the site, on press I would have passport try to authorize them, and if it failed I would redirect them to the permissions page. Does that sound close to correct? – Corbfon Jun 19 '17 at 10:15
  • It sounds like memcache is a little bit more volatile than you're looking for. I suppose it comes down to whether or not you want the sessions to be maintainable if your server goes down for whatever reason. If the answer is yes, you probably want a more traditional database. Then you could load the user information from the database, and store it with the more volatile session for quicker lookup (so you don't have to go back to the database every time you need to look up user data). – dvlsg Jun 19 '17 at 23:55
  • OK, so I've already got a database along w/ middleware set up for authenticating users using my own system. So, I can easily store/access any information associated with the user. But I'm clueless on what I need to store/how I need to provide it to passport for authenticating. Tutorials are almost all surface-level and take passport to be 'black magic.' Any suggestions/hints? – Corbfon Jun 21 '17 at 02:19
  • I'm doing authentication w/ JWT and the expiration is set for a very long time from now (years) so that users don't have to log in again. Wanted it to be like Facebook in that way. Maybe there's a way to implement something like this with passport and google auth? – Corbfon Jun 21 '17 at 02:35
  • Passport is always a bit magical, in my experience. I've been using it for a while, and I still dislike having to dig through it to resolve issues. But to provide `User` information to passport, you'll want to look at the `serializeUser` and `deserializeUser` methods. Those will magically place the user on / take the user from the `req` object as a call goes through your middleware. [This may help you](https://stackoverflow.com/questions/27637609/understanding-passport-serialize-deserialize). – dvlsg Jun 21 '17 at 16:38
  • Thanks for your help, man. I certainly don't have it figured out quite yet (and also have been distracted by other problems recently). The `serialize` functions might have some functionality I'm missing. I'll try to play with them more and will come back here once I've made some progress. – Corbfon Jun 30 '17 at 03:13