-
Notifications
You must be signed in to change notification settings - Fork 102
Help: Wanting to do login post-password-reset #48
Comments
Hmmm, not that I use this module, but I know a tiny bit about Devise and Oauth in general. Your scenario seems odd though:
If you're happy with your current implementation and just want to create the OAuth2 token for the user, you can try to find the code you need in here (I picked out a few relevant lines).
|
Thanks for the reply. No, my scenario is pretty much the standard flow for Devise password reset. From a UI the user uses a forgot form to post a request for a password reset link At this point I want to differ from the normal flow. The password is now reset, and I want to render a JSON response (no cookies) which contains tokens for a new session so the user can use them straight away, rather than having to go through the UI's login step. This sounds reasonable and as-secure to me. I'd be interested to hear if you disagree. I think with your code snippet below though I should be able to achieve what I'm after. Many thanks On 16 Feb 2013, at 10:27, goofrider [email protected] wrote:
|
Hi Adam, Thanks for the clarification. I thought about your scenarios and also looked into the varies modules' source code looking for some ideas. From the sound of it, you're asking for the user's username and password from your UI and then login by calling the /sign_in route using JSON API, aren't you? I'm pretty sure you're not supposed to ask for the user password directly in an Oauth2 client. From the client, you're supposed to redirect the user to the OAuth authorization endpoint (/oauth2/authoize) on the Oauth provider's website, only then the user enter the username/password directly to the provider's login dialog, afterwards the provider redirect to the callback URL on the client side with the access token, the token it returns encapsulate the uid/auth combo. The username and password is never revealed to the Oauth client. That's how OAuth supposed to work. Are you using an Oauth client gem/library on the client app? If you use a pre-baked Oauth library, this should all be very obvious to you, as those libraries never ask for uid/pwd. All the redirections is handled for you. We need to get you back on the standard Oauth flow first, because all the underlying layers depend on it. Here's the normal Oauth flow:
There's also a lot more to this though when we add password reset to the equation. I was trying to look into the codebase and figure out how to get a completely in-app password reset flow, and found a few places in the code where they might make that kind of flow impossible. But that reply is really long and need some major editing I really don't have all the answers. Maybe someone more familiar with Devise, Oauth2Proviable and the underlying layers can explain better than I do. But I'll post that part of the reply later after some cleanup, hopefully it'll at least point you in the right direction. |
OK, in order to satisfy my curiousity, I rolled a test Oauth2 client/server setup with devise_oauth2_providable using this test suite (with caveat): https://github.com/ZenCocoon/testoauth2provider Here's how the normal Oauth login flow is (without password reset): [client/server] indicates what's directly facing the user at that stage
As long as you follow the normal Oauth flow, the password reset process will just become a longer version of step 3, and the user should be redirected back to your app, theoretically. I went ahead and did some real testing and see what really happens during this password reset process: A. Start the OAuth flow from the client, it redirects me to the server, I click on password reset. Then I paste the password reset link in the same window the client initiated, change the password, hit "authorize", and got redirected back to the app nicely. B. Do the same thing to initiate OAuth from the client side and click password reset, but this time, I open a new browser tab to paste in the password reset link. After the password reset I was logged in at the server but didn't get redirect to the client app. Furthermore, when I go back to the client app and try to sign-in via OAuth, I still have to enter username and password, even though the server thinks I'm still logged in in the other browser tab. So there you have it. If you get your client app's oauth process back to spec, and somehow keep the password reset in the client-initiated window, the user will get redirect back to the client app. Hope that's enough for you to start with. Looks to me there's some pretty good browser session isolation implemented here, I must say. EDIT: I should note that testoauth2client didn't work with testoauth2provider out of the box, turns out testoauth2client's Oauth initiation has a params[:state] by default and check if the server response matches (it's for CRSF protection). testoauth2provider didn't have that enabled, and raised a non-descriptive CallbackError on the client side that took me forever to track down. In the test above I just set :provider_ignores_state to TRUE in testoauth2client. Not sure if the whole password reset process will break the Oauth params[:state] checking. You should try it out yourself to be sure. |
Hi, sorry to file this under issues, but I thought this might be a common enough question.
I'm attempting to do an auto-login after password-reset within devise's passwords controller.
I can't figure out how to do this, and thought perhaps you could suggest an approach.
The snippet looks a lot like the standard passwords controller, but I'm returning a JSON only response.
Any help would be much appreciated
The text was updated successfully, but these errors were encountered: