So I’ve been struggling a bit with the whole oauth2/openid connect dumpster fire of a spec and its implementations. What I need is to have a separate api on a separate server, and whatever front end wherever it lives (mobile/web/desktop/other). This is the basic premise behind “microservices”. Here is the specific requirement:
- The user visits my website on the web in chrome.
- They see a “login with google” button
- They go through the oauth2 login flow via google.
- Now the user should be able to use the front end, which calls protected endpoints on the backend.
- The user should be able to logout and log back in and “refresh” their login if they visit within a certain amount of time initially after logging in.
So I’ve tried various oauth libraries (dj_all_auth, oauth toolkit, dj_social_auth, etc etc etc the list goes on with so many defunct/poorly documented oauth2 libs). None of them do this. They all authenticate and make requests to GOOGLE’s api on behalf of the user but you’re left implementing JWT from scratch for your own api. This is not what I want and this seems to be the worst practice (authentication should be pluggble or whatever). I’m able to sign up my app with google to let them know I have an app requesting oauth2, get the client id/secret, retrieve some auth code and send it to google for an access code FOR GOOGLE’s API. I need to get an access code based on if the user was able to log into a google account for MY API. I’m wondering is if I’m supposed to implement this JWT token based on Google’s JWT token from scratch (because all of the libraries that do jwt in the django ecosystem require password against a database). This won’t work because Google’s access token is always different. Is there anything that actually does the flow of “log into Google, now you can use MY application/apis” ?? It seems like a pipe dream at this point, yet I see all of these sites that create user accounts without requiring passwords, simply by logging into google/facebook/twitter/whatever.
To further show what I’ve looked at:
Oauth toolkit requires you to become the oauth2 provider. Not what i’m looking for
simplejwt. Requires password and no way the user is going to provide password for the jwt token. That ruins the entire point of oauth2 and federated login.
django_all_auth/dj_all_auth/whatever_all_auth. Only authenticates you against google’s api. Not what i’m looking for.
react plugins for google oauth2. Now i have to implement jwt from scratch and again, issuing tokens from scratch from the DRF side requires passwords, if i’m using the pluggable simplejwt functionality.
python_social_auth. Same problem as the all_auth libraries. only for google apis.