This repository has been archived by the owner on Dec 3, 2021. It is now read-only.
I'm giving this package a try, and while I understand there are different implementations of OAuth (probably), I don't seem to get the requirement of providing the 'tokenUrl' and 'clientId', 'clientSecret??' to the OAuthReceiver...
If I understand it right, OAuthSender and OAuthReceiver are supposed to co-exist. I use OAuthSender to open the oauth provider's gate, once the user provides the username/pwd, the oauth gate will return me the basic info as:
token,
clientId..
...
I would expect the OAuthReceiver just to parse the incoming params and provide the success/fails hooks. Why is it required for the OAuthReceiver to provide him the 'clientSecret' (user has already signed in!) and 'tokenUrl' (if token has been already received)..
Also, another question would be regarding the redirect in onOAuthSuccess callback after the successful login ... the from or to (depends on how you look at it). Wouldn't that be always empty as it's effectively a redirect from the OAuth providers gate that's happening?
1. User opens the react app
2. Clicks the protected route and I prompt him to log in to the auth provider
3. He clicks and then the react app pretty much unmounts (losing all the router state)
4. OAuth gate opens, user signs in, and the gate then redirects to the redirect uri (our application)
5. Our application initializes again, how does the receiver then know what the last state.from was??
You see, I'm trying to do the protected routes with dynamic routes and I was hoping this would help me to resolve my issues, but it seems like I'll have to dynamically update the redirectURI to reflect the target url.
thanks.
> I'm giving this package a try, and while I understand there are different implementations of OAuth (probably), I don't seem to get the requirement of providing the 'tokenUrl' and 'clientId', 'clientSecret??' to the OAuthReceiver...
> [...]
> I would expect the OAuthReceiver just to parse the incoming params and provide the success/fails hooks. Why is it required for the OAuthReceiver to provide him the 'clientSecret' (user has already signed in!) and 'tokenUrl' (if token has been already received)..
The way the OAuth2 Authorization Code Grant works, the OAuthReceiver does indeed not receive the user's access token right away but it instead receives an Authorization Code which it then exchanges for the actual Access Token. And to obtain the Access Token based on the received Authorization Code, the OAuthReceiver must again provide clientId and clientSecret so the server can authenticate the client.
If the Server returned the Access Token right away, this would be the Implicit Grant, which is discouraged for use in client-side / JavaScript apps because of security implications.
> Also, another question would be regarding the redirect in onOAuthSuccess callback after the successful login ... the from or to (depends on how you look at it). Wouldn't that be always empty as it's effectively a redirect from the OAuth providers gate that's happening?
The state object is sent along to the server and returned again once the server redirects back to the react application, i.e. the state obtained by the OAuthReceiver will be the same as the one you pass to the OAuthSender.
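The two points in the reply above (the `state` round trip and the code-for-token exchange), as an added example that is not part of the original thread and not the package's own code. The function names, URLs and credentials are constructed placeholders; the nonce check and the same-origin check on `from` are assumptions about how an application would validate the returned state.

```javascript
// Constructed placeholder configuration; none of these values come from the thread.
const config = {
  authorizeUrl: 'https://auth.example.com/authorize',
  tokenUrl: 'https://auth.example.com/token',
  clientId: 'demo-client',
  clientSecret: 'demo-secret',
  redirectUri: 'https://app.example.com/auth/callback',
};

// Sender side: `state` carries the wanted route plus a per-login nonce (kept in sessionStorage in a browser).
function buildAuthorizeUrl(cfg, from, nonce) {
  const url = new URL(cfg.authorizeUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    state: JSON.stringify({ from, nonce }),
  }).toString();
  return url.toString();
}

// Receiver side: the app was reloaded, so everything is recovered from the callback URL.
function parseCallback(callbackUrl, expectedNonce) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) throw new Error('provider error: ' + params.get('error'));
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  let state;
  try { state = JSON.parse(params.get('state')); } catch { throw new Error('unreadable state'); }
  if (!state || state.nonce !== expectedNonce) throw new Error('state mismatch');
  // Only follow same-origin paths, so a tampered state cannot send the user elsewhere.
  const ok = typeof state.from === 'string' && /^\/(?![\/\\])/.test(state.from);
  return { code, from: ok ? state.from : '/' };
}

// The code is not a token yet: it is exchanged at tokenUrl, with the client authenticating itself.
function buildTokenRequest(cfg, code) {
  return {
    url: cfg.tokenUrl, method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      redirect_uri: cfg.redirectUri,
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
    }).toString(),
  };
}
```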