Use Mangadex OAuth/OpenID Connect #83

Open
thedrummeraki opened this issue Dec 7, 2022 · 1 comment

@thedrummeraki
Owner

Context from Mangadex announcement: https://discord.com/channels/403905762268545024/839817812012826644/1050086487431053363

Quote:

This will happen over a longer-than-usual deprecation period, mainly because we don't know for sure what 3rd-party clients will need from it in terms of adjustments.
If you want your client to work with it long term, now (ie over the next few weeks) is the right time to actually test it out and report to us.
There is no huge rush, as we will support both the old raw username/password and the new OAuth system concurrently, but eventually we'll remove the old one once we believe all fair third-party client demands are addressed.

For now, the following are the relevant resources you will want:
1. The OAuth-aware API instance to use is at: https://api.mangadex.dev/. Note the .dev. It is NOT live on our live API yet.
- The API should accept tokens from that identity provider for any audience in place of the old authentication system's session/refresh tokens. It's the same Authorization Bearer header setup as on the main site once you have your tokens.
- /auth/login and /auth/refresh still exist and work; this is for backwards compatibility; if you use them you're not actually testing the OAuth setup
- The documentation doesn't mention OAuth yet, we know.

2. The identity provider is at https://auth.mangadex.dev/realms/mangadex
- The openid-configuration is at the standard https://auth.mangadex.dev/realms/mangadex/.well-known/openid-configuration subpath; which is what libraries will likely ask of you if using one
- Your personal account console is at https://auth.mangadex.dev/realms/mangadex/account
- All users have been imported in it with their roles as they were on the main website as of December 4th 2022
  - Your live website credentials as of that date will work on the identity provider login form
  - You may use the forgotten password flow if you forgot/changed them since
  - You may NOT sign up new accounts on it at the moment

3. Registering your OIDC Client
- There isn't currently any way for you to do this. We will obviously address this by the time it goes live.
- For now, you may use the thirdparty-oauth-client public OIDC client with the Authorization Code Flow.
- Its allowed redirect URIs and origins include http://localhost/ on ports (implicit) 80, 8080, 8000, and 3000, and https://localhost/ on ports (implicit) 443 and 8443. Went with the most common ports in the wild. With any subpath you like. If you really need another one ask in #dev-talk-api.
- If you believe your client will need other flows, tell us so we can evaluate and plan around the security measures this will require. If you don't ask, you won't get it.
- But do not waste your time asking for Implicit Flow support just because it's simpler. Use a library instead and the authorization code flow. There are security reasons for why the implicit flow is deprecated everywhere.
@thedrummeraki
Owner Author

This would be nice for the gem, but need to investigate and see how this can be implemented, without much knowledge of who's using the gem.
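
The client side of the Authorization Code Flow from the announcement quoted in the issue, as an added Ruby sketch that is not part of the thread or of the gem. The `authorization_endpoint` value is a placeholder for whatever the openid-configuration document returns, and the `openid` scope and PKCE (S256) support are assumptions the announcement does not confirm.

```ruby
require "securerandom"
require "digest"
require "uri"

# Constructed stand-in for the parsed openid-configuration document. A real
# client fetches it from the .well-known URL and reads the same key.
DISCOVERY = {
  "authorization_endpoint" =>
    "https://auth.mangadex.dev/realms/mangadex/AUTHORIZATION-ENDPOINT-PLACEHOLDER"
}.freeze

CLIENT_ID = "thirdparty-oauth-client" # public test client named in the announcement
# localhost ports the announcement lists for redirect URIs, per scheme.
ALLOWED_PORTS = { "http" => [80, 8080, 8000, 3000], "https" => [443, 8443] }.freeze

# True only for localhost redirect URIs on a listed port (parsed, not string-matched).
def redirect_allowed?(redirect_uri)
  uri = URI.parse(redirect_uri)
  uri.host == "localhost" && ALLOWED_PORTS.fetch(uri.scheme, []).include?(uri.port)
rescue URI::InvalidURIError
  false
end

# Unpadded base64url of SHA-256(verifier), the PKCE S256 transform (RFC 7636).
def pkce_challenge(verifier)
  [Digest::SHA256.digest(verifier)].pack("m0").tr("+/", "-_").delete("=")
end

# Start one login attempt. Assumptions: "openid" scope and S256 PKCE are accepted.
# Store :state and :code_verifier with the attempt; the verifier goes in the token request.
def begin_authorization(redirect_uri, scope: "openid")
  raise ArgumentError, "redirect URI not allowed" unless redirect_allowed?(redirect_uri)
  state = SecureRandom.urlsafe_base64(32)
  verifier = SecureRandom.urlsafe_base64(64)
  query = URI.encode_www_form(
    response_type: "code", client_id: CLIENT_ID, redirect_uri: redirect_uri, scope: scope,
    state: state, code_challenge: pkce_challenge(verifier), code_challenge_method: "S256"
  )
  { url: "#{DISCOVERY.fetch('authorization_endpoint')}?#{query}",
    state: state, code_verifier: verifier }
end

# Handle the redirect back: surface provider errors, reject a state mismatch, return the code.
def extract_code(callback_url, expected_state)
  params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
  raise "authorization failed: #{params['error']}" if params.key?("error")
  raise "state mismatch" unless params["state"] == expected_state
  params.fetch("code")
end
```

The returned code is then exchanged at the token endpoint from the same discovery document, and the resulting access token is sent in the `Authorization: Bearer` header as the announcement describes.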
