Hi,

I could not find much mention of OAuth with servant using Google search. Is it possible to use OAuth with servant, are there any working examples? If not, is this just difficult or impossible? If not impossible, how can it be achieved?

Thanks,
Harendra
Hello,

We currently have two solutions for auth: the one that comes with servant (https://haskell-servant.readthedocs.io/en/stable/tutorial/Authentication.html) and https://github.com/haskell-servant/servant-auth which is younger but will hopefully one day make the former stuff obsolete. However, neither of them has support for OAuth out of the box. This Google search: https://www.google.fr/search?q=hmac+auth+servant&oq=hmac+auth+servant shows a package and an example for HMAC though. https://gist.github.com/freckletonj/17eec8959718cb251f29af3645112f4a also shows some OAuth support but it only has code to be invoked in handlers, not some proper support that makes it as easy to use as other auth schemes.

It's definitely not impossible to have OAuth protection usable out of the box, it's mostly about having someone who cares enough and has enough time to make it happen. Are you that person? :)

I can already give a few hints at what needs to be done. First and foremost, you need to have some code like in the gist above to talk to some OAuth provider/server in order to authenticate and get an access token or something along those lines. Once you have that, then you just have to wire it up to the generalized auth machinery (https://haskell-servant.readthedocs.io/en/stable/tutorial/Authentication.html#generalized-authentication). The "extract dummy cookie and check against DB" step would be replaced by the discussion with the OAuth server and possibly some additional (user-supplied) check?

It's pretty easy to make things like the OAuth server and some secrets/keys/etc configurable so feel free to completely ignore this aspect for now and use hardcoded values. I can show you how to make it all configurable later, if you don't figure it out on your own by then.

This also sums up pretty well what would have to be done to add OAuth support to servant-auth; a lot of code could in fact be shared between both choices, it's just the final "wiring up" that changes.

Anyway, this email is long enough already. If you're motivated, let me know, we'll make this happen if you don't mind a liiiiiittle bit of lag on my end as I'm on holiday at the moment. Feel free to already ask more specific questions.

On Wed, Jan 3, 2018 at 2:13 PM, Harendra Kumar <[hidden email]> wrote:
Alp Mestanogullari
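
The wiring described in the message above, sketched as an added example (not code from the thread, the gist or the servant project): a generalized-auth handler that takes a bearer token from the request and hands it to a check function. `User`, `TokenCheck`, `demoCheck`, the `"oauth"` tag and the `/whoami` route are assumptions for illustration; `TokenCheck` is where the exchange with the OAuth provider would go.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE TypeOperators #-}
module Main where

import Control.Monad.IO.Class (liftIO)
import Data.ByteString (ByteString)
import qualified Data.ByteString as BS
import Network.Wai (Request, requestHeaders)
import Network.Wai.Handler.Warp (run)
import Servant
import Servant.Server.Experimental.Auth (AuthHandler, AuthServerData, mkAuthHandler)

newtype User = User { userName :: String }

-- Assumption: this type stands in for the call to the OAuth provider
-- (token validation plus any user-supplied check).
type TokenCheck = ByteString -> IO (Maybe User)

-- Constructed in-memory check so the example runs offline.
demoCheck :: TokenCheck
demoCheck tok =
  pure $ if tok == "constructed-demo-token" then Just (User "demo-user") else Nothing

-- Extract a non-empty token from "Authorization: Bearer <token>".
bearerToken :: Request -> Maybe ByteString
bearerToken req = do
  hdr <- lookup "Authorization" (requestHeaders req)
  tok <- BS.stripPrefix "Bearer " hdr
  if BS.null tok then Nothing else Just tok

-- Replaces the tutorial's "extract dummy cookie and check against DB" step.
oauthHandler :: TokenCheck -> AuthHandler Request User
oauthHandler check = mkAuthHandler $ \req ->
  case bearerToken req of
    Nothing  -> throwError err401 { errBody = "Missing bearer token" }
    Just tok -> liftIO (check tok)
                  >>= maybe (throwError err401 { errBody = "Invalid token" }) pure

-- Handlers behind AuthProtect "oauth" receive the authenticated User.
type instance AuthServerData (AuthProtect "oauth") = User

type API = AuthProtect "oauth" :> "whoami" :> Get '[PlainText] String

server :: Server API
server user = pure (userName user)

main :: IO ()
main = run 8080 $
  serveWithContext (Proxy :: Proxy API) (oauthHandler demoCheck :. EmptyContext) server
```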
Oops, didn't hit "reply all".

---------- Forwarded message ----------
From: Alp Mestanogullari <[hidden email]>
Date: Sat, Jan 6, 2018 at 7:00 AM
Subject: Re: OAuth with servant
To: Harendra Kumar <[hidden email]>

Hello,

I'm very glad you got hmac auth working!

Regarding the suggestion for the tutorial, would you perhaps mind opening an issue (or even better, a tentative PR) with what you have in mind? The fact that you can always define your own combinators or that you can embed arbitrary WAI applications pretty much means that you can do anything. If you have any good wording for this, I'll take it! :)

On Thu, Jan 4, 2018 at 6:46 AM, Harendra Kumar <[hidden email]> wrote:
Alp Mestanogullari
Alp Mestanogullari