OAuth with servant


OAuth with servant

Harendra Kumar
Hi,

I was going through the servant docs and it seems to suggest that OAuth is not yet supported, a quote from the docs: "while it really fit for schemes like Basic and JWT, it wasn’t enough to fully support something like OAuth or HMAC, which have flows, roles, and other fancy ceremonies."

I could not find much mention of OAuth with servant using Google search. Is it possible to use OAuth with servant? Are there any working examples? If not, is this just difficult or impossible? If not impossible, how can it be achieved?

Thanks,
Harendra

--

Re: OAuth with servant

Alp Mestanogullari
Hello,

We currently have two solutions for auth: the one that comes with servant (https://haskell-servant.readthedocs.io/en/stable/tutorial/Authentication.html) and https://github.com/haskell-servant/servant-auth, which is younger but will hopefully one day make the former stuff obsolete. However, neither of them has support for OAuth out of the box. This Google search, https://www.google.fr/search?q=hmac+auth+servant&oq=hmac+auth+servant, shows a package and an example for HMAC though.

https://gist.github.com/freckletonj/17eec8959718cb251f29af3645112f4a also shows some OAuth support but it only has code to be invoked in handlers, not some proper support that makes it as easy to use as other auth schemes.

It's definitely not impossible to have OAuth protection usable out of the box, it's mostly about having someone who cares enough and has enough time to make it happen. Are you that person? :)

I can already give a few hints at what needs to be done. First and foremost, you need to have some code like in the gist above to talk to some OAuth provider/server in order to authenticate and get an access token or something along those lines. Once you have that, then you just have to wire it up to the generalized auth machinery (https://haskell-servant.readthedocs.io/en/stable/tutorial/Authentication.html#generalized-authentication). The "extract dummy cookie and check against DB" step would be replaced by the discussion with the OAuth server and possibly some additional (user-supplied) check? It's pretty easy to make things like the OAuth server and some secrets/keys/etc configurable so feel free to completely ignore this aspect for now and use hardcoded values. I can show you how to make it all configurable later, if you don't figure it out on your own by then.

This also sums up pretty well what would have to be done to add OAuth support to servant-auth, a lot of code could in fact be shared between both choices, it's just the final "wiring up" that changes.

Anyway, this email is long enough already. If you're motivated, let me know, we'll make this happen if you don't mind a liiiiiittle bit of lag on my end as I'm on holiday at the moment. Feel free to already ask more specific questions.

On Wed, Jan 3, 2018 at 2:13 PM, Harendra Kumar <[hidden email]> wrote:
Hi,

I was going through the servant docs and it seems to suggest that OAuth is not yet supported, a quote from the docs: "while it really fit for schemes like Basic and JWT, it wasn’t enough to fully support something like OAuth or HMAC, which have flows, roles, and other fancy ceremonies."

I could not find much mention of OAuth with servant using Google search. Is it possible to use OAuth with servant? Are there any working examples? If not, is this just difficult or impossible? If not impossible, how can it be achieved?

Thanks,
Harendra

--



--
Alp Mestanogullari
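
The "wiring up" Alp describes, as an added example that is not part of this thread and not code from the servant project: a resource server that replaces the tutorial's "extract dummy cookie and check against DB" step with "extract the bearer access token and validate it". It uses servant's generalized authentication API (AuthProtect, AuthHandler, mkAuthHandler, serveWithContext) as documented in the tutorial linked above. The tag name "oauth-bearer", the User type, the port, and the validateToken stub with its constructed token table are assumptions for this example; a real resource server would validate the token against the authorization server (token introspection) or verify a signed JWT locally, and check expiry, audience and scope.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE TypeOperators #-}
module Main where

import Control.Monad.IO.Class (liftIO)
import qualified Data.ByteString as BS
import qualified Data.ByteString.Char8 as B8
import Data.Char (toLower)
import Data.Text (Text)
import Network.Wai (Request, requestHeaders)
import Network.Wai.Handler.Warp (run)
import Servant
import Servant.Server.Experimental.Auth (AuthHandler, AuthServerData, mkAuthHandler)

-- | What a validated access token resolves to on the resource-server side.
-- (Hypothetical type chosen for this example.)
newtype User = User { userName :: Text }

-- Tell servant what the "oauth-bearer" tag yields once authentication succeeds.
type instance AuthServerData (AuthProtect "oauth-bearer") = User

-- A single protected endpoint; handlers behind AuthProtect receive the User.
type API = AuthProtect "oauth-bearer" :> "me" :> Get '[JSON] Text

-- | Pull the token out of "Authorization: Bearer <token>" (RFC 6750; the scheme
-- name is case-insensitive). Nothing for a missing header, another scheme, or
-- an empty token, so those requests are rejected rather than passed along.
bearerToken :: Request -> Maybe BS.ByteString
bearerToken req = do
  header <- lookup "Authorization" (requestHeaders req)
  let (scheme, rest) = B8.break (== ' ') header
      token = B8.dropWhile (== ' ') rest
  if B8.map toLower scheme == "bearer" && not (BS.null token)
    then Just token
    else Nothing

-- | Decide whether a token is valid and who it belongs to. Stub for this example:
-- the table below is constructed, not real credentials. In a real deployment this
-- is the "discussion with the OAuth server": call the provider's token
-- introspection endpoint (RFC 7662) or verify a signed JWT access token, and
-- reject anything expired, for the wrong audience, or lacking the needed scope.
validateToken :: BS.ByteString -> IO (Maybe User)
validateToken tok = pure (User <$> lookup tok knownTokens)
  where
    knownTokens :: [(BS.ByteString, Text)]
    knownTokens = [("example-token-for-alice", "alice")]  -- constructed sample

-- | The piece plugged into servant's generalized auth machinery: extract the
-- bearer token, validate it, and answer 401 on any failure. Error bodies stay
-- generic so they do not reveal why a token was rejected.
oauthHandler :: AuthHandler Request User
oauthHandler = mkAuthHandler $ \req -> do
  tok <- maybe (throwError err401 { errBody = "missing bearer token" }) pure (bearerToken req)
  mUser <- liftIO (validateToken tok)
  maybe (throwError err401 { errBody = "invalid or expired token" }) pure mUser

-- Handlers get the authenticated User as an ordinary argument.
server :: Server API
server user = pure (userName user)

-- The AuthHandler is supplied through the Context, which is how servant finds
-- the checker for the "oauth-bearer" tag.
app :: Application
app = serveWithContext (Proxy :: Proxy API) (oauthHandler :. EmptyContext) server

main :: IO ()
main = run 8080 app
```

With the constructed table above, `curl -H 'Authorization: Bearer example-token-for-alice' http://localhost:8080/me` returns `"alice"`, while a missing, malformed or unknown token gets a 401 before the handler runs. Note that the OAuth "flows" Harendra asked about live on the client and authorization-server side; the resource server behind servant only ever has to validate the access token it is presented with, which is why the generalized auth hook is enough to express it.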

--

Fwd: OAuth with servant

Alp Mestanogullari
Oops, didn't hit "reply all".

---------- Forwarded message ----------
From: Alp Mestanogullari <[hidden email]>
Date: Sat, Jan 6, 2018 at 7:00 AM
Subject: Re: OAuth with servant
To: Harendra Kumar <[hidden email]>


Hello,

I'm very glad you got hmac auth working!

Regarding the suggestion for the tutorial, would you perhaps mind opening an issue (or even better, a tentative PR) with what you have in mind? The fact that you can always define your own combinators or that you can embed arbitrary WAI applications pretty much means that you can do anything. If you have any good wording for this, I'll take it! :)



On Thu, Jan 4, 2018 at 6:46 AM, Harendra Kumar <[hidden email]> wrote:
Thanks Alp for contributing this awesome piece of software to the community and for your quick and detailed response. Please see my responses inline.

On 4 January 2018 at 03:02, Alp Mestanogullari <[hidden email]> wrote:
Hello,

We currently have two solutions for auth: the one that comes with servant (https://haskell-servant.readthedocs.io/en/stable/tutorial/Authentication.html) and https://github.com/haskell-servant/servant-auth, which is younger but will hopefully one day make the former stuff obsolete. However, neither of them has support for OAuth out of the box. This Google search, https://www.google.fr/search?q=hmac+auth+servant&oq=hmac+auth+servant, shows a package and an example for HMAC though.

https://gist.github.com/freckletonj/17eec8959718cb251f29af3645112f4a also shows some OAuth support but it only has code to be invoked in handlers, not some proper support that makes it as easy to use as other auth schemes.

Yes, I did find this one after sending this email and got it working too, so now I have a better idea. Definitely OAuth, or any kind of auth, can work with servant; the only point is making it as convenient as everything else in servant, i.e. making it work out of the box. I think this point should be made clear in the tutorial; otherwise first-time quick evaluators may think that OAuth does not work with servant, which is definitely not the case. I also heard from others that servant does not support OAuth, which sounds like a hard limitation (even though it is not true), and one can immediately decide not to consider servant at all.

It's definitely not impossible to have OAuth protection usable out of the box, it's mostly about having someone who cares enough and has enough time to make it happen. Are you that person? :)

I can already give a few hints at what needs to be done. First and foremost, you need to have some code like in the gist above to talk to some OAuth provider/server in order to authenticate and get an access token or something along those lines. Once you have that, then you just have to wire it up to the generalized auth machinery (https://haskell-servant.readthedocs.io/en/stable/tutorial/Authentication.html#generalized-authentication). The "extract dummy cookie and check against DB" step would be replaced by the discussion with the OAuth server and possibly some additional (user-supplied) check? It's pretty easy to make things like the OAuth server and some secrets/keys/etc configurable so feel free to completely ignore this aspect for now and use hardcoded values. I can show you how to make it all configurable later, if you don't figure it out on your own by then.

This also sums up pretty well what would have to be done to add OAuth support to servant-auth, a lot of code could in fact be shared between both choices, it's just the final "wiring up" that changes.

Anyway, this email is long enough already. If you're motivated, let me know, we'll make this happen if you don't mind a liiiiiittle bit of lag on my end as I'm on holiday at the moment. Feel free to already ask more specific questions.

Thanks for writing up what needs to be done; I've got a good idea now. If I get time from other things, or if I have to use OAuth myself, I will give it a try.

-harendra
 

--
Alp Mestanogullari

--