Hello, I realize this is kind of a mixed-up topics question, but I think I will ask anyway, hopefully I get useful feedbacks
This is an architecture question. I have an API service built using Phoenix. Among others, it will handle user registration, but to ease the adoption I’m intending to only open registration using social media accounts (right now only Google, possibly with Facebook in the future); all the OAuth basic stuff and I will save the authenticated user’s name and email to my DB. I am not accessing other Google or other services, only for authentication.
The OAuth authentication process will be initiated by the client, a chrome extension (basically a single page JS app). My question is: how should the client handle this? I have two approaches in mind:
Approach 1: Directly to Google
On clicking the sign-in with Google button, the client will authenticate directly to Google OAuth using the chrome.identity
API. It will receive access_token on the redirect url, and it will post the token to the API’s /auth
endpoint. The API will then validate using the tokeninfo
Google endpoint, and if the token is valid, insert the data from tokeninfo
to DB, and then returning Phoenix.Token
to client for further requests.
Approach 2: Using Ueberauth
On clicking the sign-in with Google button, the client will open up a new window to a route in my Phoenix app for handling OAuth using Ueberauth. The route will then process all the authentication, callback, inserting to database, generate token and returning the Phoenix.Token
back to the extension via message passing. It seems possible, but I haven’t tried it yet.
Any thoughts? Particularly on the security point-of-view. I see approach 2 will help me if I wanted to add Facebook login in the future, but I don’t know if it’s doable or secure. Thanks!