Hello, I realize this is kind of a mixed-up topics question, but I think I will ask anyway, hopefully I get useful feedbacks
This is an architecture question. I have an API service built using Phoenix. Among others, it will handle user registration, but to ease the adoption I’m intending to only open registration using social media accounts (right now only Google, possibly with Facebook in the future); all the OAuth basic stuff and I will save the authenticated user’s name and email to my DB. I am not accessing other Google or other services, only for authentication.
The OAuth authentication process will be initiated by the client, a chrome extension (basically a single page JS app). My question is: how should the client handle this? I have two approaches in mind:
Approach 1: Directly to Google
On clicking the sign-in with Google button, the client will authenticate directly to Google OAuth using the
chrome.identity API. It will receive access_token on the redirect url, and it will post the token to the API’s
/auth endpoint. The API will then validate using the
tokeninfo Google endpoint, and if the token is valid, insert the data from
tokeninfo to DB, and then returning
Phoenix.Token to client for further requests.
Approach 2: Using Ueberauth
On clicking the sign-in with Google button, the client will open up a new window to a route in my Phoenix app for handling OAuth using Ueberauth. The route will then process all the authentication, callback, inserting to database, generate token and returning the
Phoenix.Token back to the extension via message passing. It seems possible, but I haven’t tried it yet.
Any thoughts? Particularly on the security point-of-view. I see approach 2 will help me if I wanted to add Facebook login in the future, but I don’t know if it’s doable or secure. Thanks!