I am trying to set up pow, pow-assent and ex_oauth2_provider to fulfill the following scenario.
- Users should be able to register and login with username/password or social login.
- They will use a native app to interact with our API
- Other services should be able to use our API in the user context after authorization
I already set up Pow and Pow-Assent; login etc. is working fine. I can also use the authorization code acquired through the web interface and exchange it for an access token through the OAuth provider. So basically what is described in this blog post works fine: Phoenix: Build a full-fledged API in five minutes | Dream Conception
What does not work - and I am running against a wall here - is: how can I bring social login and the OAuth provider together, following what is described here: How to use PowAssent in an API — PowAssent v0.4.10
What I am trying to achieve is that a user can log in via social login and afterwards use the API with an access token issued by the OAuth provider.
At the moment the only way I see to do this is:
- to get consent from the social provider
- create an authenticated session with pow
- get an authorization code
- and use this to get consent from the ex_oauth2_provider (code)
- and exchange the code again for an access token.
As far as my understanding of OAuth goes, this is the intended use, but from a UX perspective this seems to be very bad.
My gut tells me I am overlooking something and there should be an easier solution. Has anyone done this already and can give me a hint in the right direction? Any help is much appreciated!
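The last three steps of the flow above (Pow session, authorization code, code-for-token exchange) wired into a Phoenix controller, as an added example that is not the poster's code and not ExOauth2Provider's own. It assumes an application named `MyApp`, that Pow's session plug has already run so the user created by the social-login callback is in the `conn`, and that the native app is registered in ex_oauth2_provider as a first-party client (the client id, redirect URI and the route names are assumptions, not taken from the post). Because the client is first-party, it calls `ExOauth2Provider.Authorization.authorize/3` directly instead of `preauthorize/3`, which is what renders the consent page; that is the part of the five-step flow the poster finds bad for UX.

```elixir
defmodule MyAppWeb.API.OAuthController do
  # Added example (not from the original post). Assumed setup:
  #   - Pow's session plug ran before this controller, so the user who just
  #     came back from the social provider is available via Pow.Plug.current_user/1
  #   - a first-party native-app client is registered in ex_oauth2_provider
  #   - routes: GET /api/oauth/authorize -> :authorize, POST /api/oauth/token -> :token
  use MyAppWeb, :controller

  alias ExOauth2Provider.{Authorization, Token}

  # ex_oauth2_provider reads its configuration from the otp_app
  @config [otp_app: :my_app]

  # Steps 3 and 4: the user already has a Pow session created by the
  # PowAssent callback. For a first-party client we hand the request straight
  # to authorize/3, which validates client_id / redirect_uri / scope and issues
  # the authorization code without showing a consent page. A third-party
  # client should go through Authorization.preauthorize/3 and a consent form
  # instead, so the user can see and approve the requested scopes.
  def authorize(conn, params) do
    case Pow.Plug.current_user(conn) do
      nil ->
        conn |> put_status(401) |> json(%{error: "not_authenticated"})

      user ->
        case Authorization.authorize(user, params, @config) do
          # Regular web redirect back to the client with ?code=...
          {:redirect, redirect_uri} ->
            redirect(conn, external: redirect_uri)

          # Client registered with the "urn:ietf:wg:oauth:2.0:oob" style
          # redirect: return the code in the body for the native app
          {:native_redirect, %{code: code}} ->
            json(conn, %{code: code})

          {:error, error, status} ->
            conn |> put_status(status) |> json(error)
        end
    end
  end

  # Step 5: the native app posts grant_type=authorization_code, code,
  # client_id, client_secret and redirect_uri; Token.grant/2 validates the
  # code (single use, bound to the client) and returns the access token map.
  def token(conn, params) do
    case Token.grant(params, @config) do
      {:ok, access_token} ->
        json(conn, access_token)

      {:error, error, status} ->
        conn |> put_status(status) |> json(error)
    end
  end
end
```

The native app then sends `Authorization: Bearer <access_token>` on every API call and lets `ExOauth2Provider.Plug.VerifyHeader` and `EnsureAuthenticated` in the API pipeline resolve the user, so the Pow session is only needed for the one browser round trip through the social provider. Whether skipping the consent page is acceptable depends on the client being truly first-party; for other services acting in the user's context, the consent step in the original five-step flow is the right behaviour.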