Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement the server-side OAuth 2.0 flow #13

Merged
merged 5 commits into from
Aug 29, 2018
Merged

Implement the server-side OAuth 2.0 flow #13

merged 5 commits into from
Aug 29, 2018

Conversation

georgeclaghorn
Copy link
Contributor

@georgeclaghorn georgeclaghorn commented Aug 28, 2018
edited
Loading

Google’s sign-in JS is convenient, but it requires end users to allow third-party cookies. Some people have third-party cookies disabled by IT mandate, and more use tracker-blocking browser extensions. Our support team at Basecamp deals with issues like these frequently.

This PR replaces the google_sign_in helper with google_sign_in_button:

<%# Before: %>
<%= google_sign_in(url: session_path) do %>
  <%= button_tag("Log in with Google") %>
<% end %>

<%# After: %>
<%= google_sign_in_button("Log in with Google", proceed_to: login_url) %>

The resulting button initiates the OAuth 2.0 authorization code flow on the server. We redirect to Google for authorization and await a callback request with an authorization code. Upon receiving the authorization code, we exchange it for an ID token, store the ID token in flash[:google_sign_in_token], and redirect to the proceed_to URL. To mitigate open redirects, proceed_to is required to reside on the same origin as the Rails app.

Before, apps needed only to configure GoogleSignIn::Identity.client_id. Now, they’ll set config.google_sign_in.client_id and config.google_sign_in.client_secret instead:

# config/initializers/google_sign_in.rb
Rails.application.configure do
  # From Rails credentials:
  config.google_sign_in.client_id = credentials.dig(:google_sign_in, :client_id)
  config.google_sign_in.client_secret = credentials.dig(:google_sign_in, :client_secret)

  # From ENV:
  config.google_sign_in.client_id = ENV['google_sign_in_client_id']
  config.google_sign_in.client_secret = ENV['google_sign_in_client_secret']
end

To-do:

  • Docs
  • Tests

@dhh
Copy link
Member

dhh commented Aug 28, 2018

What a lovely level-up. Much nicer flow for the user, even when they do allow 3rd party cookies 👍

@georgeclaghorn georgeclaghorn force-pushed the server-side-flow branch 2 times, most recently from 871508b to 136713d Compare August 28, 2018 18:12
@georgeclaghorn georgeclaghorn merged commit 13dafac into master Aug 29, 2018
@georgeclaghorn georgeclaghorn deleted the server-side-flow branch August 29, 2018 16:51
@norydev
Copy link
Contributor

norydev commented Sep 28, 2018

Some people have third-party cookies disabled by IT mandate, and more use tracker-blocking browser extensions. Our support team at Basecamp deals with issues like these frequently.

I'm one of the people who had issues connecting to basecamp because of tracker-blocking and had to contact support, so thanks a lot for this upgrade 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@georgeclaghorn @dhh @norydev