Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OPDS Authentication - opds://authorize/ is not a valid value on Google #75

Open
gotson opened this issue Mar 15, 2024 · 5 comments
Open

Comments

@gotson
Copy link

gotson commented Mar 15, 2024

When trying to add opds://authorize/ for a Google OAuth2 client, this is not valid:

image
@HadrienGardeur
Copy link
Member

Hello @gotson,

I'm not surprised that this is rejected by Google as it's clearly not as secure as what they would typically expect.
Although Google mentions URIs in this screenshot, my guess is that they only expect URLs to be documented in this field.

What's your use case for using Google as an OAuth provider here?

@gotson
Copy link
Author

gotson commented Mar 18, 2024

What's your use case for using Google as an OAuth provider here?

Social login.

@HadrienGardeur
Copy link
Member

For social login, you usually want to log into another service using Google and Apple these days.

If your service is example.com, you could set up Google and Apple specific redirect URIs such as example.com/callback/google and example.com/callback/apple.

Once Google or Apple have returned their respective Access or Refresh tokens, your service can authenticate the user and then return an Access Token through the OPDS callback.

@gotson
Copy link
Author

gotson commented Apr 19, 2024

If your service is example.com, you could set up Google and Apple specific redirect URIs such as example.com/callback/google and example.com/callback/apple.

Once Google or Apple have returned their respective Access or Refresh tokens, your service can authenticate the user and then return an Access Token through the OPDS callback.

What you are referring to is that the OPDS server should also act as an OAuth2 Authorization server in a sense, in addition to being a Resource Owner.

There are existing pass through to Oauth2, for instance Komga uses OAuth2 login provided by Spring Security, where the redirect is driven by the server, but once the authentication is done, there is no need to return an Access Token. Instead, a classic session ID is returned via cookies.

Implementing the Authorization Server part is constraining.

@HadrienGardeur
Copy link
Member

What you are referring to is that the OPDS server should also act as an OAuth2 Authorization server in a sense, in addition to being a Resource Owner.

Yes, that's what the Authentication for OPDS draft was designed for. It's mostly used by public and academic libraries right now, where the user is a library patron and uses a library card to authenticate.

Instead, a classic session ID is returned via cookies.

Some catalogs return a session using cookies as well, but ideally you want to have a:

  • long lived Refresh Token that you can use only once (using the Refresh Token issues a new one)
  • and a short lived Access Token

This is optimal for avoiding attacks where one of these tokens is intercepted and re-injected back.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants