Firebase - Custom OAuth2 service - Authorization code?

There is an app that wants to authenticate with my users using OAuth2.

So they open a window with the authorize URL and parameters (such as the redirect URI).

Like: https://my-website.com/api/authLauncherauthorize?redirect=SOME_URI

Now I have my own Firebase login, and when the user logs in, I get their access token from Firebase, which is what I want to respond with.

However, in OAuth2 guides/explanations like https://aaronparecki.com/oauth-2-simplified/ I see I am supposed to return an authorization code, and I don't understand where I can get that from.

What I can do is generate a bullshit code, pair it in the DB to the access token, and then in the "token" request, send the correct access token. Is that what I am supposed to do?

Just to be clear, this is my first time writing an OAuth2 service myself.

Amit Avatar asked Mar 06 '18 09:03

Amit



2 Answers

OAuth is a system that provides authenticated access to resources. This resource can be, for example, a user page or editing rights to that user page. So your goal is to provide access to permissions to the right people.

When someone logs in, they get a token. Your part is to generate that token however you want, be it some form of user data in base64 or completely random. Take this token and link it against permissions, like viewing a page, editing it or even simpler things like viewing the email of a user.

OAuth2 tokens and/or permissions should be revokable without deleting a user. You should not use OAuth2 to identify someone.

If I am understanding your question correctly:

  1. User visits some website
  2. User wants to register or login using your website's OAuth2
  3. You redirect back to the original page and send your generated token
  4. The page can access content on your site with this token
Greaka Avatar answered Oct 11 '22 13:10

Greaka


Assuming you are the Host Site, given a User who wants to connect a 3rd party application, then the flow would be like this:

  • User lands on the site and clicks "Login with GitHub"

  • User is redirected to the GitHub site where they log in and click "Authorize"

  • GitHub redirects the user back to your site's /authorize with an auth token.

  • Your site then passes that token back to the 3rd party API (GitHub in this case) in exchange for an access token and refresh token.

  • You can then pass that Authorization token to an API endpoint to get details about it. If the token expires, you can use the refresh token to get a new Auth token. Both Tokens should be stored in your database for your user.

However, writing that all out, I realize you are asking how you generate the Authorization token, so I'm guessing you're actually the 3rd party API in this example. So you would want to generate an Authorization token using a random generator. Since you are using Firebase, you'll probably want to try out their token generator: https://github.com/firebase/firebase-token-generator-node

There's also some more up-to-date info here I believe: https://firebase.google.com/docs/auth/admin/#create_a_custom_token

And like you said, you would store that in a database associated with the user, and then when the Host Site sends that user's auth token to your server, you exchange it for the Authorization token (and a refresh token if requested).

It's also worth reading through how google does it, because you'd be doing something similar: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken

JWT is another option for generating tokens: https://jwt.io/

Xander Luciano Avatar answered Oct 11 '22 12:10

Xander Luciano
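The scheme the question describes (generate an opaque code, pair it in the database with the logged-in user, then hand out the real access token at the "token" request) and the exchange this answer lists are the standard authorization-code flow. The following is an added, self-contained Python example, not code from the question, the answers, or Firebase, that plays both sides of that exchange in memory: an authorization server that issues single-use, short-lived codes bound to a client and redirect URI, and a client that checks the `state` value before exchanging the code. The client registry, the `app1`/`s3cret` credentials, the user id and the `https://app.example/cb` redirect are constructed sample values; `AuthorizationServer`, `run_client_flow`, `rejects` and `demo` are names chosen for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_SECONDS = 600  # codes are short-lived; RFC 6749 recommends at most 10 minutes


@dataclass
class PendingCode:
    """What the server must remember between the authorize step and the token step."""
    user_id: str
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    """Minimal authorization-code issuer (hypothetical example; state is in memory)."""

    def __init__(self, clients):
        # client_id -> (client_secret, registered redirect_uri); a constructed registry
        self.clients = clients
        self.codes = {}          # code -> PendingCode, the "pair it in the DB" step
        self.access_tokens = {}  # access token -> user_id

    def authorize(self, client_id, redirect_uri, state, user_id):
        """Called after the user has logged in (e.g. via Firebase). Returns the redirect URL."""
        _secret, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(32)  # unguessable; never derived from user data
        self.codes[code] = PendingCode(user_id, client_id, redirect_uri,
                                       time.time() + CODE_TTL_SECONDS)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, client_secret, redirect_uri):
        """The token endpoint: authenticate the client, validate the code, issue the token."""
        pending = self.codes.get(code)
        if pending is None:
            raise PermissionError("unknown code")
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        if pending.used or time.time() > pending.expires_at:
            raise PermissionError("code expired or already used")
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect")
        pending.used = True  # single use: presenting the same code again fails
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = pending.user_id
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def code_from_redirect(location):
    """Pull the code out of the redirect URL the server sends the browser to."""
    return parse_qs(urlparse(location).query)["code"][0]


def run_client_flow(server, client_id, client_secret, redirect_uri, user_id):
    """The third-party app's side: build the request, verify state, exchange the code."""
    state = secrets.token_urlsafe(16)  # CSRF guard, kept in the client's own session
    location = server.authorize(client_id, redirect_uri, state, user_id)
    params = parse_qs(urlparse(location).query)
    if params["state"][0] != state:
        raise PermissionError("state mismatch: callback was not started by this session")
    code = params["code"][0]
    return code, server.token(code, client_id, client_secret, redirect_uri)


def rejects(server, code, client_id, client_secret, redirect_uri):
    """True if the token endpoint refuses this exchange."""
    try:
        server.token(code, client_id, client_secret, redirect_uri)
    except PermissionError:
        return True
    return False


def demo():
    """Happy path plus the replay check a practitioner most wants to see."""
    server = AuthorizationServer({"app1": ("s3cret", "https://app.example/cb")})
    code, resp = run_client_flow(server, "app1", "s3cret", "https://app.example/cb", "user-42")
    return {
        "user": server.access_tokens[resp["access_token"]],
        "replay_rejected": rejects(server, code, "app1", "s3cret", "https://app.example/cb"),
    }


if __name__ == "__main__":
    print(demo())
```

The code itself carries no meaning; its only job is to let the server look up which user and which client it was issued for, which is why it is bound to the client id and redirect URI, expires quickly and is marked used on first exchange. The access token the Firebase login produced (or any token the server mints) is only ever returned from the token endpoint, after the client has authenticated with its secret.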