This presentation describes best practices and considerations when using OAuth2 with native applications, and how best practices can be implemented with node in Electron and NW.js.
8. Some More About the Redirect
Request from redirected browser:
GET /oauth?code=<auth code> HTTP/1.1
Host: www.jeffstestapp.com

Jeff’s Test App exchanges auth code for access token:
POST /oauth/v2/accessToken HTTP/1.1
Host: www.linkedin.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=<auth code>&
client_id=<app client id>&
client_secret=<client secret>&
redirect_uri=<redirect uri>
9. Make Requests
GET request made by Jeff’s Test App to LinkedIn for profile data:
GET /me HTTP/1.1
Host: api.linkedin.com
Authorization: Bearer <Access Token>
15. Best Practice 2: Getting Context from the System Browser
• Use the redirect
• Custom protocol handler
• Listen locally
Example Redirect URIs
Custom protocol handler:
linkedIn://oauth?code=<auth code>
Listen locally:
http://localhost:1234?code=<auth code>
16. Best Practice 3: Use PKCE
• Alternative to secrets
• Randomly generated code
• Since secrets are out, no refresh tokens
17. Demo
• Native desktop app (Qt/PyQt)
• Opens system browser
• Spawns Node, listens on port 1234
• Node performs auth code exchange for access token
[Diagram: Jeff’s Test App spawns a Node server that listens locally; the system browser redirects to it with the auth code, and the Node server returns the token to the app]
18. Code
// Modules the handler relies on (omitted on the slide): `request` is the npm
// package the talk used for the token POST; the rest are Node built-ins.
const http = require('http')
const url = require('url')
const qs = require('querystring')
const request = require('request')
// `config.app.key` (the app's client id) and `generated_code` (the PKCE
// code_verifier created before the browser was opened) come from the app;
// placeholder values here so the file runs stand-alone.
const config = { app: { key: '<app client id>' } }
const generated_code = '<PKCE code_verifier generated when login started>'

const requestHandler = (req, response) => {
  // Pull ?code=... out of the redirect the system browser sent to localhost
  let queryString = qs.parse(url.parse(req.url).query)
  if (queryString.code) {
    let authCode = queryString.code
    let oauth2Url = 'https://www.linkedin.com/oauth/v2/accessToken'
    // PKCE exchange: code_verifier stands in for the client secret
    let form = {
      "grant_type": "authorization_code",
      "code": authCode,
      "client_id": config.app.key,
      "code_verifier": generated_code,
      "redirect_uri": "http://localhost:1234"
    }
    request.post({url: oauth2Url, form: form}, (err, httpResponse, body) => {
      if (err) {
        console.log(err)
        return   // transport error: there is no body to parse
      }
      console.log(JSON.parse(body).access_token)
      process.exit(0)
    })
  }
  response.end('Received auth code.')
}
const server = http.createServer(requestHandler)
server.listen(1234)   // the port named in redirect_uri above
19. Lessons Learned
• Don’t spawn a child process
• Use whatever tools are at your disposal in your native application (leverage Node in Electron, NW.js, for example)
20. Further Reading
• RFC 8252 -- OAuth 2.0 for Native Apps
https://tools.ietf.org/html/rfc8252
• RFC 7636 -- Proof Key for Code Exchange
https://tools.ietf.org/html/rfc7636