Reference

OAuth

OtherEvergreenPublic

OAuth is an open protocol which allows users to log into your service with an account that they already have with a third-party provider (e.g. Google, GitHub, Twitter etc.). The benefit is that the user doesn't need to maintain a separate set of credentials for each app or web service they interact with; they can just "log in with Google". The protocol is built on grants and tokens: it issues access tokens to the third-party client with the approval of the resource owner, so the client never sees the user's password.

Components

  • Profile
  • App
  • Auth

![[oauth flow.png]]
Figure 1: OAuth-based authentication between a User and a [[Supabase]]-based web app. 'Gotrue tenant' refers to the Supabase Auth server.

1. Request a user's GitHub identity

GET https://github.com/login/oauth/authorize

When your GitHub App specifies a `login` parameter, it prompts users with a specific account they can use for signing in and authorizing your app.

Parameters

| Name | Type | Description |
|---|---|---|
| `client_id` | string | **Required.** The client ID you received from GitHub when you registered. |
| `redirect_uri` | string | The URL in your application where users will be sent after authorization. See details below about redirect URLs. |
| `login` | string | Suggests a specific account to use for signing in and authorizing the app. |
| `scope` | string | A space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with `user` scope and another token with `repo` scope, a third web flow that does not provide a scope will receive a token with `user` and `repo` scope. |
| `state` | string | An unguessable random string. It is used to protect against cross-site request forgery attacks. |
| `allow_signup` | string | Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is `true`. Use `false` when a policy prohibits signups. |

2. Users are redirected back to your site by GitHub

If the user accepts your request, GitHub redirects back to your site with a temporary code in a `code` parameter as well as the state you provided in the previous step in a `state` parameter. The temporary code will expire after 10 minutes. If the states don't match, then a third party created the request, and you should abort the process.

Exchange this code for an access token:

POST https://github.com/login/oauth/access_token

Parameters

| Name | Type | Description |
|---|---|---|
| `client_id` | string | **Required.** The client ID you received from GitHub for your OAuth App. |
| `client_secret` | string | **Required.** The client secret you received from GitHub for your OAuth App. |
| `code` | string | **Required.** The code you received as a response to Step 1. |
| `redirect_uri` | string | The URL in your application where users are sent after authorization. |

Response

By default, the response takes the following form:

access_token=gho_16C7e42F292c6912E7710c838347Ae178B4a&scope=repo%2Cgist&token_type=bearer

You can also receive the response in a different format if you specify it in the `Accept` header, for example `Accept: application/json` or `Accept: application/xml`:

Accept: application/json
{
  "access_token":"gho_16C7e42F292c6912E7710c838347Ae178B4a",
  "scope":"repo,gist",
  "token_type":"bearer"
}
Accept: application/xml
<OAuth>
  <token_type>bearer</token_type>
  <scope>repo,gist</scope>
  <access_token>gho_16C7e42F292c6912E7710c838347Ae178B4a</access_token>
</OAuth>

3. Use the access token to access the API

The access token allows you to make requests to the API on behalf of a user.

Authorization: token OAUTH-TOKEN
GET https://api.github.com/user

For example, in curl you can set the Authorization header like this:

curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/user
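The three steps above, put together as an added example (this is my illustration, not code from GitHub, Supabase or Gotrue). The network is replaced by an injected `transport` callable and a constructed `fake_transport` stand-in, so the block runs offline; the client id, secret, code, token and user record are all made-up values. The example generates a per-login `state`, builds the Step 1 authorize URL, rejects a callback whose `state` does not match before touching the `code`, exchanges the code with `Accept: application/json`, and also parses the default form-encoded token response.

```python
"""GitHub OAuth web flow, steps 1-3, with an injected transport (added example)."""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"
API_USER_URL = "https://api.github.com/user"


def new_state() -> str:
    """Unguessable CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, scope="", login="", allow_signup=True):
    """Step 1: the URL the browser is sent to. Optional params are only added when set."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope          # space-delimited list, e.g. "repo gist"
    if login:
        params["login"] = login
    if not allow_signup:
        params["allow_signup"] = "false"
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull `code` from the redirect, but only if `state` matches what we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this session did not start the flow.
    if not expected_state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: aborting, request was not initiated here")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def parse_token_response(content_type: str, body: str) -> dict:
    """Accept both the default form-encoded body and the JSON body (Accept: application/json)."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "access_token" not in data:   # GitHub reports failures (expired code etc.) in an error field
        raise ValueError(f"token exchange failed: {data.get('error', 'no access_token')}")
    return data


def exchange_code(transport, client_id, client_secret, code, redirect_uri) -> dict:
    """Step 2, server side: POST the code plus client secret; the secret never reaches the browser."""
    content_type, body = transport(
        "POST", TOKEN_URL, headers={"Accept": "application/json"},
        data={"client_id": client_id, "client_secret": client_secret,
              "code": code, "redirect_uri": redirect_uri})
    return parse_token_response(content_type, body)


def fetch_user(transport, access_token: str) -> dict:
    """Step 3: call the API on the user's behalf with the Authorization header."""
    content_type, body = transport(
        "GET", API_USER_URL, headers={"Authorization": f"token {access_token}"})
    return json.loads(body)


# Constructed stand-in for GitHub's endpoints; all values below are made up.
FAKE_TOKEN = "gho_constructedExampleToken"


def fake_transport(method, url, headers=None, data=None):
    headers, data = headers or {}, data or {}
    if method == "POST" and url == TOKEN_URL:
        if data.get("code") != "constructed-code":
            return "application/json", json.dumps({"error": "bad_verification_code"})
        return "application/json", json.dumps(
            {"access_token": FAKE_TOKEN, "scope": "repo,gist", "token_type": "bearer"})
    if method == "GET" and url == API_USER_URL:
        if headers.get("Authorization") != f"token {FAKE_TOKEN}":
            return "application/json", json.dumps({"message": "Bad credentials"})
        return "application/json", json.dumps({"login": "octocat-constructed", "id": 1})
    raise RuntimeError(f"unexpected request {method} {url}")


def run_demo() -> dict:
    """Drive all three steps against the fake transport and return the user record."""
    client_id, redirect_uri = "Iv1.constructed-client-id", "https://app.example/callback"
    state = new_state()
    auth_url = build_authorize_url(client_id, redirect_uri, state, scope="repo gist")
    assert "state=" + state in auth_url
    # Simulate GitHub redirecting the browser back with a code and the same state.
    callback = f"{redirect_uri}?{urlencode({'code': 'constructed-code', 'state': state})}"
    code = parse_callback(callback, state)
    token = exchange_code(fake_transport, client_id, "constructed-secret", code, redirect_uri)
    return fetch_user(fake_transport, token["access_token"])


if __name__ == "__main__":
    print(run_demo())
```

To use it against GitHub, replace `fake_transport` with a function that performs real HTTPS requests and returns `(content_type, body)`; everything else, including the `state` check that the page says must abort the flow on mismatch, stays the same.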