# ask-a-descoper
r
Also how do you implement code flow at the end of a flow for sign in/up
g
what do you mean by ‘code flow’ at the end of a sign in/up flow?
r
Correct
g
Not quite following... what do you mean?
r
Auth Code flow is the process for OIDC where the backend gets a code and you exchange it for Access and ID tokens
g
Oh, got it - it's OIDC related. There's actually a really good document on OIDC in Descope: https://docs.descope.com/customize/auth/oidc/. We also have some great articles around integrating with other frameworks, such as Firebase, Cognito and Auth0, and we've just recently released a guide on Retool too 🙂 Let me know if this was helpful to you 🙏🏼
r
The problem is you have implicit flow, where you send the session token through the front end. I need to be able to get a secure one through the backend.
g
@orange-belgium-27264 @rapid-doctor-25622 can you please help Daniel?
o
We support both implicit (with PKCE) and explicit. You use explicit in the backend with a Descope access key as the client secret.
r
Hi Omer, is there a callback URL in the flows I can call? It seems to only be tied to social providers.
o
Our API is code exchange without a secret. We also support OIDC via standard endpoints. Can you provide more context on what you're trying to do exactly? It will help us point you in the right direction.
Are you using our SDK or a standard OIDC client?
r
Standard OIDC.
I have it built directly into Flask (Python).
I am trying to use the sign up/in widget embedded on our site using HTML.
Then, when the user completes the login, it should redirect the user with a code to our /callback.
When it hits the callback with the code, I exchange it for a token/refresh token.
Then I push the token to the user's cookies/session for access to the website.
This will also be done using Unity on our mobile app.
The trick here is I was hoping to use your login pages and flows to manage the user experience and not have to build it all out.
My concern is man-in-the-middle attacks with implicit flow.
o
Take a look at our Django plugin to see how we embed the flow in the app: https://github.com/descope/django-descope/tree/main
With implicit flow you should implement PKCE to address man-in-the-middle concerns. Standard OIDC clients should be able to handle that for you.
r
Yes, it's OK, but code flow with PKCE is really the best, and in our use case we are talking millions of dollars at stake.
So any idea around implicit flow isn't great. It's OK, but not the best.
```python
# Snippet quoted from the django-descope middleware; the imports below are the
# Descope Python SDK names it relies on. descope_client and logger are assumed
# to be set up earlier in the module, as in the plugin.
from descope import AuthException, SESSION_COOKIE_NAME, REFRESH_SESSION_COOKIE_NAME

# Both tokens are read back from the server-side Django session store
session_token = request.session.get(SESSION_COOKIE_NAME)
refresh_token = request.session.get(REFRESH_SESSION_COOKIE_NAME)
logger.debug("Validating (and refreshing) Descope session")
try:
    # Validates the session JWT and, if expired, uses the refresh token to mint a new one
    validated_session = descope_client.validate_and_refresh_session(
        session_token, refresh_token
    )
except AuthException:
    # The error handling was not included in the quoted snippet
    validated_session = None
```
I figured this is what you were doing, but it doesn't kill the original session token.
Is there any way to add a step in your process to send the user with a code as part of a flow
I thought I saw it in your social Sign-in flow
The rest is perfect. Any chance we can add that?
o
It doesn't kill the original session because it still uses it. The client hands over the session/refresh tokens to the server to manage; this was done due to the full-stack nature of Django. I would generally advise against sharing the refresh token, and only provide your app with the session token to authorize protected resources.
r
Hi Omer, so I'm stuck on getting the callback to my site from the hosted login page.