Hello, is there anyway to call graphcool’s `genera...
# prisma-whats-new
p
Hello, is there any way to call graphcool’s `generateAuthToken` from outside of a Graphcool function? I would like to use Auth0's Credentials Exchange (https://auth0.com/docs/hooks/extensibility-points/credentials-exchange) to actually embed the Graphcool token into the access token returned.
a
I actually implemented that using an Auth0 rule. You can find the PR here: https://github.com/graphcool-examples/functions/pull/77
Client Credentials Exchange only happens for non-interactive clients. The hook will not fire for interactive client login.
p
Ohhhh, thanks for that piece of information! Let me look at your pull request then.
You do confirm that this would allow for the SPA to not need to call the Schema Extension to authenticate anymore, but rather depend on Auth0 only?
I mean, this is what I’m trying to do really: use Auth0 to authenticate the user and get Graphcool’s token directly, to use it later with my GraphQL requests.
Yup, just read it on your pull request
👍🏻 1
a
That's exactly what my PR does. You use the normal Auth0 lock / Auth0.js / auth0-react-native way to log in using Auth0, and the Rule automatically sets the Graphcool token as a claim inside the Auth0 id_token
p
😍
a
Doesn't require any custom code in Graphcool 😄
p
I must start a fund for all those examples that make us write less code lol
a
I'll add a donate button to the readme 😄
😛 1
The only thing I don't like about the PR is the way you have to put the PAT into three separate meta keys
If you only use it for projects in your own Graphcool account, you could work around this by putting your client PAT hardcoded in the Rule.
p
Yup, I noticed
Also, I would add another modification (unless I misunderstood): if the user exists on Graphcool, but has signed in differently before (for example using Email instead of Facebook) then I wouldn’t re-create the user.
So I believe I would check the user email as well as their ID on Graphcool.
a
Yes, this follows the other auth0 example, where the only check is using id of the selected auth provider
👍 1
I would like to enhance that to create an identities type under User
Then check by e-mail, and add an Identity node for the User
However, not all Auth0 authentication methods use e-mail
p
I see, so you would then check the list of identities instead?
Oh no, ok, I see what you mean. Yes indeed, Facebook does not return the email sometimes for instance.
a
Well, it only does when you ask for that permission. And then you need to deal with situations where the user denies that permission
Because you can't make it required...
So it requires a lot more boilerplate code
p
I’ve had a case where the user consents, but because their email was not verified on Facebook, it did not come back anyways
So no error and no email!
But one would have to bite the bullet and establish a list of “identifying” information. I believe email and mobile phone may cover most cases.
a
Ah, good to know 🙂
Well... I would do it differently. You either sign up, using any provider, and that always creates a new user
Or you log in first, and then have an option in the UI to LINK another provider
So at that point, I'm 100% sure which existing user it is
I actually hate the combined sign up/sign in.
p
Surely, of course not all users are that organised. I did have cases where users wonder where their information went because they were unaware that they sometimes signed in with FB and sometimes with Google. They ignored the linking UI of course. Real example!
But yes, in principle I agree with you. I just seek automation when possible to avoid making the user “think”
👍🏻 1
Auth0 advice: if you want to uniquely identify users by email, only activate providers that require email validation, so you're sure you always have it.
Anyways, if I have time (or better: if you have time), it would be nice to get a PR that checks for existing user by email 👼🏻
p
I’m working on modifying the rule in your PR today. When it gets approved, I’ll do another PR on it 🙂
By the way, the way I work around the Facebook issue is to explicitly ask the user for their email when it’s the very first time they sign in using Facebook.
👍🏻 1
I also have a rule to add that claim to my token: number of logins
```js
function (user, context, callback) {
  // Namespace prefix for the custom claims
  var namespace = 'http://example.org/';
  // Expose the user's login count as a claim in the id_token
  context.idToken[namespace + 'logins_count'] = context.stats.loginsCount;
  if (user.app_metadata) {
    context.idToken[namespace + 'role'] = user.app_metadata.role;
  }
  callback(null, user, context);
}
```
a
Well, all Rules are applied, so that wouldn't interfere with each other
👍 1
You can also submit a PR to my repo if you want, just add it as an alternative rule function.
p
Alright!
There is no requirement to use a Regular Web App client by the way, no?
I mean, an SPA client on Auth0 would also work
a
Nope
Yep
p
😄