# prisma-whats-new
m
With authentication on the way (ETA?), does it make sense to implement a custom process (such as this one: https://github.com/graphcool/feature-requests/issues/39#issuecomment-308641399), or should we wait for the full authentication to be released?
d
@martin Is this for custom authentication rather than using Auth0? I'm new to webdev and assumed Auth0 handled email verification
m
Yeah. I tried Auth0 and chose to go the custom authentication route.
t
This is the only stopper for me too, we can't use Auth0 for a couple of reasons and need to use an existing system for user authentication.
d
Thanks martin. Can you link me to the roadmap/article regarding a built in graphcool authentication service?
t
@dk0r I think he was possibly referring to this https://github.com/graphcool/feature-requests/issues/88
d
hmm. Just wondering, what limitations/use-cases are requiring you guys to roll your own authentication and not use Auth0 ?
t
So here is my situation: the company I work for has a website (e-commerce) with user accounts. The existing website has OAuth 2 which is great.
In the mobile app, users can enter their website credentials to receive an access token, I want to be able to send that access token to GraphCool to authenticate them.
(Graphcool could do a quick check with our website to confirm it is valid and send back an access token for the Graphcool system)
Auth0 did look like a viable solution, as you could add a custom auth provider (our website) and then get an auth0 token for the user by supplying their access_token for the ecommerce website, but they have removed this particular flow
(Auth0 would attempt to get the user profile using the website access token and if it succeeded the client would be returned an Auth0 token)
Sorry for the wall of text!
d
no need for apologies, I appreciate the explanation --I'm new to the scene and it's great info for me.
t
It's also nice for me to vent a little 😛 I need to kick off this project imminently and none of the platform as a service providers seem to support my use case 😰
d
1) are you certain Auth0 simply killed off the custom auth flow you need w/out providing any alternative to customers dependent on the feature?
2) What's the reason you cannot do a rewrite to Auth0?
t
They deprecated it a few weeks ago, they recommend using the Authentication Code Exchange flow, but this requires using an in-app browser the users need to use for login
Auth0 then takes the code and exchanges it for an access_token on their end
But the mobile app needs the access token too, as it needs to call the ecommerce platform for a few things
(Not to mention Auth0 is expensive)
I'm not sure I understand "rewrite to Auth0"?
d
1) I assume you're supporting older Android APIs that don't include in-app browsers?
2) By rewrite, I mean.. just simply convert to Auth0 rather than maintaining your own auth service
t
^ Hard requirement for native sign-in UI
d
is that a hard requirement on iOS only?
t
Both platforms
d
I mean, isn't that how social auth works? via an in-app browser?
t
It's not going to be possible to move all authentication to Auth0 sadly!
d
hmm
is that a design constraint, or?
t
There is a social oauth flow called "Resource Owner Credentials" where you can exchange username+password for an access token directly, used when the client can be trusted with credentials (ie: first party app)
yes, it is a design constraint
d
btw, the OP here from martin seems to indicate there's an ETA, but I did not detect any sense of immediacy from the comments @ https://github.com/graphcool/feature-requests/issues/88
I see, and a first party app would be something like the facebook/twitter apps?
t
Yup!
d
@tomhut ...so
what are you going to do?!
seems like you have no viable options?
t
Sulk
d
Well, let me know if you get any ideas --interested to know how this progresses for you
t
I will do, the only thing I can think of is to write a function that gets called before the login mutation, makes a call to the e-commerce website to verify and then edits the password to a generic value for all users
It's a 'hack' but it may work
(this would be built on top of the graphcool username+password system)
a
Would anonymous authentication (e.g.: using a secret token) work for your use case?
Because that's supported in Graphcool
t
@agartha Would that support access controls on a user level basis? ie: users can only delete objects they own
Or are all users anonymous
a
Yes, it's authentication, so you end up with a user in GC
only you authenticate based on a secret
t
@agartha Is there any way to write a function on graph.cool when the user logs in using anonymous auth so I can verify the token?
a
That's the built in mutation that comes with it.
It works like this: you store the secret somewhere, then the authentication mutation authenticates against that stored secret for the user
And I'm working on a Facebook Account Kit example based on the same anonymous authentication integration
It's good to know that the USER CREATE function hook fires nicely for the authenticate mutation
So you can get your user data from the external system there
t
Interesting! Apologies for the delay in my response - reading up on it!
a
No worries! Take your time, it took me 30 mins to respond 🙂
t
The only issue I can foresee is if I use the access_token from the ecommerce platform as the secret, if they log in on a new device the access_token will change
And they will be assigned a new graph.cool user
a
Well, if you know about that event, can you update the secret from your ecommerce platform?