Using OAuth for both development and production environments

后端 未结 3 1110
孤街浪徒
孤街浪徒 2021-02-14 07:20

I have seen other questions on SO about this (here, here, and here), but I am not satisfied with any of the solutions, so I am asking it again. I am starting a web application t

相关标签:
3条回答
  • 2021-02-14 07:40

    I can't speak for FB or Twitter, but in Google's Oauth implementation you can register several oauth callback URLs. So you simply need some logic in your app which senses that it is in test mode, and then starts the Oauth flow with the appropriate callback URL. There are downsides, eg clashes between the live and the test refresh tokens, but they are manageable.

    In my app I have a singleton which manages all of this. When my app needs to start an Oauth flow it calls the singleton with the request URL and any other salient data (eg. debug flag) and the singleton returns the correct callback URL, client ID etc.

    0 讨论(0)
  • 2021-02-14 07:43

    I have yet to find a less manual approach that enables dev access to all concerned devices:

    1. Assign each developer's machine a fixed IP through the local network's DHCP system based on their MAC address, or (less recommended) have them choose an IP and hope for the best
    2. (optional*) Assign each developer's machine a DNS hostname in the local network based on that IP
    3. Register an oauth entry for developer on each provider with the hostname of the developer's machine.
    4. Each developer configures their application to use their unique oauth dev tokens.

    Assuming all the devices in the network rely on the same DHCP and DNS servers you'll then be able to visit alice.dev.myapp.com or bob.dev.myapp.com from any device on the network.

    Note, you'd manage the oauth configuration for each an every other environment separately, but following the same approach.

    There are likely tools to automate registering a developer's machine IP and hostname to ease that part of the puzzle. Registering the oauth config on each provider per dev is the most tedious step.

    UPDATE

    *You can skip the DNS part if you use a xip.io url e.g. 10.0.0.123.xip.io if you know Alice is 10.0.0.123, but you'd still want that IP to be fixed as you don't want to keep updating the url for the oauth tokens in step 4.

    0 讨论(0)
  • 2021-02-14 07:48

    I posted the following answer about a rails app I wrote:

    OAuth2 in development and production

    It was a gem called figaro which did per env configs for google OAuth2.

    0 讨论(0)
提交回复
热议问题