# How to handle OAuth authentication


bright night
#

I'm trying to implement authentication through Twitch's OAuth. The more I read their documentation, the more I wonder whether the authentication really has to be on the server side: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth
How I wanna proceed:

  1. Ask the user to authenticate through twitch
  2. Send the user's information (id, login, display_name) to the backend when connecting to a websocket server (to keep it in a behavior subject only for the duration of a game)
  3. When the user sends an event to the WS server, I wanna recognise him with this information (probably mostly his id)
    => I'd also like to use the user's access_token / refresh_token to "refresh" his session (if needed?? not sure about this)

bright night
#

Nobody can help on it? 😢

grave spindle
#

Does PassportJS not have a strategy for it?

bright night
#

To be frank, I do not know PassportJS at all

#

I indeed have a Twitch strategy from PassportJS but I simply have a validate method for it! It works with express sessions, but I'm not sure this is what I'm looking for

#

Moreover there would be many users connected at once on the app, and I read that sessions weren't good for scaling and that tokens sent to the front were better for that

grizzled blade
#

I read that sessions weren’t good for scaling
The scale that people are talking about for this is upper tens to hundreds of thousands or more people using the application at the same time, just FYI

#

Generally, OAuth flow is something like:

  1. Send client to OAuth portal with application specific id and maybe secret
  2. Client logs in with identity provider
  3. Identity provider verifies client
  4. Identity provider calls back to your server with access token and refresh token
  5. Your server can now call identity provider's identification endpoint (usually something like /me or /profile) with access token
  6. Identity provider provides data allowed via access token
  7. Your server saves basic user info in database and hands back authorization token to client (session, jwt, what have you)

bright night
#

Oh okay! Thanks for the information! That should indeed be enough for me hahaha!

#

Okay I think I got it! I actually already have the redirection to the OAuth service with the access / refresh token and user info! The only thing I don't really understand is how I could use this information to authenticate my WS events! And to do so, I don't see any other option than passing these tokens to the client, but I don't see how!

bright night
#

Okay I see! And about a session token, is it with the express-session package that you do that? Because I did it but couldn't find it anywhere on my client!

grizzled blade
#

All depends how you manage your sessions. Also note that express middleware might not be perfectly compatible with websockets

bright night
#

Okay! And would JWT be better then?

grizzled blade
#

Can't say. Better is very relative and you know your system better than me

bright night
#

Yeah sure! I need to try with a jwt then