I want to build three example apps. One will be a sinatra oauth2 provider and second will be rails app with angular.js on frontend and rails on backend and third with sinatra on backend and angular.js on frontend.
Our Rails/Sinatra app will be authenticate users using satelizer and our custom provider.
These is our Oauth2 workflow right now.
- Using Satellizer we get the authorization code from provider. We send this code to our backend.
- In backend using this authorization code, secret key and other params, we send an request to provider to get an access token.
- Using this obtain access token we call
'/me'
action to get an uid, email and other user attributes from provider. - In the same action we parse the response body and we find or create user based on uid.
- We are wondering about this step which should somehow set the user's authentication token.
- store the provider access token in user database record.
- generate new authentication token and change it on every request
- Generate JWToken with user uid and token and send it back to satellizer.
- Then on each request Satellizer include Bearer JWToken in header. After recive request our backend verify header token stored in database and call sing_in method in our case
devise(sign_in, store: false)
maybe in sinatra app we will use warden.
What do you think about this concept? Maybe we are missing something. These is our first oauth2 authentication implementation and we are worried about it.