Using OAuth for both development and production environments

I have seen other questions on SO about this (here, here, and here), but I am not satisfied with any of the solutions, so I am asking it again. I am starting a web application that will utilize OAuth from multiple providers (Google, Facebook, Twitter, Yahoo) for authentication. I am struggling to find a configuration suitable to use for both a local development environment and a production environment.

The leading solutions I've found are to register multiple apps within each provider, receiving a different consumer key and secret for each:

"My App Production" - with a callback URI to http://www.myapp.com/callback

"My App Development" - with a callback URI to http://local.myapp.com/callback

Add an entry to your local hosts file to point local.myapp.com to 127.0.0.1 and some configuration for your application to use the proper consumer keys based on the environment, and you are good to go, right?

But my application is responsive and I need to test my development environment running on my PC from multiple other devices, like my iPhone and iPad, neither of which will be able to resolve the development callback URI.

Let's say I already have a DNS server on my network and am able to add the entry for local.myapp.com there instead of my local hosts file and can now access my development instance from any device on the network.

But my development team all operates on the same local network. Now local.myapp.com points to the same IP for everyone. Let's go back to setting the hosts file on each developer's computer so that they can all work independently from within their workstation. Now no one can test their development instance from their iPhone again. It hardly seems like the right answer for each developer to register an application with the provider just so they can specify a unique callback URI.

Normally when I get way down in the weeds with a complicated solution for a seemingly straightforward issue, it usually means I'm doing something fundamentally wrong. Am I missing something about OAuth, is it not intended to be used like this? I am tempted to scrap OAuth altogether and just go with OpenID (no app registration required and can specify the callback URI from within the app), but then I lose two of the big hitters in Facebook and Twitter. I don't really need any of the user's data, it's just a nice to have if it's available. Can someone talk me back into OAuth?

Packhorse answered 27/11, 2013 at 3:46

Is just for testing right? Why not have each web app as a virtual directory? – Suiter

I don't really follow what you are getting at. Can you elaborate? – Packhorse

Did you ever find a solution? I'm struggling with the exact same thing; the oauth providers don't allow wildcards in the origin so I can't have alice.dev.myapp.com and bob.dev.myapp.com, but if all developers share dev.myapp.com I don't know how to point the tablets and phones at the correct developer. Creating an oauth entry point per developer seems to be the only way. – Obelize

I've added my manual solution below. But I'm curious to hear if you've found a better way. – Obelize

I can't speak for FB or Twitter, but in Google's Oauth implementation you can register several oauth callback URLs. So you simply need some logic in your app which senses that it is in test mode, and then starts the Oauth flow with the appropriate callback URL. There are downsides, eg clashes between the live and the test refresh tokens, but they are manageable.

In my app I have a singleton which manages all of this. When my app needs to start an Oauth flow it calls the singleton with the request URL and any other salient data (eg. debug flag) and the singleton returns the correct callback URL, client ID etc.

Tarim answered 28/11, 2013 at 4:24

Sure, I can handle the logic to know if it's production or development and use the right consumer key/secret. But what about testing from my iPhone in dev with a callback URI that my iPhone can't resolve? I need to test from mobile devices in development. – Packhorse

So this is a DNS issue? Use something like AWS Route 55 and register your dev server there so it resolves publicly. Can iPhone be configured to use a proxy server? If so, maybe you could also solve your problem with some proxy routing rules. If it helps, I'll happily set up a dev server as a subdomain on one of the domains I manage. – Tarim

I posted the following answer about a rails app I wrote:

OAuth2 in development and production

It was a gem called figaro which did per env configs for google OAuth2.

Kindly answered 27/11, 2013 at 23:8

That just looks like a fancy tool for managing properties files. What about testing my application running on my PC from my iPhone when the OAuth callback goes to local.myapp.com? – Packhorse

I have yet to find a less manual approach that enables dev access to all concerned devices:

  1. Assign each developer's machine a fixed IP through the local network's DHCP system based on their MAC address, or (less recommended) have them choose an IP and hope for the best.
  2. (optional*) Assign each developer's machine a DNS hostname in the local network based on that IP.
  3. Register an oauth entry for each developer on each provider with the hostname of the developer's machine.
  4. Each developer configures their application to use their unique oauth dev tokens.

Assuming all the devices in the network rely on the same DHCP and DNS servers you'll then be able to visit alice.dev.myapp.com or bob.dev.myapp.com from any device on the network.

Note, you'd manage the oauth configuration for each and every other environment separately, but following the same approach.

There are likely tools to automate registering a developer's machine IP and hostname to ease that part of the puzzle. Registering the oauth config on each provider per dev is the most tedious step.

UPDATE

*You can skip the DNS part if you use a xip.io url e.g. 10.0.0.123.xip.io if you know Alice is 10.0.0.123, but you'd still want that IP to be fixed as you don't want to keep updating the url for the oauth tokens in step 4.

Obelize answered 19/11, 2014 at 23:16
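Both Tarim's answer (one provider registration carrying several callback URLs, with the app picking the right one when it senses test mode) and Obelize's steps 3 and 4 (one registration per developer hostname, each developer wired to their own tokens) come down to the same piece of application logic: resolve the request's hostname to a pre-registered client and redirect URI, and never build the callback from the Host header directly. The following Python is an added example of that resolver, not code from the question or from any of the answers; the hostnames, client IDs, secret variable names and authorization endpoint are constructed placeholders.

```python
# Added example: environment-aware OAuth client resolver for the setups
# described in the answers above. All hosts, IDs and endpoints are constructed.
import os
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit


@dataclass(frozen=True)
class OAuthClient:
    """One app registration at a provider plus every redirect URI registered for it."""
    client_id: str
    client_secret: str
    redirect_uris: tuple  # the provider matches these exactly; send one verbatim


def _secret(name: str) -> str:
    # Secrets are read from the environment so per-developer secrets never get committed.
    return os.environ.get(name, f"<unset:{name}>")


# Tarim's approach: a single client with several registered callbacks (Google allows this).
PROD_CLIENT = OAuthClient(
    client_id="prod-client-id",
    client_secret=_secret("OAUTH_PROD_SECRET"),
    redirect_uris=("https://www.myapp.com/callback", "http://local.myapp.com/callback"),
)

# Constructed allowlist: every hostname the app is served on, mapped to the client
# registered for it. Obelize's approach gives each developer host its own client.
REGISTRY = {
    "www.myapp.com": PROD_CLIENT,
    "local.myapp.com": PROD_CLIENT,
    "alice.dev.myapp.com": OAuthClient(
        "alice-dev-client-id", _secret("OAUTH_ALICE_SECRET"), ("http://alice.dev.myapp.com/callback",)
    ),
    "bob.dev.myapp.com": OAuthClient(
        "bob-dev-client-id", _secret("OAUTH_BOB_SECRET"), ("http://bob.dev.myapp.com/callback",)
    ),
}


def normalize_host(host: str) -> str:
    """Drop an optional port and lowercase: 'Alice.dev.myapp.com:3000' -> 'alice.dev.myapp.com'."""
    return host.split(":", 1)[0].strip().lower()


def resolve_client(host: str) -> OAuthClient:
    """Look the request's Host up in the allowlist. The header is caller-controlled, so it
    only selects a pre-registered client; it is never used to construct a callback URI."""
    key = normalize_host(host)
    if key not in REGISTRY:
        raise ValueError(f"no OAuth client registered for host {key!r}")
    return REGISTRY[key]


def select_redirect_uri(client: OAuthClient, host: str, scheme: str) -> str:
    """Return the registered redirect URI whose scheme and host match the current request."""
    key = normalize_host(host)
    for uri in client.redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme == scheme and parts.hostname == key:
            return uri
    raise ValueError(f"client {client.client_id} has no registered callback for {scheme}://{key}")


def build_authorize_url(authorize_endpoint: str, host: str, scheme: str = "https",
                        scope: str = "openid email", state: str = ""):
    """Start the authorization-code flow for whichever environment served this request.
    Returns (url, state); the caller stores state in the session and checks it on callback."""
    client = resolve_client(host)
    redirect_uri = select_redirect_uri(client, host, scheme)
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client.client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state


if __name__ == "__main__":
    # Alice's phone hits her workstation by hostname, so the lookup lands on her own client.
    url, _ = build_authorize_url("https://provider.example/authorize",
                                 "alice.dev.myapp.com:3000", "http", state="demo")
    print(url)
```

The lookup is keyed on the hostname the device actually used, which is exactly why the answers insist on a resolvable, fixed name per developer: a phone that reaches the app as `alice.dev.myapp.com` gets Alice's registered callback, and a request under any host not in the registry is refused rather than echoed back to the provider.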
