
WIP: (feat): Minds OAuth Clients #1620

Adam Watson requested to merge (removed):feat/oauth-clients-1620 into master

Closes issue #1620 (closed).

Video demo: https://www.loom.com/share/212cf9bf33c84e85ab2307ef6f2915a7

Import the following Postman collection to try the API calls in the video.

https://drive.google.com/file/d/14Iv6rN4ruVEMOqmXrodMH4Uv6ltRMkzY/view?usp=sharing

Summary of OAuth flow

  1. Third-party developer makes a new client in Minds settings. Receives client id and secret.

  2. Third-party website has a special link to minds.com. User clicks that link. Page asks if user wants to connect this app. User clicks "allow".

  3. Redirect the user back to the third-party website. Third-party website grabs code from the url parameter.

  4. Third-party website sends that code and the client secret to Minds. Minds returns an access token. Third-party website can now act on behalf of that user on Minds. Example: third-party website can post to the user's Minds newsfeed.

Notes

  • the Cassandra database will need a new table called oauth_clients. The code to create it is in engine/Core/Provisioner/Provisioners/cassandra-provision.cql

  • the authorization screen still needs to be created. It's the screen where Minds asks the user for permission for the app to connect.

  • for now, the apps will have full API access to the user's account. We'll need to use middleware to allow/disallow certain endpoints based on the client_id the user's access token is from.

  • the Postman examples use the Authorization header for convenience. Normally the cookies from the browser would be used instead for most of the cases in that collection.

Scopes solution

The best solution would be to make separate routes for third-party API requests. Example: /api/v2/third-party/newsfeed. These third-party routes would use a new middleware to verify the access token and client id. This means existing routes would not need to query the oauth_clients table, which would slow down every request from the website and mobile app.

We'd need to add code to Core/Router/Middleware/Kernel/OauthMiddleware.php to get the client id and scopes based on the access token in the request.

Edited by Adam Watson
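The flow summarised in the description (steps 1 to 4) together with the proposed scope-checking middleware, modelled as an added, language-neutral Python example. This is not the MR's PHP code and does not touch the Minds engine, Cassandra or the `oauth_clients` table; the in-memory dictionaries, the `user-1` GUID, the `https://thirdparty.example/callback` redirect URI and the scope names `newsfeed:write` / `wallet:read` are all constructed for the example. It shows the checks a practitioner would want on the code exchange (client secret compared in constant time, code bound to client and redirect URI, short-lived and single-use) and the route gate that denies a token whose client was not granted the scope the route needs, which is the restriction the "Scopes solution" section proposes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 60  # seconds an authorization code stays valid (constructed value)

@dataclass
class Client:
    client_id: str
    secret_hash: str      # only a hash of the secret is stored server-side
    redirect_uri: str     # registered once; the callback must match exactly

@dataclass
class AuthCode:
    client_id: str
    user_guid: str
    redirect_uri: str
    scopes: frozenset
    expires_at: float
    used: bool = False

@dataclass
class AccessToken:
    client_id: str
    user_guid: str
    scopes: frozenset

def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class OAuthServer:
    """In-memory stand-in for the oauth_clients table plus code/token storage."""

    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    def register_client(self, redirect_uri):
        # Step 1: developer creates a client; the plaintext secret is shown once.
        client_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = Client(client_id, _hash_secret(secret), redirect_uri)
        return client_id, secret

    def authorize(self, client_id, user_guid, redirect_uri, scopes, now=None):
        # Step 2: the user clicked "allow"; mint a code bound to client, user,
        # redirect URI and the scopes the user consented to.
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client.redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self.codes[code] = AuthCode(client_id, user_guid, redirect_uri,
                                    frozenset(scopes), now + CODE_TTL)
        return code

    def exchange_code(self, client_id, client_secret, code, redirect_uri, now=None):
        # Step 4: the third-party backend trades code + secret for an access token.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.secret_hash, _hash_secret(client_secret)):
            raise PermissionError("invalid client credentials")
        auth = self.codes.get(code)
        if auth is None or auth.used or auth.client_id != client_id or auth.redirect_uri != redirect_uri:
            raise PermissionError("invalid authorization code")
        now = time.time() if now is None else now
        if now > auth.expires_at:
            raise PermissionError("authorization code expired")
        auth.used = True  # single use: a replayed code must fail
        token = secrets.token_urlsafe(32)
        self.tokens[token] = AccessToken(client_id, auth.user_guid, auth.scopes)
        return token

    def authorize_request(self, bearer_token, required_scope):
        # Middleware for the third-party routes: resolve the token to its client
        # and scopes, then gate the route on the scope it needs.
        tok = self.tokens.get(bearer_token)
        if tok is None:
            return None, "invalid access token"
        if required_scope not in tok.scopes:
            return None, f"scope '{required_scope}' not granted to client {tok.client_id}"
        return tok, None

def _rejected(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False

def run_scenario():
    """Walk the full flow once and report which checks fired (constructed data)."""
    srv = OAuthServer()
    cb = "https://thirdparty.example/callback"
    cid, secret = srv.register_client(cb)
    code = srv.authorize(cid, "user-1", cb, ["newsfeed:write"], now=1000.0)
    token = srv.exchange_code(cid, secret, code, cb, now=1010.0)
    ok, _ = srv.authorize_request(token, "newsfeed:write")
    denied, _ = srv.authorize_request(token, "wallet:read")
    stale = srv.authorize(cid, "user-1", cb, ["newsfeed:write"], now=1000.0)
    return {
        "write_allowed": ok is not None and ok.user_guid == "user-1",
        "read_denied": denied is None,
        "replay_rejected": _rejected(lambda: srv.exchange_code(cid, secret, code, cb, now=1011.0)),
        "bad_secret_rejected": _rejected(lambda: srv.exchange_code(cid, "wrong", stale, cb, now=1011.0)),
        "expired_rejected": _rejected(lambda: srv.exchange_code(cid, secret, stale, cb, now=1100.0)),
        "bad_token_rejected": srv.authorize_request("not-a-token", "newsfeed:write")[0] is None,
    }

if __name__ == "__main__":
    print(run_scenario())
```

Because `authorize_request` resolves client id and scopes from the token itself, only the dedicated third-party routes pay the lookup cost; first-party routes served from browser cookies never consult the client store, which is the performance argument the description makes for keeping the two route families separate.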
