Skip to content

PRO-8013: comprehensive solution to support atypical passport strategies #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
boutell merged 13 commits into from
Jul 7, 2025
Merged

PRO-8013: comprehensive solution to support atypical passport strategies #31

boutell merged 13 commits into from
Jul 7, 2025

Conversation

@boutell
Copy link
Member

@boutell boutell commented Jul 3, 2025

This has been tested:

  • For the new use case. See:

apostrophecms/starter-kit-assembly-essentials#130

  • For existing, more typical use cases, to ensure no regression. See:

apostrophecms/starter-kit-essentials#75

@boutell boutell requested a review from haroun July 3, 2025 19:23
@linear
Copy link

linear bot commented Jul 3, 2025

PRO-8013 Gryphtech unable to unable to get the login to work correctly even after trying to implement OIDC for SSO following the reference

boutell
boutell commented Jul 3, 2025
View reviewed changes
README.md
### Working with passport strategies that expect different arguments to the `verify` callback

All passport strategies expect us to provide a `verify` callback. By default, `@apostrophecms/passport-bridge` passes its `findOrCreateUser` function as the `verify` callback, which works for many strategies including `passport-oauth2`, `passport-github2` and `passport-gitlab2`. For other strategies, you can pass an explicit `verify` option which will remap the strategy `verify` method with `@apostrophecms/passport-bridge` `findOrCreateUser` method.
All passport strategies expect us to provide a `verify` callback. By default, `@apostrophecms/passport-bridge` passes its `findOrCreateUser` function as the `verify` callback, which works for many strategies including `passport-oauth2`, `passport-github2` and `passport-gitlab2`. For other strategies, you can pass an explicit `verify` option which will remap the strategy `verify` method to our `@apostrophecms/passport-bridge` `findOrCreateUser` method.
Copy link
Member Author

@boutell boutell Jul 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made some wording improvements regarding verify, I didn't change it.

boutell
boutell commented Jul 3, 2025
View reviewed changes
README.md

That function accepts the normal verify callback from the passport bridge module, and returns an alternative function which accepts `req`, plus the arguments that are typical for `passport-auth0` or the strategy of your choice, and then invokes the normal verify callback with the arguments it expects, returning the result.

### Working with `oidc-client` and other passport strategies that don't follow typical patterns
Copy link
Member Author

@boutell boutell Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's the juicy new feature.

boutell
boutell commented Jul 3, 2025
View reviewed changes
index.js

for (const strategy of self.options.strategies) {
const spec = klona(strategy);
for (let spec of self.options.strategies) {
Copy link
Member Author

@boutell boutell Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

freeing up the variable name strategy for the actual strategy object.

boutell
boutell commented Jul 3, 2025
View reviewed changes
index.js
// sensibly. But we can do it by making a dummy strategy object now
const dummy = new Strategy({
callbackURL: 'https://dummy/test',
const dummy = await factory({
Copy link
Member Author

@boutell boutell Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this edge case will rarely be used with a factory function, but must be thorough

boutell
boutell commented Jul 3, 2025
View reviewed changes
index.js
self.strategies[spec.name] = strategy;
self.apos.login.passport.use(strategy);
if (strategy._oauth2) {
// This will only work with strategies that actually have an _oauth2 object
Copy link
Member Author

@boutell boutell Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not everything is oauth2 based. Oops. A bug fix.

Copy link
Member Author

@boutell boutell Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this we get a crash with strategies that can't support automatic token refresh. Which isn't even important unless you're reusing the tokens for API calls.

haroun
haroun approved these changes Jul 4, 2025
View reviewed changes
Copy link
Contributor

@haroun haroun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are tiny request changes in the doc, the rest is ok

boutell and others added 2 commits July 7, 2025 08:32
@boutell @haroun
Update README.md
695b417 
Co-authored-by: haroun <[email protected]>
@boutell @haroun
Update README.md
e951d6a 
Co-authored-by: haroun <[email protected]>
@boutell boutell merged commit 12123e1 into main Jul 7, 2025
9 checks passed
@boutell boutell deleted the pro-8013 branch July 7, 2025 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@haroun haroun haroun approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@boutell @haroun