
In my Rails app, I am trying to set a cookie to be picked up by Ember Simple Auth's cookie store after the page has loaded. I am using the Ember Simple Auth OAuth2 authorizer.

Right now, I am just planting the OAuth data directly as the cookie value:

{
  "token_type": "bearer",
  "access_token": "3ec78864cc017982fdeeb0c092bfbea3f104df1e18c9c67f222581d9353f3fce",
  "refresh_token": "cb03c07b8845ea7b40251b0df46839177bd7b51b3dd1d23f167890b9e1549f07",
  "created_at": 1436454055,
  "expires_in": 7060,
  "expires_at": 1436461254
}

I'm guessing this isn't what Ember Simple Auth expects because the syncData function reads it once and then replaces it with this value after the next cookie poll:

{ secure: {} }

What should the data look like for OAuth 2? I'm guessing it's the same no matter how it's stored (cookie vs. local storage vs. ephemeral storage).

After looking at this screenshot from this post, I figure I'm probably way off, and I've been having trouble understanding where to poke around in the Ember Simple Auth source to figure this out.

Chris Peters

2 Answers


Ember Simple Auth only uses the cookie to store its internal state. The cookie cannot be set from the server and also should not be used on the server side. The library is solely meant for implementing token authentication for stateless (= cookie-less) APIs.

See the README for more info about how OAuth 2.0 works with ESA: https://github.com/simplabs/ember-simple-auth/tree/master/packages/ember-simple-auth-oauth2#ember-simple-auth-oauth-20

marcoow
  • The API happens to be stateless. I was hoping to have a 2nd Rails app as a proxy that authenticates the user and then injects a lot of data into the HTML before passing off to Ember. I don't even know that FastBoot would be helpful in this situation if its main purpose would be to serve the login screen to the user. (I'm interested in the Rails proxy serving what happens _after_ the login screen.) – Chris Peters Jul 09 '15 at 17:06
  • APIs using cookies are generally not considered stateless. Anyhow, the way you're trying to use Ember Simple Auth was never an intended use case for the library and isn't going to work. You'll need to authenticate the client via an authenticator and then use an authorizer to authorize requests. – marcoow Jul 10 '15 at 07:13
  • The API doesn't use cookies. I never said that. :) I understand from your explanation that Ember Simple Auth wasn't designed for what I had in mind. That's fine, and I am currently looking into other options, including scrapping the proxy app idea or even perhaps writing my own authentication logic. Seriously, I appreciate the time you took to answer my question and consider the craziness that I am pursuing. – Chris Peters Jul 10 '15 at 13:01

I believe that Marco's advice in the accepted answer should be followed if at all possible.

But, poking around a little more, I figured out that the cookie content would need to look like this in order for Ember Simple Auth OAuth 2 to recognize it:

{
  "secure": {
    "authenticator": "simple-auth-authenticator:oauth2-password-grant",
    "token_type": "bearer",
    "access_token": "3ec78864cc017982fdeeb0c092bfbea3f104df1e18c9c67f222581d9353f3fce",
    "refresh_token": "cb03c07b8845ea7b40251b0df46839177bd7b51b3dd1d23f167890b9e1549f07",
    "created_at": 1436454055,
    "expires_in": 7060,
    "expires_at": 1436461254
  }
}

Of course, there are some drawbacks to this approach, namely that upgrading Ember Simple Auth could break if it changes the format of how it stores this data.

If you set cookies from another app like I'm attempting to do, you'd need to be mindful about reviewing this format after each update of Ember Simple Auth. The best way to accomplish this is to create a blank Ember app with Simple Auth installed and configured, then review the format of the data that it stores after you sign in to the app.

Chris Peters
  • The best way to authenticate an Ember app using Ember Simple Auth from a cookie set in another app is really to implement a custom authenticator that reads that cookie and authenticates accordingly. That way you make sure you're not depending on ESA internals and encapsulate the dependency on the cookie from the other application in the custom authenticator. – marcoow Jul 20 '15 at 19:17
  • Yeah, I was poking around at the Heroku dashboard, which appears to be doing something similar to what I'm trying to accomplish. (Their server injects user data into `window.ENV` in the HTML markup.) I'm guessing that they may be doing exactly what you describe. They're even using Ember Simple Auth! – Chris Peters Jul 20 '15 at 20:10
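As an added example (not code from the question, the answers, or Ember Simple Auth itself), a Rails-side Ruby helper that builds the wrapped cookie value described in the second answer and a check that flags the bare format from the question; the function names are hypothetical, and the authenticator name is the one quoted in the answer.

```ruby
require 'json'

# Authenticator name ESA writes into the cookie for the OAuth 2 password
# grant, as quoted in the second answer. ESA internals may rename it.
ESA_AUTHENTICATOR = 'simple-auth-authenticator:oauth2-password-grant'.freeze
REQUIRED_TOKEN_FIELDS = %w[token_type access_token expires_at].freeze

# Wrap a raw OAuth 2 token response (the hash the question stored directly)
# in the shape ESA's stores expect: a "secure" object carrying the
# authenticator name plus the token data. Writing the bare response is what
# ESA replaces with { "secure": {} } on the next cookie poll.
# Note: ESA's cookie store reads this from JavaScript, so the cookie cannot
# be HttpOnly and the tokens are readable by any script on the page's origin.
def esa_cookie_value(oauth_response)
  data = oauth_response.transform_keys(&:to_s)
  JSON.generate('secure' => { 'authenticator' => ESA_AUTHENTICATOR }.merge(data))
end

# Inspect a cookie value (e.g. one captured from a blank ESA app after a real
# sign-in, as the answer suggests) and report why it would not be accepted.
# Returns [] when it looks usable; rerun after each ESA upgrade to catch a
# changed storage format before it breaks the proxy app.
def esa_cookie_problems(cookie_value, now: Time.now.to_i)
  begin
    parsed = JSON.parse(cookie_value)
  rescue JSON::ParserError
    return ['cookie value is not valid JSON']
  end
  secure = parsed['secure']
  return ['missing top-level "secure" object'] unless secure.is_a?(Hash)

  problems = []
  unless secure['authenticator'] == ESA_AUTHENTICATOR
    problems << "authenticator is not #{ESA_AUTHENTICATOR}"
  end
  REQUIRED_TOKEN_FIELDS.each { |f| problems << "missing #{f}" unless secure.key?(f) }
  if secure['expires_at'].is_a?(Integer) && secure['expires_at'] <= now
    problems << 'token already expired'
  end
  problems
end
```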