Skip to content
This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Allow passing the value of "approval_prompt" as a flag or option. #131

Merged
merged 1 commit into from
Aug 27, 2015
Merged

Allow passing the value of "approval_prompt" as a flag or option. #131

merged 1 commit into from
Aug 27, 2015

Conversation

ebardsley
Copy link
Contributor

No description provided.

@jehiah
Copy link
Member

jehiah commented Jul 27, 2015

Hi @ebardsley Thanks for the contribution.

Can you share what provider you were adding this for? I think the feature could be useful but i need to think about implementation as i imagine different providers handle approval prompts differently.

@ebardsley
Copy link
Contributor Author

I'm using this w/ Google as the provider. Previously, Google Accounts would
prompt me for "offline access" when going through the Oauth flow when I was
already logged into the Google account; with this, it just redirects back
to the protected site and login is "transparent".

On Mon, Jul 27, 2015 at 9:25 AM, Jehiah Czebotar notifications@github.com
wrote:

Hi @ebardsley https://github.com/ebardsley Thanks for the contribution.

Can you share what provider you were adding this for? I think the feature
could be useful but i need to think about implementation as i imagine
different providers handle approval prompts differently.


Reply to this email directly or view it on GitHub
#131 (comment).

@jehiah
Copy link
Member

jehiah commented Jul 28, 2015

@ebardsley Thanks that context is helpful.

What version of oauth2_proxy were you using? Some recent changes added the ability to transparently refresh sessions (via --cookie-refresh) so they are essentially perpetually valid (though enforced that you actually still have a working token). That should remove/eliminate most needs to transparently re-auth which sounds like your goal. (And, as a bonus, cookie-refresh works in cases where a transparent loop through the oauth flow would not like a POST request).

@ebardsley
Copy link
Contributor Author

I dug into timing a bit, and found that when I first wrote up these changes
(before cleaning them up and sending them out) it was late Apr, before the
cookie-refresh changes went in. The new --cookie-refresh stuff definitely
helps and is useful.

That said, I still occasionally hit the protected site on new devices, or
with browsers that don't keep cookies between sessions, or in incognito
mode; assuming that I'm already logged into a Google account w/ a valid
oauth grant, I'd rather have that part work transparently, thus this added
option.

FYI, the other change, which I was planning to send later, redirects
directly into the flow instead of showing a sign-in page, so between that
change and this, removes all (two) interstitial pages from the login flow
for a site that already has a valid grant for a Google account. (See:
ebardsley/oauth2_proxy@master...ebardsley:redirect
)

On Mon, Jul 27, 2015 at 5:36 PM, Jehiah Czebotar notifications@github.com
wrote:

@ebardsley https://github.com/ebardsley Thanks that context is helpful.

What version of oauth2_proxy were you using? Some recent changes added the
ability to transparently refresh sessions (via --cookie-refresh) so they
are essentially perpetually valid (though enforced that you actually still
have a working token). That should remove/eliminate most needs to
transparently re-auth which sounds like your goal. (And, as a bonus,
cookie-refresh works in cases where a transparent loop through the oauth
flow would not like a POST request).


Reply to this email directly or view it on GitHub
#131 (comment).

@jehiah
Copy link
Member

jehiah commented Jul 28, 2015

That's a good point that even with cookie refresh, this accelerates the auth process on a new device.

fyi: since oauth2_proxy supports custom templates I believe you should be able to accomplish the auto-initiate-oauth flow by using a template that has a meta refresh tag instead of waiting for users to click the sign-in button. You shouldn't need any code changes for that.

@ebardsley
Add a flag to set the value of "approval_prompt".
33045a7 
By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.
@ebardsley
Copy link
Contributor Author

Acknowledged regarding the templates, but that's not part of this pull
request. Is there anything else that you'd like to see to allow customizing
the value of "approval_prompt"?

On Tue, Jul 28, 2015 at 5:02 AM, Jehiah Czebotar notifications@github.com
wrote:

That's a good point that even with cookie refresh, this accelerates the
auth process on a new device.

fyi: since oauth2_proxy supports custom templates I believe you should be
able to accomplish the auto-initiate-oauth flow by using a template that
has a meta refresh tag instead of waiting for users to click the sign-in
button. You shouldn't need any code changes for that.


Reply to this email directly or view it on GitHub
#131 (comment).

@ebardsley
Copy link
Contributor Author

@jehiah Is there anything else that you'd like for this pull request?

@jehiah jehiah mentioned this pull request Aug 27, 2015
Closed
@ebardsley
Copy link
Contributor Author

Also note that the default behavior ("force") with this change remains unchanged; it simply makes it possible to change approval_prompt if desired.

jehiah added a commit that referenced this pull request Aug 27, 2015
@jehiah
Merge pull request #131 from ebardsley/master
d1c0208 
Allow passing the value of "approval_prompt" as a flag or option.
@jehiah jehiah merged commit d1c0208 into bitly:master Aug 27, 2015
@jehiah
Copy link
Member

jehiah commented Aug 27, 2015

thanks @ebardsley! sorry for the delay in catching up on this PR

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ebardsley @jehiah