OAuth in API-Only App

[Graditude-Dev]

Hey @janko - big fan of the library! I realized that our OAuth implementation was out-of-date, and I was wondering how I could go about translating it. We're using Rodauth for authentication in an API Only Mode app, with a separate React frontend.

I was reading your article here and had some questions.

1.) Where do scopes come into play here? In our old configuration, we had to specify the scope of the API, the fields and the callback_path. Do you not have to do that in your Omniauth extension?
2.) Does this support 3-legged OAuth? I'm following the LinkedIn documentation here. What would be the best way of going about it? My client would be producing a URL, and then I need to have a specific callback route in my backend application.

An API-Only tutorial/some help here would be super appreciated!

Old Setup for context

Originally, I had a middleware, called omniauth.rb -

Rails.application.config.middleware.use P do
  provider :linkedin, ENV["LINKEDIN_CLIENT"], ENV["LINKEDIN_SECRET"], scope: %w[r_emailaddress r_liteprofile],
  fields: %w[id first-name last-name email-address picture-url], callback_path: "/api/v1/auth/linkedin/callback", provider_ignores_state: true
end

which connected to a custom method in my Rodauth Controller:

class Api::V1::RodauthController < Api::V1::ApplicationController
  before_action :authenticate, only: [:profile]

  def omniauth
    auth = request.env["omniauth.auth"]

    # attempt to find existing identity directly
    identity = AccountIdentity.find_by(provider: auth["provider"], uid: auth["uid"])
    info = auth["info"]
    if identity
      # update any external info changes
      identity.update!(info: info)
      # set account from identity
      account = identity.account
    end

    # attempt to find an existing account by email
    account ||= Account.find_by(email: info["email"])

    # disallow login if account is not verified
    if account && account.status != "verified"
      redirect_to rodauth.login_path, alert: rodauth.unverified_account_message
      return
    end

    # create new account if it doesn't exist
    account ||= Account.create!(email: info["email"], status: rodauth.account_open_status_value, 
                                first_name: info["first_name"], last_name: info["last_name"], picture_url: info["picture_url"])

    # create new identity if it doesn't exist
    account.identities.create!(provider: auth["provider"], uid: auth["uid"], info: info) unless identity

    # load the account into the rodauth instance
    # rodauth.account_from_login(account.email)

    # rodauth_response do # ensures any `after_action` callbacks get called
    #   # sign in the loaded account
    #   rodauth.login("omniauth")
    # end
    rodauth.account_from_login(account.email)
    rodauth.login_session("omniauth")
    redirect_to ENV["DASHBOARD_URL"]
  end
end

We had a generic route-setup, mapping a callback like so:

get "/auth/:provider/callback", to: "rodauth#omniauth"

[mdodell]

I realized that there was a rodauth-omniauth repository, and I started a better discussion there. I definitely would rather use that gem, and I made a proof-of-concept repo to help me figure out what I'm trying to do here. (I am also @Graditude-Dev, this is just my personal account).