projects/sso_auth_axum/README.md
This project demonstrates various methods of implementing Single Sign-On (SSO) authorization using OAuth, specifically with the OAuth2 library. The primary focus is on the Authorization Code Grant flow.
Initiating Sign-In: When a user clicks the 'Sign In With {THIRD PARTY SERVICE}' button, the request is sent to a server function. This function retrieves an authorization URL from the third-party service.
CSRF Token Handling: During the URL fetch, a CSRF_TOKEN is generated and confirmed by the service to mitigate Cross-Site Request Forgery attacks. Learn more about CSRF here. This token is stored on our server.
User Redirection: Post-login, users are redirected to our server with a URL formatted as follows:
http://your-redirect-uri.com/callback?code=AUTHORIZATION_CODE&state=CSRF_TOKEN
Note: Additional parameters like Scope and Client_ID may be included by the service.
Token Acquisition: The 'code' parameter in the URL is not the actual service token. Instead, it's used to fetch the token. We verify the CSRF_TOKEN in the URL against our server's stored token for security.
Access Token Usage: With a valid CSRF_TOKEN, we use the AUTHORIZATION_CODE in an HTTP Request to the third-party service. The response typically includes:
access tokenexpires_in value (time in seconds until token expiration)refresh token (used to renew the access token)Email Retrieval and Display: The access token allows us to retrieve the user's email. This email is then displayed in our Email Display App.
Session Management: The expires_in value is sent to the client. The client uses this to set a timeout, ensuring that if the session is still active (the window hasn't been closed), it automatically triggers a token refresh when required.
This example cannot be built as a trunk standalone CSR-only app. Only the server may directly connect to the database.
cargo-leptos is now the easiest and most featureful way to build server side rendered apps with hydration. It provides automatic recompilation of client and server code, wasm optimisation, CSS minification, and more! Check out more about it here
Commands that run the program, cargo leptos watch, cargo leptos serve, cargo run etc... All need the following Environment variables G_AUTH_CLIENT_ID : This is the client ID given to you by google. G_AUTH_SECRET : This is the secret given to you by google. NGROK : this is the ngrok endpoint you get when you run ngrok http 3000
After running your app, run
ngrok http 3000
Then use google api's and services, go to credentials, create credentials, add your app name, and use the ngrok url as the origin
and use the ngrok url with /g_auth as the redirect url. That will look like this https://362b-24-34-20-189.ngrok-free.app/g_auth
Save you client ID and secret given to you by google. Use them as Envars when you run the program as below
REDIRECT_URL={ngrok_redirect_url} G_AUTH_CLIENT_ID={google_credential_client_id} G_AUTH_SECRET={google_credential_secret} {your command here...}
cargo install --locked cargo-leptos
cargo leptos watch
Open browser on http://localhost:3000/
cargo leptos build --release
To run it as a server side app with hydration, you'll need to have wasm-pack installed.
[package.metadata.leptos] section and set site-root to ".". You'll also want to change the path of the <StyleSheet / > component in the root component to point towards the CSS file in the root. This tells leptos that the WASM/JS files generated by wasm-pack are available at ./pkg and that the CSS files are no longer processed by cargo-leptos. Building to alternative folders is not supported at this time. You'll also want to edit the call to get_configuration() to pass in Some(Cargo.toml), so that Leptos will read the settings instead of cargo-leptos. If you do so, your file/folder names cannot include dashes.cargo install wasm-pack
wasm-pack build --target=web --debug --no-default-features --features=hydrate
cargo run --no-default-features --features=ssr