Notes

Bhumil's demo app with Auth0 running here: http://45.79.248.56:3000/ I'll keep it up while we work on those specs.

Common

RecipeID: thirdparty

Questions for just third party login

• [ ] Can we build in a way so that users can add a custom social login if they'd like without us having to add any code? Similar to https://next-auth.js.org/configuration/providers#using-a-custom-provider

• [x] Can you switch between social login providers? Use Twitter once, then facebook, etc... I can't see why not.

• [x] Is it possible for an external login provider to not give us an email? If yes, should we support that kind?

  Yes. We should support that, as long as email verification is not required.

• [x] How does testing work? Can't rely on API calls to each providers. This is especially true for the core. We will need mock data.

  • [x] Yes. We can rely on their API..

• [ ] Some people might just want social login to facilitate sign up flow. Should we:

  • [x] Store tokens?
    • [x] Later.
  • [x] Send tokens to postSignUp callback?
    • [x] Yes.
  • [ ] Does that behaviour require a backend config?
    • [ ] Should we implement this version only first?
  • [ ] Revoke token right after signup?

• [ ] Some people might want social login to query the provider's API. In that case we need a valid token.

  • Do we store in the session JWT for access from the front end?
  • Do we check for auth token expiry? How? Timeout from frontend on expiry?
  • Do we prompt for OAuth flow when the token is not valid anymore?
  • Can we refresh the token indefinitely? Probably depends on the providers.
    • Access Token with Refresh Token
    • Never expiring access token
    • Expiring access token ⇒ Requiring new authorisation?

• [x] Do we do popup or full tab? I think it's hard enough to manage so that we don't have to care about popup state. I prefer doing full page.

  • [x] We can just have the full page.