Create RFC for Identities #57
Conversation
645773c to
a0a15fe
Compare
a0a15fe to
b51e46b
Compare
023-connected-accounts/README.md
Outdated
|
|
||
| ##### List Connected Accounts | ||
|
|
||
| **GET /v1/account/connected** |
There was a problem hiding this comment.
Connected accounts is very misleading. When I first heard of it I thought it was about connecting 2 existing Appwrite accounts and allowing to switch between them. This features is actually just refactoring of how we handle OAuth2.
023-connected-accounts/README.md
Outdated
|
|
||
| ##### List Connected Accounts | ||
|
|
||
| **GET /v1/account/connected** |
There was a problem hiding this comment.
| **GET /v1/account/connected** | |
| **GET /v1/account/oauth2/connections** |
Connected accounts is very misleading. When I first heard of it I thought it was about connecting 2 existing Appwrite accounts and allowing to switch between them. This features is actually just refactoring of how we handle OAuth2. Also, the connected is a past tense verb where a REST API should be represented by nouns.
There was a problem hiding this comment.
Wouldn't it be useful to make this flexible so that we could support other connections? Maybe multiple phone numbers or linking multiple emails? Merging Appwrite users can also be helpful.
023-connected-accounts/README.md
Outdated
|
|
||
| ##### Get a Connected Account | ||
|
|
||
| **GET /v1/account/connected/{id}** |
There was a problem hiding this comment.
| **GET /v1/account/connected/{id}** | |
| **GET /v1/account/oauth/connections/{id}** |
023-connected-accounts/README.md
Outdated
|
|
||
| ##### Connecting to an OAuth2 provider | ||
|
|
||
| 1. User makes authenticated API call to `GET /v1/account/sessions/oauth2/{provider}` |
There was a problem hiding this comment.
Is it safe to assume that the main difference here from the existing flow is that if a user is already logged in with Appwrite when creating an OAuth session the OAuth connection will be attached to their current account regardless of the email?
023-connected-accounts/README.md
Outdated
| If possible, explain what actions we can take to avoid that. | ||
| --> | ||
|
|
||
| The existing OAuth2 APIs will still work as they do now. The only difference is a connected account will be created if one does not exist. |
There was a problem hiding this comment.
This is a better place in the RFC to discuss data migrations due to changes in data structure.
023-connected-accounts/README.md
Outdated
|
|
||
| <!-- Write your answer below. --> | ||
|
|
||
| 1. How to connect an account on mobile? |
There was a problem hiding this comment.
What is the main challenge? Passing the current use session token to the webview?
There was a problem hiding this comment.
If yes, we could consider another form of short living token with limited access rights. We have similar problems with file previews and other resources as well.
023-connected-accounts/README.md
Outdated
| <!-- Write your answer below. --> | ||
|
|
||
| 1. How to connect an account on mobile? | ||
| 2. Should we support a way to get all connected accounts from a particular provider? |
There was a problem hiding this comment.
We can do this using the list endpoint queries.
023-connected-accounts/README.md
Outdated
|
|
||
| 1. How to connect an account on mobile? | ||
| 2. Should we support a way to get all connected accounts from a particular provider? | ||
| 3. What to do after a connected accounts refresh token no longer works? |
There was a problem hiding this comment.
I would expect maybe something 401, which can notify the developer they need to re-authenticate the OAuth session to obtain a new access token. How often does this happen today for the different providers? how long would an average access token last before expiration?
There was a problem hiding this comment.
I would expect maybe something 401
You mean if the user is using an OAuth2 session? This means we would need to check the refresh token on each request or something.
In addition, we may need to check the tokens on each list connected accounts API call so that we properly return the correct status.
023-connected-accounts/README.md
Outdated
| 1. How to connect an account on mobile? | ||
| 2. Should we support a way to get all connected accounts from a particular provider? | ||
| 3. What to do after a connected accounts refresh token no longer works? | ||
| 4. What should happen to related sessions when a connected account is deleted? |
There was a problem hiding this comment.
I would leave this unattached. If dev wish to take action here, they can delete relevant sessions with existing APIs. I wouldn't be opinionated and decide that deleting an account is necessarily connected with a security concern, this is not always the case.
023-connected-accounts/README.md
Outdated
| 2. Should we support a way to get all connected accounts from a particular provider? | ||
| 3. What to do after a connected accounts refresh token no longer works? | ||
| 4. What should happen to related sessions when a connected account is deleted? | ||
| 5. What should happen to a connected account when the related session is deleted? |
There was a problem hiding this comment.
Nothing. You can logout, it doesn't imply you want your connection removed. If developers want for any reason to tie the two together they can do it using the two relevant APIs.
b51e46b to
d82c2b2
Compare
d82c2b2 to
19579b8
Compare
Allow users to connect multiple accounts to their Appwrite account regardless of the email address in the external system.
19579b8 to
400229a
Compare
Rendered: https://github.com/appwrite/rfc/blob/feat-023-connected-accounts/023-identities/README.md
What does this PR do?
Proposal for separating OAuth2 from Sessions
Related PRs and Issues
TBD
Have you read the Contributing Guidelines on issues?
Yes