K
Kinde6mo ago
mariodebono

Login from a device that does not support callbacks

Hi, I need to let users authenticate from a device that cannot receive callbacks. I was thinking that there is a way with PKCE to have an API to act as an intermediary and finally call the /token with the code and the code_verifier on the client to get the token. here is the flow I was thinking: 
/**
 * 1. Device initiates authentication by launching a browser and making a GET request to the API:
 *    GET my-api/login?challenge=<S256_challenge>&device_id=<unique_device_id>
 *    - The device generates a S256 code challenge and includes it in the request along with a unique id.
 * 
 * 2. The API redirects the user to the authorization server for login:
 *    Redirect to /auth?...&code_challenge=<S256_challenge>&callback=my-api/callback&state=<unique_device_id>
 *    - including the S256 challenge, and the device's ID as the state parameter.
 * 
 * 3. The user completes the login process in the browser.
 * 
 * 4. Upon successful login, the authorization server redirects the user to the API callback URL:
 *    my-api/callback
 *    - The API stores the received authorization code.
 * 
 * 5. The device periodically polls the API to check the status for code:
 *    Device makes a GET request to my-api/status?device_id=<unique_device_id>
 *    - The device sends its unique ID to check if the authorization code is ready.
 * 
 * 6. The API responds with the authorization code if available:
 *    - The API sends the stored authorization code back to the device.
 * 
 * 7. The device exchanges the authorization code for tokens:
 *    Device makes a POST request to the token endpoint:
 *    POST https://your_kinde_subdomain.kinde.com/oauth2/token
 *    - The request includes the code verifier, authorization code, client ID, and redirect URI.
 * 
 * 8. The device receives the tokens:
 *    - The authorization server responds with the access token and ID token.
* */
/**
 * 1. Device initiates authentication by launching a browser and making a GET request to the API:
 *    GET my-api/login?challenge=<S256_challenge>&device_id=<unique_device_id>
 *    - The device generates a S256 code challenge and includes it in the request along with a unique id.
 * 
 * 2. The API redirects the user to the authorization server for login:
 *    Redirect to /auth?...&code_challenge=<S256_challenge>&callback=my-api/callback&state=<unique_device_id>
 *    - including the S256 challenge, and the device's ID as the state parameter.
 * 
 * 3. The user completes the login process in the browser.
 * 
 * 4. Upon successful login, the authorization server redirects the user to the API callback URL:
 *    my-api/callback
 *    - The API stores the received authorization code.
 * 
 * 5. The device periodically polls the API to check the status for code:
 *    Device makes a GET request to my-api/status?device_id=<unique_device_id>
 *    - The device sends its unique ID to check if the authorization code is ready.
 * 
 * 6. The API responds with the authorization code if available:
 *    - The API sends the stored authorization code back to the device.
 * 
 * 7. The device exchanges the authorization code for tokens:
 *    Device makes a POST request to the token endpoint:
 *    POST https://your_kinde_subdomain.kinde.com/oauth2/token
 *    - The request includes the code verifier, authorization code, client ID, and redirect URI.
 * 
 * 8. The device receives the tokens:
 *    - The authorization server responds with the access token and ID token.
* */
Are there any ways to do this other than the above (if the above is possible)?
2 Replies
mariodebono
mariodebonoOP6mo ago
Hi, in the meantime I gave it a shot. Calling the /token from the same API in the callback worked, however calling the /token from my app that does not support callback (same pc) gives me the following error. 
{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code challenge did not match the code verifier."}
{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code challenge did not match the code verifier."}
Am I doing something wrong? or will this never work? any solutions for this? let me know if you need more info.
onderay
onderay6mo ago
Hey @mariodebono awesome to see you digging into a use case for Kinde. Will need to check this with the team, as certainly havent it being done without callback before.
Want results from more Discord servers?
Add your server