As mentioned in this article, accessing GitHub API after authenticating with GitHub credentials through Auth0 looks to be a two step process. After authentication we get the Auth0 access token and using that we need to retrieve IDP’s (GitHub in this case) token. Also, this seems to require a server to be run?
While going through Firebase auth with GitHub documentation, I see that after authentication, we directly get GitHub’s access token which can be used to call GitHub API.
I’m playing around with GitHub API in a simple React app and don’t want to run a server separately for auth or as a proxy for GitHub API. Is there a way to get GitHub’s access token directly after authentication via Auth0? If not, what’s the reason?
Auth0 handles the authentication pipeline differently than Firebase when using external identity providers. Your application always sees Auth0 as the authorization server (the one that issues the access tokens and ID tokens) and, when using other identity providers, Auth0 acts as the client application requesting the authentication to the external provider.
So, with GitHub as an example, the access token issued by GitHub is meant to be used by Auth0 itself (to get information about the user), and is not issued directly to your application. We provide the token for internal processes (where the process was given explicit access to the management API to retrieve these tokens), but don’t return it directly to applications to avoid any possible misusage.
If you want a GH token directly in your app without a backend mediation, I would suggest that after the authorization stage takes place with Auth0 (for authentication and possibly a token for your own backend API) your application requests a token directly to GH (with the appropriate scopes that your application needs). If the user already used GH for authentication, there won’t be another authentication prompt. By getting the response directly from GH you also get information that will probably be useful to your app, like the token duration.
Thanks Nicolas for your response. So in case I request the token directly from GitHub, why would I need Auth0 in the middle since I don’t have any backend server? This is not a real app and I’m just trying out Auth0 with a sample app to access GitHub API. So just trying to understand how would the auth flow work with Auth0.
If you only set out to build an app that will do some work against the GH API on behalf of the user then you probably won’t need some of Auth0’s advantages like:
The ability to choose from a great number of authentication possibilities while coding against a single provider from your app, with the flexibility to change authentication methods on the fly (since your app would only accept people signing in with GitHub).
The ability to act as an OAuth2 authorization server to issue access tokens for your custom APIs (since you would only be accessing the GH API and not your own backend server)
The ability to run custom code (rules) as part of the authorization pipeline to keep track of logins, customize the claims and scopes that an application gets, add additional steps as well as perform custom authorization controls if necessary.
Provide SSO between multiple customs and commercial applications
Keep your own users database or connect to an existing one.
As soon as the scenario gets a little more complex Auth0 will become very handy. But in the particular scenario that you are describing now, getting the token directly from GH might be simpler (unless I’m missing some key requirements).
