[Spike] How to migrate apps using loopback-component-oauth2 #3959

Closed
1 task
bajtos opened this issue Oct 17, 2019 · 9 comments

Comments

@bajtos
Member

bajtos commented Oct 17, 2019

This is a follow-up for #3718 and #3922.

Write content for docs/site/migration/auth/oauth2.md, explain how to migrate LB3 applications using loopback-component-oauth2 to LB4.

Acceptance criteria

  • Migration guide describing manual steps
@bajtos
Member Author

bajtos commented Oct 17, 2019

I think this story will require a spike first.

@emonddr
Contributor

emonddr commented Jan 30, 2020

This is for server side.

We don't intend on supporting our own oauth2 server module.

  • Point them to existing infrastructure (social website passport modules)
  • Need to document how they can use these social website ones. We need to describe the LB4 authentication and authorization steps to enable the usage of access tokens from external oauth2 providers.

@emonddr emonddr changed the title How to migrate apps using loopback-component-oauth2 [Spike] How to migrate apps using loopback-component-oauth2 Jan 30, 2020
@emonddr emonddr added the spike label Jan 30, 2020
@dhmlau dhmlau added the p2 label Mar 2, 2020
@dhmlau dhmlau added 2020Q2 and removed 2020Q1 labels Mar 17, 2020
@dhmlau dhmlau added this to the April 2020 milestone Apr 1, 2020
@dhmlau
Member

dhmlau commented Apr 3, 2020

@deepakrkris, I'm assigning this issue to you because you've done part of the work already.

@jannyHou
Contributor

A proposal:

  • Create an example app
  • It contains migrated models with their REST APIs
  • It registers authenticate from loopback-component-oauth2 as a middleware
  • It secures endpoints with the middleware configuration, adds tests for them
    • e.g. app.oauth2.authenticate({session: false, scope: 'demo basic'});
    • see reference
  • Add tests for the created model's endpoints to test the functionalities
    • AuthCodeGrant
    • AuthToken
    • OAuthPermission
    • grant
    • grant password
    • grant refresh token
    • jwt

@jannyHou
Contributor

jannyHou commented Apr 21, 2020

Had a chat with @raymondfeng, thank you for providing feedback!

loopback-component-oauth2 is used to set up a LoopBack application as an oauth2 server. This can be applied in an API gateway application, but for the common cases, an LB4 app usually talks to existing 3rd-party oauth2 servers like Google or Facebook, instead of turning itself into a provider.

In LoopBack 4, @deepakrkris recently created an example application showing how to login with 3rd-party providers and secure the endpoints in https://github.com/strongloop/loopback-next/tree/master/examples/passport-login. At this stage, it would be good enough for developers to learn and follow.

In case you really want to turn a LoopBack 4 application into an oauth2 provider, here are some tips on how to migrate:

cc @dhmlau are we good to close it?

@dhmlau dhmlau assigned jannyHou and unassigned deepakrkris Apr 21, 2020
@dhmlau
Member

dhmlau commented Apr 21, 2020

@jannyHou, if this issue duplicates what @deepakrkris is doing for #3958, then let's close this one. Thanks.

@jannyHou
Contributor

@dhmlau I rephrased the comment a bit. Deepak's repo (and all the examples/feats we’ve implemented so far) uses 3rd-party oauth2 providers like google/fb, but that component sets up a LoopBack app itself as an oauth2 provider, which is a rare use case.
API gateway used it a long time ago.
It’s not a dup task, but it is a rare case and the migration is very complicated.

@deepakrkris
Contributor

@jannyHou, agreed, the scope of this task is too broad.
What we can do is come up with an LB4 version of the mock provider in https://github.com/strongloop/loopback-next/blob/master/extensions/authentication-passport/src/__tests__/acceptance/fixtures/mock-oauth2-social-app.ts
If this is doable, we can close this issue. IMO, let's not go too deep into the details of what loopback-component-oauth2 does.

@jannyHou
Contributor

Thanks everyone for the discussion, follow-up story created in #5184 🙇‍♀️
