Apple/Facebook OAuth

[robin-turnkey]

Adding Apple and Facebook OAuth buttons to demo app.

Some notes:

• The post-authentication step when the redirect is received by the demo app is quite slow. This is because neither Apple nor Facebook supports using an in-app callback to process the provider's response in the flow we need. The result is the user is redirected back to the demo app, which then has to load the iframe (adding another hop to Turnkey). In the case of Facebook, there is yet another hop after the iframe loads since we have to exchange an auth code for an OIDC token with Facebook's API (versus Apple, where it's done in a single round trip).
• Facebook's flow requires a verification code that is meant to be sent hashed with the initial redirect and then reconfirmed in non-hash form when the auth code is exchanged for a token. Normally, this would be done with some kind of persistent session; for the sake of simplicity I've opted to hash the verification code with a secret salt value, which can then be repeated serverside during the exchange.
• The Facebook and Apple buttons are custom-built with a logo and text; this is possible because the components we're using for these are either home-grown or provide a custom render prop. The Google component does not provide this option, hence the design being slightly incongruent between the Google button and the others. @taylorjdawson is taking this on as a followup task, as it is a slightly larger lift.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
demo-embedded-wallet	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 17, 2024 11:15pm

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	Transitive: environment	+4	219 kB	patelmayankce
npm/[email protected]	None	0	239 kB	keppelen

View full report↗︎