Ory.sh is an auth provider which allows integration via openid connect. We’ve tried creating an openid plugin in the auth plugin section. However, when we try to use it (login with popup or redirect) we simply get an error. The error has no details other than the following;
name: “Error”
As you can imagine, this error message is profoundly unhelpful. We suspect that we might be providing the wrong domain, but there is no guidance anywhere we can find on what to provide. Can anyone please provide some explicit guidance on integrating with an oidc provider or ory.sh in particular?
Hi, could you please share a screenshot of what you did (your configuration) ? If there is private information you can fill a ticket on support.weweb.io and we will handle it.
We got your comments but were unable to add comments of our own (saw no add comment button or anything to that effect). It seems the integration has a lot of complexity which isn’t documented anywhere. Is there any chance we might be able to get on a call with someone who knows how to do this kind of integration on weweb? Could be used as youtube content, I imagine.
Usually, in these situations one is composing a front-end, an auth service, and a business logic back-end. What are you using for your system’s back end?
Getting auth to work is often a bit complicated - it’s not plug-and-play. Lots of different providers, and the implementation details are different. Plus - for security reasons - there are terrible error messages, as you already alluded to. All of which is to say that you should give yourself permission to work it a bit.
Getting aut going is a pretty common topic over on our State Change office hours. Just this month our group worked with Outseta and Auth0 integration to cut down that work from days to hours.
Our back-end is a python flask application. We anticipate requiring a token for weweb to pass to our backend, which our backend can then use to recognize the request by authenticating it with our auth service (ory).
Given this system architecture, does it make more sense for us to abandon use of openid and attempt this integration using token-based authentication? It isn’t clear to me how to generate those with ory but I suspect it is possible.
Not a crazy idea. However, ory offers a rather superior product to supabase. I’d rather go through the pain of figuring out how weweb and ory work together to ultimately have a more powerful auth service over the long haul.
A URL to go to the third party auth page (sometimes this is deployed as an inline component)
A code in the URL that is “redirected” back from the auth page
Code on th page load of that URL that sends the code to your back-end (flask in this case)
The endpoint in your back-end that redeems an ID token and likely an access token from that authorization code based on knowing a client ID and client secret (and sometimes a bit more - depends on the details of implementation). Send the access token as a return value to the front end
Saving the access token on the front end to authenticate future requests to the back-end. Sometimes this requires a bit of code to override the default of how weweb does it.
Use that access token to authenticate your future requests to the back-end via a header.
OpenID and OIDC are just standards for how scopes are managed and information is presented in these circumstances. This flow is how we do OIDC with other third-party authentication systems, like most social logins too.
Hope some of the above helps! Auth is complicated, so patience carries the day!
