Oauth2 and google example?

[zchira]

I already have service that supports api_key authorization:

#[derive(SecurityScheme)]
#[oai(
    ty = "api_key",
    key_name = "Authorization",
    key_in = "header",
    checker = "auth::user_checker"
)]
struct MyAppApiKeyAuthorization(String);

I would like to add oauth2 (to support login with google account).
There is an option for SecurtySchema ty = oauth2 but I couldn't find any example.

I am not sure where/how to use data provided by google:

   "web" : {
      "auth_provider_x509_cert_url" : "https://www.googleapis.com/oauth2/v1/certs",
      "auth_uri" : "https://accounts.google.com/o/oauth2/auth",
      "client_id" : "GENERATED_CLIENT_ID.apps.googleusercontent.com",
      "client_secret" : "GENERATED_CLIENT_SECRET",
      "project_id" : "MY_PROJECT_ID",
      "token_uri" : "https://oauth2.googleapis.com/token"
   }

[zchira]

what I did so far:

#[derive(SecurityScheme)]
#[oai(
    ty = "oauth2",
    flows(
        authorization_code
            (
                authorization_url="https://accounts.google.com/o/oauth2/auth",
                token_url="https://oauth2.googleapis.com/token",
                refresh_url="",
                scopes= "GoogleScopes"
            )
        )

)]
struct MyAppOAuthAuthorization(poem_openapi::auth::Bearer);

#[derive(OAuthScopes)]
enum GoogleScopes {
    #[oai(rename = "https://www.googleapis.com/auth/userinfo.email")]
    UserInfoEmail,
    #[oai(rename = "https://www.googleapis.com/auth/userinfo.profile")]
    UserInfoProfile
}

I also checked the example for github oauth - https://github.com/poem-web/poem/blob/7c9cff63afd54da62d637d49a91d7eb806b4a446/examples/openapi/auth-github/src/main.rs

Here is the screenshot from swagger UI:

Why client_id and client_secret are required? I would expect to embed them somewhere into the code?
If I create some API and want to add support for google auth, I would expect the following steps are needed for that:

1. create an app on Google Dev console
2. use info (client_id, auth_url, client_secret, redirect_url etc...) to connect my poem service with google oauth service

[zchira]

Update:

added endpoint

    #[oai(path = "/oauth-google", method = "get", tag = "ApiTags::Auth")]
    async fn oauth_google(.....)

I am using oauth2 crate to perform google auth calls:

    /// Auth endpoint for oauth2 auth with google account
    #[oai(path = "/oauth-google", method = "get", tag = "ApiTags::Auth")]
    async fn oauth_google(&self, req: &Request) -> MyResponse {

        let client =
            BasicClient::new(
                ClientId::new("XXXXXXXXXXXXX.apps.googleusercontent.com".to_string()),
                Some(ClientSecret::new("YYYYYYYYYY".to_string())),
                AuthUrl::new("https://accounts.google.com/o/oauth2/auth".to_string()).unwrap(),
                Some(TokenUrl::new("https://oauth2.googleapis.com/token".to_string()).unwrap())
                )         
            .set_redirect_uri(RedirectUrl::new("http://localhost:3666/redirect".to_string()).unwrap());

        // Generate a PKCE challenge.
        let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
    
        // Generate the full authorization URL.
        let (auth_url, csrf_token) = client
            .authorize_url(CsrfToken::new_random)
            // Set the desired scopes.
            .add_scope(Scope::new("https://www.googleapis.com/auth/userinfo.email".to_string()))
            .add_scope(Scope::new("https://www.googleapis.com/auth/userinfo.profile".to_string()))
            // Set the PKCE code challenge.
            .set_pkce_challenge(pkce_challenge)
            .url();

         // This is the URL you should redirect the user to, in order to trigger the authorization
        // process.
        println!("Redirect to: {}", auth_url);

       MyResponse::Redirect(auth_url.to_string())
    }

This will initiate oauth flow with google, and at the end it will redirect to /redirect endpoint:

    #[oai(path = "/redirect", method = "get", tag = "ApiTags::Auth")]
    async fn redirect_from_oauth(&self, req: &Request, state: Query<Option<String>>, code: Query<Option<String>>, session: &poem::session::Session) -> Result<(), Error> {

        let state = match state.0 {
            Some(s) => {
                s
            },
            None => "".to_string(), // return err
        };

        let code = match code.0 {
            Some(s) => {
                s
            },
            None => "".to_string(), // return err
        };

        let client =
            BasicClient::new(
                ClientId::new("XXXXXXXXXXXXX.apps.googleusercontent.com".to_string()),
                Some(ClientSecret::new("XXXXXXXXXXXXYYYYYYY".to_string())),
                AuthUrl::new("https://accounts.google.com/o/oauth2/auth".to_string()).unwrap(),
                Some(TokenUrl::new("https://oauth2.googleapis.com/token".to_string()).unwrap())
                )
            // Set the URL the user will be redirected to after the authorization process.
            .set_redirect_uri(RedirectUrl::new("http://localhost:3666/boiler/redirect".to_string()).unwrap());

        // csrf check is needed here , pkce_verifier is also needed...
        // maybe pkce_verifier should be added to the app_state so we can get it here?
        let pkce_verifier = get_pkce_verifier_somehow();

        
        let token_result = client
             .exchange_code(AuthorizationCode::new(code))
             // Set the PKCE code verifier.
             .set_pkce_verifier(pkce_verifier))
             .request_async(async_http_client)
             .await.unwrap();

        println!("Token result: {:#?}", token_result);
        println!("Token:  {:#?}", token_result.access_token().secret());

        let cl = reqwest::Client::new();
        let response = cl.get(format!("https://www.googleapis.com/oauth2/v3/userinfo?access_token={}", token_result.access_token().secret())).send().await.map_err(|_| Error::generic_error(""))?;

        let json = response.json::<serde_json::Value>().await.map_err(|_| Error::generic_error(""))?;
        println!("Response: {:#?}", json);

        Ok(())
    }

At the end of /redirect handler we have access_token and userinfo from google API and we can store it to the session, cookie. etc...

So, basically I have dirty solution which probably needs some improvements. CSFR check is not perfirmed, pkce_verifiers also should be accessible in /redirect handler, client is created twice... Also, maybe there is a way to use some poem structs to communicate with googleAPI insted of using oauth2 crate (I saw that poem also has some Csrf and CsrfToken structs....)