
First draft of the Telegram strategy #152

Merged (5 commits), Dec 29, 2024

Conversation

@vheathen (Contributor) commented Jun 13, 2024

Resolves #153

Telegram offers a convenient way of authenticating users by allowing them to enter their Telegram phone number and confirm the request directly in the Telegram messenger app without a password.

However, they don’t support the traditional method of redirecting to their OAuth server to enter credentials. Instead, it is necessary to include their JS library on the page and either use an embedded iframe with a standard button (with limited styles) or - via an undocumented method - directly call the auth(callback) function with a callback to get the results. The official login widget also supports the redirect mode to a provided callback URL. This means that the authorize_url/1 call is useless for this implementation (more on this later).

Additionally, Telegram has published the Web Mini App API. This API allows direct interaction with many internal Telegram features. The Mini Web App is intended to be opened directly from the messenger app and to work inside the app.

To authenticate a user of a web app, Telegram sends a URL-encoded query string (protected by a hash) that contains all the initial data when opening the web app. This string doesn’t pass through a WebView instance and should be collected inside the frontend and sent to the backend for authentication. The backend needs to check the data’s authenticity by calculating the hash of the string and comparing it with the provided one, as well as validating the authentication date.

Returning to the authorization_url/1: it is possible to use it to create a script to embed in the HTML page. The generator, depending on config parameters, can then generate different embedding options. However, this contradicts the meaning of authorization_url.

But the current functionality is full and works.

WDYT?
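As an added example that is not part of this PR or of the Assent project's code: a backend check of the kind the description above calls for, covering the Mini App initData string and, as a second mode, the Login Widget payload. It is written in Python rather than the project's Elixir, and it assumes Telegram's published scheme: all fields except `hash`, sorted by key, rendered as `key=value` and joined with newlines, then HMAC-SHA256 with a secret of HMAC-SHA256("WebAppData", bot_token) for Mini Apps or SHA-256(bot_token) for the widget. The bot token, the 300-second freshness window and the initData payload are constructed placeholders, not real Telegram data.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder; a real backend loads its bot token from secret storage.
BOT_TOKEN = "123456:CONSTRUCTED_PLACEHOLDER_TOKEN"
MAX_AGE_SECONDS = 300  # hypothetical freshness window; choose one that fits the deployment


def data_check_string(fields):
    """Telegram's canonical form: every field except 'hash', sorted by key,
    rendered as key=value and joined with newlines."""
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def secret_key(bot_token, mode):
    """Mini App data is keyed with HMAC-SHA256("WebAppData", token);
    the Login Widget uses SHA-256(token) instead."""
    if mode == "mini_app":
        return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()
    if mode == "login_widget":
        return hashlib.sha256(bot_token.encode()).digest()
    raise ValueError(f"unknown mode {mode!r}")


def compute_hash(fields, bot_token, mode="mini_app"):
    """Hex HMAC-SHA256 of the data-check string under the mode's secret."""
    return hmac.new(secret_key(bot_token, mode),
                    data_check_string(fields).encode(), hashlib.sha256).hexdigest()


def validate_init_data(init_data, bot_token, now=None, max_age=MAX_AGE_SECONDS, mode="mini_app"):
    """Return (True, fields) when the query string is authentic and fresh,
    otherwise (False, reason). No field is trustworthy before this passes."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    provided = fields.get("hash")
    if not provided:
        return False, "missing hash"
    expected = compute_hash(fields, bot_token, mode)
    # Constant-time comparison so the check does not leak how much of the hash matched.
    if not hmac.compare_digest(expected, provided):
        return False, "hash mismatch"
    try:
        auth_date = int(fields["auth_date"])
    except (KeyError, ValueError):
        return False, "missing or malformed auth_date"
    now = time.time() if now is None else now
    if now - auth_date > max_age:
        return False, "auth_date too old (replay window exceeded)"
    if auth_date - now > 60:
        return False, "auth_date in the future"
    return True, fields


def sign_init_data(fields, bot_token, mode="mini_app"):
    """Build a query string the way Telegram would; used only to construct the sample."""
    signed = dict(fields)
    signed["hash"] = compute_hash(fields, bot_token, mode)
    return urlencode(signed)


def constructed_sample(auth_date=1_700_000_000):
    """A constructed Mini App initData payload; the values are not real Telegram data."""
    user = json.dumps({"id": 42, "first_name": "Sample"}, separators=(",", ":"))
    return sign_init_data({"query_id": "AAH_constructed", "user": user,
                           "auth_date": str(auth_date)}, BOT_TOKEN)


if __name__ == "__main__":
    sample = constructed_sample()
    print(validate_init_data(sample, BOT_TOKEN, now=1_700_000_100))
    # Any change to a signed field, here the user's name, breaks the hash.
    print(validate_init_data(sample.replace("Sample", "Mallory"), BOT_TOKEN, now=1_700_000_100))
    # The same payload presented long after auth_date is rejected as stale.
    print(validate_init_data(sample, BOT_TOKEN, now=1_700_000_000 + MAX_AGE_SECONDS + 1))
```

The hash check and the `auth_date` check are both needed: the hash alone proves the payload came from Telegram's servers for this bot, but without the age check a captured payload stays valid forever.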

@danschultzer (Collaborator) commented

Thanks! I've refactored the strategy to conform with how other strategies are set up. There actually is a URL that can be used so I think we should just use that and have the script in the docs. This is in line with other strategies like Facebook and Apple where a JS widget can be used as well.

I have tested this with the Login Widget, which works well, but haven't tested with the mini app.

@danschultzer force-pushed the telegram_strategy branch 3 times, most recently from ba6e07d to 37ae300 (December 27, 2024 15:16)
@danschultzer merged commit 1a04a45 into pow-auth:main on Dec 29, 2024
4 checks passed
Successfully merging this pull request may close these issues:

Telegram authentication strategy