I want to allow my app's users to log in with various OAuth providers (Facebook, Google, GitHub, etc.). My app does not actually need to access anyone's API; I'm just providing these logins as a convenience.
My client (native app) performs the implicit authorization flow and returns some stuff, which it sends to my API. How do I then validate the stuff before providing access to my own resources?
I say "stuff" because, for Google, it's actually the id_token that I can verify (using Google's public key). But it seems like in the general case, I'd need to use an access token and validate it by actually making an API request with it to some endpoint on the provider's resource server. Obviously this means I have to handle each different OAuth provider separately.
Identity-as-a-service providers like Okta and Auth0 streamline this by reconciling all the different identity providers and methods. Unfortunately these get prohibitively expensive over a few thousand users (at least, on the public pricing page).
Questions:
- Is it non-standard to use OAuth in this way, purely as an authentication mechanism without actually calling any APIs? Am I missing some obvious better way to do this?
- Are there libraries that normalize all these distinct OAuth flows, somewhat akin to Okta or Auth0 but without the subscription cost? (And hopefully provide some support for a username/password login flow, including password resets, as well?)