Tpa auth client side #469

Merged: 12 commits merged on Jun 6, 2025

@OkGoDoIt OkGoDoIt commented May 22, 2025

Add support for TPA webview user auth even in purely client-side webviews, by changing the token exchange mechanism into a public key verifiable JWT with the user id.

Updates:

  1. cloud project to create the token
  2. manager app to use the new token in the webview (also send the old token type temporarily for compatibility)
  3. sdk to consume the new token (keep the old token type temporarily for compatibility)
  4. documentation to explain how to use with react or other frontend webview

This requires a TPA_AUTH_JWT_PRIVATE_KEY to be added to the cloud .env

@OkGoDoIt OkGoDoIt requested a review from isaiahb May 22, 2025 22:06
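
The mechanism described in the PR description (the cloud signs a JWT carrying the user id with a private key, and the webview verifies it with only the public key) can be sketched as follows. This is an added example, not code from this PR or the AugmentOS SDK; it uses Node's built-in `crypto` instead of `jose` so it runs offline. The RS256 algorithm, the `sub` claim for the user id, the issuer string and the generated key pair are all assumptions.

```javascript
// Added example: sign-on-server / verify-with-public-key flow for a user-id JWT.
// Assumptions (not from the PR): RS256, the `sub` claim carries the user id,
// the issuer string, and the key pair generated in demo().
const nodeCrypto = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const ISSUER = "https://cloud.example.invalid"; // constructed placeholder

// Cloud side: holds the private key (the role of TPA_AUTH_JWT_PRIVATE_KEY).
function signUserToken(privateKey, userId, ttlSeconds, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ iss: ISSUER, sub: userId, iat, exp: iat + ttlSeconds }));
  const sig = nodeCrypto.sign("sha256", Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64url(sig)}`;
}

// Webview side: only the public key is needed. Returns the user id or throws.
function verifyUserToken(publicKey, token, now = Date.now()) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) throw new Error("expired");
  if (typeof claims.sub !== "string" || !claims.sub) throw new Error("missing user id");
  return claims.sub;
}

// Constructed demo: a valid token, a swapped payload, an unsigned token, an expired token.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const token = signUserToken(privateKey, "user@example.com", 600);
  const [h, , s] = token.split(".");
  const otherPayload = b64url(JSON.stringify({ iss: ISSUER, sub: "other@example.com", exp: 4102444800 }));
  const tryVerify = (t, now) => { try { return verifyUserToken(publicKey, t, now); } catch (e) { return e.message; } };
  return {
    valid: tryVerify(token),
    tampered: tryVerify(`${h}.${otherPayload}.${s}`),
    algNone: tryVerify(`${b64url('{"alg":"none"}')}.${otherPayload}.`),
    expired: tryVerify(token, Date.now() + 3600 * 1000),
  };
}
console.log(demo());
```

Because the verifier holds no secret, it can run in a purely client-side webview; the checks that matter are the pinned algorithm, the issuer and the expiry, not just the signature.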

Deploying augmentos-account with Cloudflare Pages

Latest commit: e5e2b46
Status: ✅  Deploy successful!
Preview URL: https://892848fd.augmentos-e84.pages.dev
Branch Preview URL: https://tpa-auth-client-side.augmentos-e84.pages.dev

@isaiahb (Collaborator) left a comment

This looks great! Awesome job 😄

@OkGoDoIt (Contributor Author)

> This requires a TPA_AUTH_JWT_PRIVATE_KEY to be added to the cloud .env

Remember to add this to Porter and share on Slack before merging

@OkGoDoIt (Contributor Author)

It looks like some older versions of Android have a web view that doesn't support the JWT encryption. So I'm going to need to test this more before we merge it.

cloudflare-workers-and-pages bot commented Jun 3, 2025

Deploying prod-augmentos-account with Cloudflare Pages

Latest commit: 8578d5a
Status: ✅  Deploy successful!
Preview URL: https://a604b82c.augmentos-e84.pages.dev
Branch Preview URL: https://tpa-auth-client-side.augmentos-e84.pages.dev

cloudflare-workers-and-pages bot commented Jun 3, 2025

Deploying dev-augmentos-console with Cloudflare Pages

Latest commit: 8578d5a
Status: 🚫 Build failed.

cloudflare-workers-and-pages bot commented Jun 3, 2025

Deploying augmentos-docs with Cloudflare Pages

Latest commit: b68972a
Status: ✅  Deploy successful!
Preview URL: https://7309e4bb.augmentos-docs.pages.dev
Branch Preview URL: https://tpa-auth-client-side.augmentos-docs.pages.dev


@OkGoDoIt (Contributor Author) commented Jun 4, 2025

I have fixed the issue with Android web views

> It looks like some older versions of Android have a web view that doesn't support the JWT encryption. So I'm going to need to test this more before we merge it.

I also added a new @augmentos/react library that simplifies making react frontends. The docs are also updated, see https://tpa-auth-client-side.augmentos-docs.pages.dev/react-webviews

@OkGoDoIt OkGoDoIt requested a review from isaiahb June 4, 2025 00:42

@OkGoDoIt (Contributor Author) commented Jun 4, 2025

The next steps links in the react web view docs are broken:
https://tpa-auth-client-side.augmentos-docs.pages.dev/react-webviews/webview-auth-overview
etc

Comment on lines 69 to 72
## Manual Implementation (Browser-Only React with No Backend)

If you're not using the AugmentOS SDK, you can implement the authentication flow manually.
If you're building a webview app that runs entirely in the browser (e.g., React, Vue, etc.), you can securely verify the AugmentOS user token without any backend. This approach uses the [`jose`](https://github.com/panva/jose) library to verify the JWT against AugmentOS's public keys, stores the token in `localStorage`, and exposes the user ID to your app.
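
Review bot: In the new paragraph, "stores the token in `localStorage`" sits under a claim that the token is verified "securely", but nothing says that any script running on the webview's origin can read `localStorage`, or that a stored token has to be verified again when it is read back. Suggest adding one sentence on each, and stating that verification in the browser only tells the frontend which user it is dealing with, so any server that later receives the token must verify it itself.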

Collaborator

Nitpick:
The copy here might be a little confusing for developers, as a backend (the TPA server) is still required,
it's just that in the second scenario the TPA server is not the server that is serving the static HTML/JS files.

Rough ideas for copy that might better explain it for devs:

  1. TPA server hosts & serves your website.
     • i.e. HTML/JS (this could be the outputs of a React/Vue project after they've built it to generate static HTML/JS/CSS files) in the public folder in their TPA project and served by the express server from @augmentos/sdk
  2. Website hosted separately from TPA server
     • TPA backend
     • Website hosted elsewhere: i.e. Cloudflare Pages, Netlify, GitHub Pages

@OkGoDoIt OkGoDoIt merged commit e1f97cf into dev Jun 6, 2025
2 of 3 checks passed