Is there any way to implement token swapping when using Appwrite? Say, for example, a user authenticates using another service, the service provides an auth token, and then I swap that token for an Appwrite session token. This is useful if I want to use Appwrite to manage user identity and allow the user to use another service, for example one that enables authentication via biometrics.
It doesn't look like that's possible at the moment using the server SDK. Appwrite requires the full auth flow to create sessions. Any ideas?
Can anyone please help with this?
What kind of details do you receive from the custom service?
Using your example of biometrics: do you ask for an email/password combo along with the biometric?
(Keep in mind I'm not well-versed with biometric auth, as I've never used it.) As you stated, as of now Appwrite is built in a way where the full auth flow needs to happen through it. Here's what I would do, though:
For Signup
- Ask the user for email and password, and use one of the many `create user` endpoints (normal email/password, email/bcrypt hashed pass, email/md5 hashed pass, etc.).
- Run an Appwrite function that is triggered when a new account/user is created, and create a user document in a collection to store that user's data.
- Perform the biometric auth scan, which I assume will return some sort of data. Let's assume it outputs a JSON like so (I'm considering that this token is persistent and won't change):

```json
{
  "user": "user@email.com",
  "token": "cn8023492-ncncnc-1"
}
```

- Store this data inside of the document that was just created.
For Login
- Ask the user to input their email/password combo, and use the appropriate `create session` endpoint to authenticate them.
- Once auth is successful, you will receive a `User` object (can be an `Account` object if you're not on Appwrite v1.3.x).
- Use the `userId` inside of this `User` object to get that user's document, and run the biometric auth.
- Once the user finishes the biometric auth, compare the output of the biometric auth with the data you stored, and perform the appropriate action.
The biometric is supposed to replace password-based auth. I have also not used it before, it's the first time, and it works this way.
The user enters their email, and then authenticates with biometrics. The device and biometric data are saved in another service, but the user identity is still managed with Appwrite. Appwrite supports creation of users without a password, so user creation will work. If the user is not already logged in, I'll request the user's email, and then their biometric data (using the external service). The user is created in Appwrite (if the email isn't attached to an existing account on Appwrite), and the user's ID is sent to the external service with the biometric data to register that device with the biometric.
But for login, there are issues. One is that when a user is created without a password, a password reset will be required when trying to log in. But I want to use biometric auth, and then default to email magic URL auth if the device is new and the email is not.
If it's possible to use the server SDK to create a user session without needing a password, then the flow will be possible.
I want to manage the user's identity using Appwrite, without a separate collection.
Basically, what I need is a way to create a user session server-side without needing a password, even if the user has a password set. This will make it possible for the user to sign in using either their password or their biometric, since I'll just have to collect their email and biometric data, send it to the external service, retrieve a token from the service, swap it with one I create on the server with Appwrite, and then send that to the client.
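The server-side half of the swap described above, and the "compare the output with the data you stored" step in the suggested flow, come down to one thing: never issue an Appwrite session until the external token has been verified. The Python below is an added example (not code from this thread, from Appwrite, or from Passage) showing the checks a practitioner would want on that path. It assumes, as a stand-in for whatever the real service returns, an HS256 JWT signed with a shared secret; the issuer and audience strings, the `mint_external_token` helper (only there to construct sample input) and the `issue_session` hook are hypothetical. The hook is left to the caller because the thread establishes that no password-free server-side session endpoint was available in Appwrite at the time.

```python
"""Token exchange: verify an external auth token, then hand the verified
identity to whatever creates the Appwrite session.

Added example, not Appwrite's or Passage's code. Assumed (not from the
thread): the external service returns an HS256 JWT signed with a shared
secret, and the session issuer is a caller-supplied hook.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed sample configuration; a real deployment loads these from the environment.
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://external-auth.example"      # hypothetical issuer
EXPECTED_AUDIENCE = "appwrite-project-id-placeholder"  # placeholder audience
MAX_CLOCK_SKEW = 30                                    # seconds of tolerance on exp

_seen_jti: set = set()  # replay guard; a real service would back this with a store + TTL


class TokenRejected(Exception):
    """Raised when the external token must not be exchanged for a session."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_external_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT. Exists only to construct sample input for the example;
    in the real flow the external service signs tokens and this server never does."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_external_token(token: str, expected_email: str, now: Optional[float] = None,
                          secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims, or raise TokenRejected. Order matters: the
    signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        actual_sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("undecodable header or signature")
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, actual_sig):   # constant-time compare
        raise TokenRejected("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + MAX_CLOCK_SKEW <= now:
        raise TokenRejected("expired or missing exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("token was not issued for this project")
    # The identity the token asserts must be the identity the client is logging in as.
    if str(claims.get("sub", "")).lower() != expected_email.strip().lower():
        raise TokenRejected("subject does not match the email being logged in")
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:
        raise TokenRejected("missing or replayed jti")
    _seen_jti.add(jti)
    return claims


def exchange_token(token: str, email: str, issue_session: Callable[[str], str],
                   now: Optional[float] = None) -> str:
    """Verify first, then let the hypothetical `issue_session` hook turn the verified
    subject into an Appwrite session (look up or create the user, create the session)."""
    claims = verify_external_token(token, email, now=now)
    return issue_session(claims["sub"])


if __name__ == "__main__":
    sample = mint_external_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                  "sub": "user@email.com", "exp": time.time() + 300,
                                  "jti": "demo-1"})
    print(exchange_token(sample, "user@email.com", lambda sub: f"session-for:{sub}"))
```

Two design points worth keeping even if the real service's token format differs: the subject check ties the external token to the email the client claimed, so a valid token for one account cannot be used to open a session for another, and the `jti` guard means a captured token cannot be exchanged twice.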
Does that service support OAuth2?
For example, I believe you can enable biometrics or some additional factors of authentication in Okta. So, if you have Okta OAuth2 enabled, you could get the same result.
The service is Passage by 1Password: https://passage.1password.com/
I don't think they support OAuth2.
The service uses WebAuthn, so no OAuth2.
I too was thinking about OAuth2, but it's not supported. The authentication is implemented by directly embedding a Passage element on the site. Maybe I'm missing something.
I wonder if you can use some OAuth2 provider that supports WebAuthn/passkeys, like Okta or Auth0.
Actually, I'm building the project for their hackathon, so...
I wanted to build an adapter for Appwrite with Passage. Maybe I'll just focus on other parts, which mostly revolve around handling permissions.
But even if they actually supported OAuth2, Appwrite has a limited set of supported OAuth2 providers. Is there a way to make it work?
I mean, is there a way to add custom OAuth providers not supported by Appwrite?
It's not too hard to add support for another provider.
In the future, we may have an OIDC provider that can support any OIDC provider.
Okay