🤓 Introducing Oto, the man in the middle.

A story about OAuth 2, and a tool to use it on static, client-side apps.

Jun 7 · 3 min read

As a developer, I love to use APIs.
Moreover, I love to use others’ APIs, and integrate them in my apps.
Like getting stuffs from GitHub, LinkedIN, allowing my users to see their data in my tools.

Photo by David Sinclair on Unsplash

But I don’t want to ask my users their credentials for these services (and they wouldn’t probably give them!).
So, I have to use the OAuth 2 protocol.

OAuth 2 is a tool used by services to allow third-party apps’ developers (like me! I’m a third-party developer! Woot!) to access the services’ data of users, with their approval.

I will not describe OAuth 2 in depth, but here’s the big picture: when you create an app, you need to register it on the service you want to use the API.
They will give you two important things: a public access id, which is not secret and can be stored in your code ; and a private access key, which is, huh, secret, and can’t be shared.
When one of your user needs to use the API in your app, they will be redirected on a login page outside your site, on the original service (the login page of GitHub, for instance). The user log himself, and the service redirect him on your app, with a unique code.
Then, your app will contact the service, with the unique code, your public access id and your private access key. The service know that everything’s okay, and will respond you with a token, that you will use for any request to the API.

And that’s all. It sounds complicated, but it’s quite easy.

But there’s a small problem: OAuth 2 is not really designed to be used on client-side only apps, like PWA.
As I said, the private access key needs to stay private.

So… we need a server. But we don’t really want one, since we would like to have static apps.
That’s a tough one.

But what if I told you we can have a server… without a server?
We can use a serverless platform, like AWS Lambda: it’s basically a simple piece of code (a function), bound to an URL, that will be executed when the URL is touched. Simple as f*%.

And then, we can have a small piece of code that will know our private access key for OAuth 2, and will make the last step of the challenge.
Let me introduce you oto, the man in the middle, the little piece of code to run that.

Photo by chris panas on Unsplash

For now, it only supports GitHub, but I will add more services in the future.
You can run it locally, or simple use the serverless framework to deploy it on your AWS account.
And, last but not least, its able to handle multiple services and keys at once, simplifying your workflow!


BeCode: Learn to code, get a job !


Written by


Pierre-Antoine Delnatte, 33 ans, dev freelance hyperactif, professeur dans l'âme, maître du monde en dilettante, vieille à chats.



BeCode: Learn to code, get a job !

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade