Requirements:
- P2G will use the user's Garmin credentials to get both an OAuth1 and an OAuth2 token
- P2G will save the OAuth1 and OAuth2 tokens encrypted at rest
- The OAuth1 token is expected to last 1 year
- The OAuth2 token is expected to last 24 hr
- When the user changes their Garmin credentials, all saved tokens should be cleared
- When the user toggles 2FA enabled, all saved tokens should be cleared
- If an OAuth2 token exists and is not expired, P2G will use this token for Garmin requests
- If the OAuth2 token is missing or expired, P2G will attempt to refresh with the OAuth1 token
- If the OAuth1 token is missing or fails to refresh, then P2G will fall back to the Garmin sign-in flow using the user's credentials
- During sign-in, if MFA is needed, the user will be prompted
- If Sync is enabled, the Sync service will wait until the user has completed the MFA flow at least once and an OAuth2 token has been stored
- GUIs - the user should be prompted to go through the MFA flow when they enable the Sync setting
- Console - the user should be prompted to go through MFA before starting background sync
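The token lifecycle these requirements describe (encrypted store, OAuth2 if still valid, otherwise re-exchange via the year-long OAuth1 token, otherwise a full credential sign-in that may prompt for MFA, and a full clear when credentials or 2FA change) is modelled below as an added example. It is not P2G's code, and it is written in Python rather than the project's C# so that it runs stand-alone. Everything Garmin-specific is assumed: `fake_exchange` and `fake_signin` are constructed stand-ins for Garmin's endpoints, the token lifetimes are taken as seconds, and the `SealedFile` encrypt-then-MAC scheme is a demonstration construction, not what P2G uses.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional

# Lifetimes as stated in the issue, treated as seconds here (assumption); SKEW expires tokens a little early.
OAUTH1_TTL, OAUTH2_TTL, SKEW = 365 * 24 * 3600, 24 * 3600, 60


class SealedFile:
    """Tokens at rest, encrypt-then-MAC: SHA-256 keystream plus HMAC-SHA256 tag.
    Demo construction only; real code should use an AEAD such as AES-GCM or the OS key store."""
    def __init__(self, path: str, key: bytes) -> None:
        self.path = path
        self.enc_key = hashlib.sha256(b"enc" + key).digest()
        self.mac_key = hashlib.sha256(b"mac" + key).digest()
    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        stream = b"".join(hashlib.sha256(self.enc_key + nonce + i.to_bytes(4, "big")).digest()
                          for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, stream))
    def write(self, data: dict) -> None:
        nonce = os.urandom(16)
        ct = self._xor(nonce, json.dumps(data).encode())
        with open(self.path, "wb") as f:
            f.write(nonce + ct + hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest())
    def read(self) -> Optional[dict]:
        if not os.path.exists(self.path):
            return None
        with open(self.path, "rb") as f:
            blob = f.read()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            return None  # wrong key or tampered file: behave as if nothing is cached
        return json.loads(self._xor(nonce, ct))
    def clear(self) -> None:
        if os.path.exists(self.path):
            os.remove(self.path)


class GarminAuth:
    """Selection order from the issue: unexpired OAuth2 -> re-exchange via OAuth1 -> full sign-in (MFA)."""
    def __init__(self, store, email, password, exchange, signin, mfa_prompt, clock) -> None:
        self.store, self.email, self.password = store, email, password
        self.exchange, self.signin, self.mfa_prompt, self.clock = exchange, signin, mfa_prompt, clock
    def invalidate(self) -> None:
        """Credentials changed or 2FA toggled: every saved token is dropped."""
        self.store.clear()
    def get_oauth2(self) -> tuple:
        """Return (token, branch); branch records which path produced the token."""
        now = self.clock()
        cached = self.store.read() or {}
        o2, o1 = cached.get("oauth2"), cached.get("oauth1")
        if o2 and o2["expires_at"] > now + SKEW:
            return o2["value"], "cached"
        if o1 and o1["expires_at"] > now + SKEW:
            try:  # no refresh token is used: the OAuth1 token is re-exchanged for a fresh OAuth2 token
                cached["oauth2"] = {"value": self.exchange(o1["value"]), "expires_at": now + OAUTH2_TTL}
                self.store.write(cached)
                return cached["oauth2"]["value"], "exchanged"
            except RuntimeError:
                pass  # OAuth1 rejected: fall through to the credential sign-in flow
        o1_val, o2_val = self.signin(self.email, self.password, self.mfa_prompt)  # may prompt for MFA
        self.store.write({"oauth1": {"value": o1_val, "expires_at": now + OAUTH1_TTL},
                          "oauth2": {"value": o2_val, "expires_at": now + OAUTH2_TTL}})
        return o2_val, "signin"


def demo() -> list:
    """Walk the lifecycle against constructed fake Garmin endpoints; returns the branch taken per step."""
    clock = {"t": 1_700_000_000.0}

    def fake_exchange(oauth1):  # constructed stand-in for Garmin's OAuth1 -> OAuth2 exchange
        if oauth1 == "revoked":
            raise RuntimeError("exchange refused")
        return "o2-fresh"
    def fake_signin(email, password, mfa_prompt):  # constructed stand-in for the Garmin sign-in flow
        mfa_prompt()  # Garmin asks for the MFA code; the prompt callback supplies it
        return "o1-main", "o2-signin"

    path = os.path.join(tempfile.mkdtemp(), "garmin-tokens.bin")
    auth = GarminAuth(SealedFile(path, b"constructed-demo-key"), "user@example.com", "hunter2",
                      fake_exchange, fake_signin, lambda: "123456", lambda: clock["t"])
    steps = [auth.get_oauth2()[1]]       # nothing cached -> signin (MFA prompted)
    steps.append(auth.get_oauth2()[1])   # OAuth2 still valid -> cached
    clock["t"] += OAUTH2_TTL + 1         # a day later: OAuth2 expired
    steps.append(auth.get_oauth2()[1])   # -> exchanged via the year-long OAuth1 token
    auth.invalidate()                    # user toggled 2FA (or changed credentials)
    steps.append(auth.get_oauth2()[1])   # empty store -> signin again
    clock["t"] += OAUTH2_TTL + 1
    data = auth.store.read()
    data["oauth1"]["value"] = "revoked"  # Garmin will refuse this OAuth1 token
    auth.store.write(data)
    steps.append(auth.get_oauth2()[1])   # exchange fails -> signin fallback
    with open(path, "r+b") as f:         # flip one ciphertext byte; the MAC check must reject the file
        f.seek(20); b = f.read(1)[0]; f.seek(20); f.write(bytes([b ^ 1]))
    steps.append("rejected" if auth.store.read() is None else "accepted")
    return steps
```

Two design points worth noting: a tampered or wrong-key token file is treated exactly like an empty one, so the worst case is an extra sign-in rather than a crash or a silently corrupted token, and the invalidation on credential or 2FA changes is a single unconditional clear, which keeps the "tokens belong to this credential set" invariant trivial to audit.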
Out of Scope:
- Fully removing the dependency on the user's credentials - while this would be nice to do so that P2G never saved the email/password, it's a large lift to do this right now and requires re-thinking much of the P2G onboarding flow as well as handling scenarios when credentials do need to be asked for if tokens are lost or expired
- GitHub Action - GHA does not support any way to get user input during runtime, nor does it support saving data to disk, meaning the existing console support for MFA will not work. And once OAuth tokens are obtained, they cannot be saved by P2G. In order to support MFA, I believe I'd need to create some kind of multi-step "initialization" workflows that allow the user to get their OAuth tokens and then manually save those as secrets to the repo.
Reference for how to refresh the auth token. Apparently, we do not use the Refresh Token; instead we save the OAuth1Token (which lasts up to a year) and use that to re-exchange for OAuth2 whenever needed.
Now that we're using the Garth pattern for authentication (#524), it seems possible to save a long-lived access token. This opens a few possibilities:
Explore these options and see what is feasible.