
Log in to a webpage which uses GitHub OAuth


I want to log in to https://adventofcode.com/2021 programmatically using httr.

I have only a very superficial understanding of the OAuth "dance", so to understand the principles I did the following:

  1. Create an OAuth App on GitHub
  2. Used the following code to authenticate (N.B. I know I could simply use oauth2.0_token but I felt that this workflow helped me to better understand the different messages, which are exchanged).

```r
library(httr)

client_id <- "<my client id>"
base_url <- "https://github.com"
path <- "login/oauth/authorize"
client_secret <- "<my secret>"

## Step 1: build the authorization URL for this OAuth App
url <- modify_url(base_url, path = path,
                  query = list(client_id = client_id,
                               redirect_uri = oauth_callback()))
## Opens the browser and waits on the local callback for the redirect
code <- oauth_listener(url) ## needed to provide credentials in the web browser
## Step 2: exchange the authorization code for an access token
access_token <- POST(modify_url(base_url, path = "login/oauth/access_token"),
                     add_headers(Accept = "application/json"),
                     body = list(client_id = client_id,
                                 client_secret = client_secret,
                                 code = code$code))
## successfully returns the values
## The header value is the scheme followed by the token: "token <access token>"
GET("https://api.github.com/rate_limit",
    add_headers(Authorization = paste("token",
                                      content(access_token)$access_token)))
```

From this example I think I understand the steps as highlighted in the documentation.

However, I fail to see how I could use this to login to https://adventofcode.com/2021. I have, of course, not the client_secret nor can I redirect the response to my localhost (as GitHub requires that the stored callback matches the redirect URI).

Thus, I was wondering how I could programmatically login to https://adventofcode.com/2021 to fetch my task data, say?


Solution

  • I think you are mismatching OAuth2 roles. If you want to use adventofcode.com, you are a resource owner, adventofcode.com is a client and GitHub is an authorization server. So you authenticate, adventofcode.com gets an auth code and then tokens. They can use the tokens to get information about your GitHub account.

    The example code you posted is different - your application is a client that gets a code and tokens from the authorization server (GitHub) after a user was authenticated and gave consent to passing the tokens to your app (permission delegation). So you probably cannot include adventofcode.com into this scenario.

    The only way is if adventofcode.com takes the role of a resource server and their API accepts GitHub tokens from different clients. But I know nothing about their API.
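
The role split described in this answer, as an added example that is not part of the original answer and is not GitHub's or adventofcode.com's code: a base-R model of the two checks an authorization server applies to an authorization code. The client ids, secrets, callback URLs and function names are constructed, and the model assumes exact-match callback checking.

```r
# Constructed model of an authorization server; every id, secret and URL
# below is a made-up sample value, not taken from GitHub or adventofcode.com.
clients <- list(
  site_client = list(secret = "site-secret",
                     callback = "https://site.example/auth/github/callback"),
  my_script   = list(secret = "my-secret",
                     callback = "http://localhost:1410/")
)
codes <- new.env()   # live authorization codes -> client_id they belong to
issued <- 0          # counter so that codes are never reused

# Step 1: authorization request. The code is delivered only to the callback
# registered for client_id, so the redirect_uri must match it.
authorize <- function(client_id, redirect_uri, state) {
  client <- clients[[client_id]]
  if (is.null(client)) stop("unknown client_id")
  if (!identical(redirect_uri, client$callback)) stop("redirect_uri mismatch")
  issued <<- issued + 1
  code <- paste0("code-", issued)
  assign(code, client_id, envir = codes)
  list(redirect_to = client$callback, code = code, state = state)
}

# Step 2: token request. It needs the secret of the client the code was
# issued to, and a code can be redeemed only once.
exchange <- function(client_id, client_secret, code) {
  client <- clients[[client_id]]
  if (is.null(client) || !identical(client_secret, client$secret))
    stop("bad client credentials")
  if (!exists(code, envir = codes, inherits = FALSE) ||
      !identical(get(code, envir = codes), client_id))
    stop("code was not issued to this client")
  rm(list = code, envir = codes)
  paste0("token-for-", client_id)
}

attempt <- function(expr)
  tryCatch(expr, error = function(e) paste("rejected:", conditionMessage(e)))

# Your own OAuth App (the question's code): both steps succeed.
state <- "sample-state"   # a fresh random value per request in practice
cb <- authorize("my_script", "http://localhost:1410/", state)
stopifnot(identical(cb$state, state))   # client checks state on the callback
print(attempt(exchange("my_script", "my-secret", cb$code)))

# A local script acting for the site's client is rejected at both steps.
print(attempt(authorize("site_client", "http://localhost:1410/", state)))
site_cb <- authorize("site_client", clients$site_client$callback, state)
print(attempt(exchange("my_script", "my-secret", site_cb$code)))
```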