Feature #7001: develop OAuthAuthenticator
Status: closed
Description
- do not set @authorized
- function user() will return the user token. Use it to build the URL parameter of HTTPConnector.
- if redirection supports XPath syntax in URL
- if redirect URI must be registered
Updated by Schwarz Lionel over 10 years ago
see: http://tutorials.jenkov.com/oauth2/authorization.html
Implementation:
Authorization code grant
request="lavoisier/view" -> redirectException (302) to server URL with parameters in URL:
- response_type="code"
- client_id
- redirect_uri
next request is "lavoisier/view?code=xxx"
ResponsibilityHandler of OAuth2 says YES
use of Oltu API to get the access_token from the Authorization server
sets the access_token in the AuthenticatedUser
Implicit grant (less secure as the access_token is sent to the web browser through the URL)
request="lavoisier/view" -> redirectException (302) to server URL with parameters in URL:
- response_type="token"
- client_id
- redirect_uri
next request is "lavoisier/view?access_token=xxx"
ResponsibilityHandler of OAuth2 says YES
if access_token is expired: RedirectException 302
otherwise sets the access_token in the AuthenticatedUser
Updated by Schwarz Lionel over 10 years ago
The full path (operation + view + xpath + query + fragment) is sent in the "state" parameter when calling the auth server. The redirect URI is always the URL of the redirect operation (this operation rebuilds the user request with the elements found in the "state" parameter).
Advantages:
- no need for OAuth server to deal with redirect URL with query and xpath (for example google does not support this)
- the user has only 1 URI (the Lavoisier redirect URL) to register in its account for authorization
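As an added illustration (not Lavoisier's own code, which uses the Oltu API), a Python sketch of the authorization code redirect from the first comment together with the "state" encoding of the second: the auth server URL, client_id, redirect operation path and the HMAC tag on "state" are assumptions not in the ticket.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the ticket names none of these.
AUTH_SERVER = "https://auth.example.test/authorize"
CLIENT_ID = "lavoisier-client"
REDIRECT_URI = "https://lavoisier.example.test/lavoisier/oauth2redirect"  # hypothetical redirect operation
STATE_KEY = secrets.token_bytes(32)  # assumption: per-process secret for tagging state

def encode_state(full_path: str) -> str:
    # Carry the full request (operation + view + xpath + query + fragment) in state.
    # The HMAC tag is an addition to the ticket: the redirect operation can then
    # reject a state it did not issue itself.
    tag = hmac.new(STATE_KEY, full_path.encode(), hashlib.sha256).hexdigest()
    return tag + "." + full_path

def decode_state(state: str) -> Optional[str]:
    # Returns the original path, or None when the tag is missing or does not verify.
    tag, sep, full_path = state.partition(".")
    if not sep:
        return None
    expected = hmac.new(STATE_KEY, full_path.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return full_path

def build_authorization_redirect(full_path: str) -> str:
    # Location of the 302 sent to the browser; redirect_uri is always the same,
    # so only this one URI has to be registered at the authorization server.
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": encode_state(full_path),
    }
    return AUTH_SERVER + "?" + urlencode(params)

def handle_redirect(callback_url: str) -> Optional[Tuple[str, str]]:
    # Parse ?code=...&state=... on the redirect operation and rebuild the user's request.
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    if code is None or state is None:
        return None
    full_path = decode_state(state)
    return None if full_path is None else (code, full_path)  # next: exchange code for access_token
```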
Updated by Schwarz Lionel over 10 years ago
- Status changed from New to Resolved
- Target version changed from later to 2.1.1
implemented with the Authorization code grant