Project

General

Profile

Actions

Feature #7001

closed

develop OAuthAuthenticator

Added by Reynaud Sylvain over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Adaptors
Target version:
Start date:
04/25/2014
Due date:
% Done:

0%

Estimated time:

Description

This would enable use-cases where delegation of user permission is required:
  • do not set @authorized
  • function user() will return the user token. Use it to build the URL parameter of HTTPConnector.
Check:
  • if redirection supports XPath syntax in URL
  • if redirect URI must be registered
Actions #1

Updated by Reynaud Sylvain over 10 years ago

  • Description updated (diff)
Actions #2

Updated by Schwarz Lionel over 10 years ago

see: http://tutorials.jenkov.com/oauth2/authorization.html

Implementation:

Authorization code grant

request="lavoisier/view"
-> redirectException (302) to server URL with parameters in URL:
  • response_type="code"
  • client_id
  • redirect_uri

next request is "lavoisier/view?code=xxx"
ResponsibilityHandler of OAuth2 says YES
use of Oltu API to get the access_token from the Authorization server
sets the access_token in the AuthenticatedUser

Implicit grant (less secure as the access_token is sent to the web browser through the URL)

request="lavoisier/view"
-> redirectException (302) to server URL with parameters in URL:
  • response_type="token"
  • client_id
  • redirect_uri

next request is "lavoisier/view?access_token=xxx"
ResponsibilityHandler of OAuth2 says YES
if access_token is expired: RedirectException 302
otherwise sets the access_token in the AuthenticatedUser

Actions #3

Updated by Schwarz Lionel over 10 years ago

The full path (operation + view +xpath +query + fragment) is sent in the "state" parameter when calling auth server. The redirect URI is always the URL od the redirect operation (this operation rebuilds the user request with elements found in the "state" parameter.

Advantages:
- no need for OAuth server to deal with redirect URL with query and xpath (for example google does not support this)
- the user has only 1 URI (the Lavoisier redirect URL) to register in its account for authorization

Actions #4

Updated by Schwarz Lionel over 10 years ago

  • Status changed from New to Resolved
  • Target version changed from later to 2.1.1

implemented with the Authorization code grant

Actions

Also available in: Atom PDF