Feature #7001
closed
develop OAuthAuthenticator
Added by Reynaud Sylvain over 10 years ago.
Updated over 10 years ago.
Description
This would enable use-cases where delegation of user permission is required:
- do not set @authorized
- function user() will return the user token. Use it to build the URL parameter of HTTPConnector.
Check:
- if redirection supports XPath syntax in URL
- if redirect URI must be registered
- Description updated
see: http://tutorials.jenkov.com/oauth2/authorization.html
Implementation:
Authorization code grant
request="lavoisier/view"
-> redirectException (302) to server URL with parameters in URL:
- response_type="code"
- client_id
- redirect_uri
next request is "lavoisier/view?code=xxx"
ResponsibilityHandler of OAuth2 says YES
use of Oltu API to get the access_token from the Authorization server
sets the access_token in the AuthenticatedUser
Implicit grant (less secure as the access_token is sent to the web browser through the URL)
request="lavoisier/view"
-> redirectException (302) to server URL with parameters in URL:
- response_type="token"
- client_id
- redirect_uri
next request is "lavoisier/view?access_token=xxx"
ResponsibilityHandler of OAuth2 says YES
if access_token is expired: RedirectException 302
otherwise sets the access_token in the AuthenticatedUser
The full path (operation + view + xpath + query + fragment) is sent in the "state" parameter when calling the auth server. The redirect URI is always the URL of the redirect operation (this operation rebuilds the user request with elements found in the "state" parameter).
Advantages:
- no need for OAuth server to deal with redirect URL with query and xpath (for example google does not support this)
- the user has only one URI (the Lavoisier redirect URL) to register in their account for authorization
- Status changed from New to Resolved
- Target version changed from later to 2.1.1
implemented with the Authorization code grant
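The authorization code grant and the "state" handling described in the notes above, as an added Python example; it is not Lavoisier code (the project is Java and does the token exchange with Apache Oltu), and the endpoint URLs, client_id, redirect URI and the in-memory token endpoint are constructed assumptions. It goes beyond the note in one respect: the state value carries a per-session nonce next to the request path, which the redirect operation checks before trusting the callback, because a state holding only the path gives no protection against an attacker steering a victim to the redirect URI with the attacker's own code (OAuth CSRF). The stand-in token endpoint also rejects a reused code, as RFC 6749 requires.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example, not Lavoisier configuration.
AUTH_ENDPOINT = "https://auth.example/oauth2/authorize"
CLIENT_ID = "lavoisier"
# The single URI registered at the authorization server: the redirect operation.
REDIRECT_URI = "https://lavoisier.example/lavoisier/redirect"


def encode_state(original_request: str, nonce: str) -> str:
    """Pack the full user request (operation + view + xpath + query + fragment)
    with a per-session nonce into the opaque "state" value (base64url, no padding)."""
    payload = json.dumps({"nonce": nonce, "request": original_request},
                         separators=(",", ":"))
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def decode_state(state: str) -> dict:
    """Inverse of encode_state; restores the stripped base64 padding."""
    padded = state + "=" * (-len(state) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode())


def new_session_nonce() -> str:
    """Unguessable value kept in the server-side session before redirecting."""
    return secrets.token_urlsafe(16)


def authorization_redirect(original_request: str, session_nonce: str) -> str:
    """Location header of the 302 raised when the user is not yet authorized."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": encode_state(original_request, session_nonce),
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def state_from_location(location: str) -> str:
    """The state parameter the authorization server will echo back unchanged."""
    return parse_qs(urlparse(location).query)["state"][0]


def callback_url(code: str, state: str) -> str:
    """The browser's follow-up request to the registered redirect URI."""
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint (the real exchange would go
    through Oltu). Codes are single-use: a replayed code must fail."""

    def __init__(self, issued: dict):
        self._codes = dict(issued)  # code -> access_token

    def exchange(self, code: str, redirect_uri: str) -> str:
        if redirect_uri != REDIRECT_URI:
            raise PermissionError("redirect_uri does not match the registered one")
        token = self._codes.pop(code, None)  # pop: a second use finds nothing
        if token is None:
            raise PermissionError("unknown or already used code")
        return token


def handle_redirect_operation(callback: str, session_nonce: str,
                              token_endpoint: FakeTokenEndpoint) -> tuple:
    """The redirect operation: check state against the session, exchange the
    code for an access_token, and rebuild the original request from state."""
    query = parse_qs(urlparse(callback).query)
    if "error" in query:
        raise PermissionError("authorization server returned " + query["error"][0])
    state = decode_state(query["state"][0])
    # Constant-time compare; a mismatch means this session never started the flow.
    if not hmac.compare_digest(state["nonce"], session_nonce):
        raise PermissionError("state nonce does not match session")
    access_token = token_endpoint.exchange(query["code"][0], REDIRECT_URI)
    # Caller stores access_token in the AuthenticatedUser and re-dispatches
    # the rebuilt request (e.g. "lavoisier/view?...").
    return state["request"], access_token


def demo() -> tuple:
    """Round trip on a constructed request and a constructed code/token pair."""
    original = "lavoisier/view/job[@id='42']?mode=xml#frag"
    nonce = new_session_nonce()
    location = authorization_redirect(original, nonce)
    callback = callback_url("c0de", state_from_location(location))
    return handle_redirect_operation(callback, nonce, FakeTokenEndpoint({"c0de": "tok-abc"}))


if __name__ == "__main__":
    print(demo())
```

The nonce check is what turns the "state" parameter back into the CSRF defence the OAuth2 spec intends; the request path can still ride along in it, so the single registered redirect URI is kept.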