...

Eric Woods and Matthew Marum are implementing support for OAuth 2.0 in Apache Shindig.  This article provides an overview of the implementation, including the high-level design, supported flows, common how-tos, descriptions of classes, and future considerations.

...

Note that the implementation is still evolving, so consider this design document to be a draft.

High Level Design

All OAuth 2.0 requests are received by the OAuth2Servlet.  The spec defines two OAuth 2.0 endpoints, the authorization endpoint and the token endpoint, which Shindig exposes as /oauth/authorize and /oauth/token.  The servlet does little more than dispatch: requests to /oauth/authorize are delegated to the OAuth2AuthorizationHandler and requests to /oauth/token to the OAuth2TokenHandler.

The first thing either handler does is normalize the incoming OAuth 2.0 request using the OAuth2NormalizedRequest class.  This class receives the incoming HttpServletRequest and normalizes all OAuth 2.0-related fields.  For example, a pre-registered client may authenticate using HTTP Basic authentication or by including "client_secret" as a request parameter (the spec permits the secret only in the request body, never in the query string, and recommends Basic authentication).  These permutations make it difficult to process an incoming request consistently.  OAuth2NormalizedRequest makes the client secret accessible via getClientSecret() regardless of the authentication method used, and likewise normalizes how a token was passed, how the grant type was specified, and so on.  Two cases a normalizer has to handle deliberately: a request that presents more than one client authentication method should be rejected rather than silently preferring one, and a client_id sent both in the Basic header and as a parameter must agree.
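As an added illustration of that normalization step (example code written for this page, not Shindig's OAuth2NormalizedRequest), the class below takes the two parts of the HTTP request that matter for client authentication, the Authorization header and the already-decoded request parameters, in place of a real HttpServletRequest, and yields one view of the client credentials whichever way they arrived. The ClientCredentials class, the method labels and the error strings are illustrative names; the sample input in main is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

/**
 * Example stand-in for the normalization step (not Shindig's OAuth2NormalizedRequest).
 * It takes the Authorization header and the decoded request parameters instead of a
 * servlet request so that it runs stand-alone.
 */
public final class ClientCredentialNormalizer {

    /** Normalized view of how the client identified itself. */
    public static final class ClientCredentials {
        public final String clientId;
        public final String clientSecret; // null for a public client
        public final String method;       // "basic", "body" or "none"

        ClientCredentials(String clientId, String clientSecret, String method) {
            this.clientId = clientId;
            this.clientSecret = clientSecret;
            this.method = method;
        }
    }

    /**
     * Returns client_id/client_secret whether they arrived in an HTTP Basic
     * Authorization header or as request parameters.
     *
     * @param authorizationHeader value of the Authorization header, or null if absent
     * @param params request parameters (first value of each, as with getParameter)
     * @throws IllegalArgumentException with an OAuth error code if the credentials are
     *         malformed or more than one authentication method is used (RFC 6749, section 2.3)
     */
    public static ClientCredentials normalize(String authorizationHeader, Map<String, String> params) {
        String paramId = params.get("client_id");
        String paramSecret = params.get("client_secret");

        if (authorizationHeader != null && authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            // Basic credentials are base64(client_id ":" client_secret).
            String decoded;
            try {
                byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
                decoded = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException("invalid_client: malformed Basic credentials");
            }
            int colon = decoded.indexOf(':');
            if (colon <= 0) {
                throw new IllegalArgumentException("invalid_client: malformed Basic credentials");
            }
            String basicId = decoded.substring(0, colon);
            String basicSecret = decoded.substring(colon + 1);
            // Using two authentication methods in one request is an error, not a fallback.
            if (paramSecret != null) {
                throw new IllegalArgumentException("invalid_request: multiple client authentication methods");
            }
            // client_id may be repeated as a parameter, but then it must agree with the header.
            if (paramId != null && !paramId.equals(basicId)) {
                throw new IllegalArgumentException("invalid_request: client_id mismatch");
            }
            return new ClientCredentials(basicId, basicSecret, "basic");
        }

        if (paramId == null) {
            throw new IllegalArgumentException("invalid_client: missing client_id");
        }
        if (paramSecret != null) {
            return new ClientCredentials(paramId, paramSecret, "body");
        }
        return new ClientCredentials(paramId, null, "none"); // public client, no secret
    }

    public static void main(String[] args) {
        // Constructed sample input: the same client authenticating both ways, then both at once.
        String encoded = Base64.getEncoder().encodeToString("app1:s3cret".getBytes(StandardCharsets.UTF_8));
        ClientCredentials viaHeader = normalize("Basic " + encoded, Map.of("grant_type", "authorization_code"));
        ClientCredentials viaBody = normalize(null, Map.of("client_id", "app1", "client_secret", "s3cret"));
        System.out.println(viaHeader.clientId + " authenticated via " + viaHeader.method);
        System.out.println(viaBody.clientId + " authenticated via " + viaBody.method);
        try {
            normalize("Basic " + encoded, Map.of("client_id", "app1", "client_secret", "s3cret"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of routing every variant through one method is that downstream code (client authentication, grant validation) never has to know which transport the secret used. Two details left out for brevity: RFC 6749 section 2.3.1 requires client_id and client_secret to be form-url-encoded before they are base64-encoded into the Basic header, so a full implementation decodes both halves after splitting on the colon; and the same uniform treatment applies to access tokens, which may arrive in an Authorization: Bearer header or as a parameter.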

After normalization, the request is processed.  There are two distinct layers for processing an OAuth request: OAuth2Service and OAuth2DataService.  The OAuth2Service handles all OAuth processing and enforcement as defined by the OAuth 2.0 specification.  For example, the OAuth2Service handles client authentication and request validation for an authorization code, access token, refresh token, or resource.  The OAuth2Service also handles generation of authorization codes, access tokens, and refresh tokens.

The second layer, OAuth2DataService, represents the data store that manages authorization codes, access tokens, refresh tokens, and their association with a pre-registered client.  For example, the OAuth2DataService handles registering/unregistering the various OAuth 2.0 codes/tokens, retrieving a client by ID, and retrieving a code/token by value.  Keeping protocol decisions out of this layer is what lets the store be swapped (in-memory for tests, a database in production) without touching the enforcement logic.
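An added sketch of the two-layer split for the authorization-code grant (example code written for this page, not Shindig's OAuth2Service or OAuth2DataService): the service layer authenticates the client, validates the code and issues tokens, while the data layer only registers, looks up and removes records. The interface and class names, the in-memory store and the sample client and code in main are all illustrative constructions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Example sketch of the service/data split (not Shindig's OAuth2Service/OAuth2DataService):
 * the service layer enforces the protocol rules, the data layer only stores and looks up.
 */
public final class CodeExchangeExample {

    /** Data layer: registration and lookup only, no protocol decisions. */
    interface DataService {
        Client getClient(String clientId);
        AuthCode getAuthorizationCode(String code);
        void unregisterAuthorizationCode(String code);
        void registerToken(Token token);
    }

    /** A pre-registered confidential client (has a secret). */
    static final class Client {
        final String id, secret, redirectUri;
        Client(String id, String secret, String redirectUri) { this.id = id; this.secret = secret; this.redirectUri = redirectUri; }
    }
    /** An authorization code bound to the client and redirect_uri it was issued for. */
    static final class AuthCode {
        final String value, clientId, redirectUri; final long expiresAtMillis;
        AuthCode(String value, String clientId, String redirectUri, long expiresAtMillis) {
            this.value = value; this.clientId = clientId; this.redirectUri = redirectUri; this.expiresAtMillis = expiresAtMillis;
        }
    }
    static final class Token {
        final String value, clientId, kind; // kind is "access" or "refresh"
        Token(String value, String clientId, String kind) { this.value = value; this.clientId = clientId; this.kind = kind; }
    }

    /** Service layer: client authentication, grant validation and token issuance. */
    static final class Service {
        private final DataService data;
        private final SecureRandom random = new SecureRandom();
        Service(DataService data) { this.data = data; }

        /** Handles grant_type=authorization_code; throws with an OAuth error code on failure. */
        Map<String, String> exchangeCode(String clientId, String clientSecret, String code, String redirectUri, long nowMillis) {
            Client client = data.getClient(clientId);
            if (client == null || clientSecret == null || !constantTimeEquals(client.secret, clientSecret)) {
                throw new IllegalArgumentException("invalid_client");
            }
            AuthCode ac = data.getAuthorizationCode(code);
            // The code must exist, belong to this client, be unexpired and match the redirect_uri it was issued for.
            if (ac == null || !ac.clientId.equals(clientId) || nowMillis >= ac.expiresAtMillis
                    || !ac.redirectUri.equals(redirectUri)) {
                throw new IllegalArgumentException("invalid_grant");
            }
            data.unregisterAuthorizationCode(code); // authorization codes are single use
            Token access = new Token(randomToken(), clientId, "access");
            Token refresh = new Token(randomToken(), clientId, "refresh");
            data.registerToken(access);
            data.registerToken(refresh);
            Map<String, String> response = new HashMap<>();
            response.put("access_token", access.value);
            response.put("refresh_token", refresh.value);
            response.put("token_type", "bearer");
            return response;
        }

        private String randomToken() {
            byte[] bytes = new byte[32]; // 256 bits from a CSPRNG; tokens are bearer credentials
            random.nextBytes(bytes);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        }

        private static boolean constantTimeEquals(String a, String b) {
            return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** In-memory data service, enough to run the example. */
    static final class InMemoryDataService implements DataService {
        final Map<String, Client> clients = new HashMap<>();
        final Map<String, AuthCode> codes = new HashMap<>();
        final Map<String, Token> tokens = new HashMap<>();
        public Client getClient(String clientId) { return clients.get(clientId); }
        public AuthCode getAuthorizationCode(String code) { return codes.get(code); }
        public void unregisterAuthorizationCode(String code) { codes.remove(code); }
        public void registerToken(Token token) { tokens.put(token.value, token); }
    }

    public static void main(String[] args) {
        InMemoryDataService data = new InMemoryDataService();
        long now = System.currentTimeMillis();
        // Constructed sample: one registered client and one authorization code issued to it.
        data.clients.put("app1", new Client("app1", "s3cret", "https://app.example/cb"));
        data.codes.put("abc123", new AuthCode("abc123", "app1", "https://app.example/cb", now + 60_000));
        Service service = new Service(data);
        Map<String, String> issued = service.exchangeCode("app1", "s3cret", "abc123", "https://app.example/cb", now);
        System.out.println("issued access token " + issued.get("access_token"));
        try {
            service.exchangeCode("app1", "s3cret", "abc123", "https://app.example/cb", now); // replay of a used code
        } catch (IllegalArgumentException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

Everything that the spec makes a security decision (secret comparison, code ownership, expiry, redirect_uri binding, single use) lives in Service; DataService has no opinion about any of it. That is the property worth preserving when the store is replaced: a data layer that quietly "fixes up" a mismatched client or returns an expired code as valid moves enforcement to a place nobody audits.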

Supported Flows

How-Tos

How to Register a Client

...