Still under construction ... more details coming soon ...
OAuth 2.0 Consumer for Apache Shindig
Adam Clarke, Eric Woods, Jeff Hoy, Li Xu and Matthew Marum are implementing support for an OAuth 2.0 Service Consumer in Apache Shindig. This article provides an overview of the implementation including high level design, supported flows, common How-Tos, and future considerations.
The OAuth 2.0 specification is here: http://tools.ietf.org/html/draft-ietf-oauth-v2-21
For more information on the related (but still separate) OAuth 2.0 Service Provider Implementation in Apache Shindig click here
Also being tracked at https://issues.apache.org/jira/browse/SHINDIG-1624
Overview
- The OAuth 2.0 Consumer proposal is the combination of a small number of changes to the gadget spec and gadgets.io.makeRequest() API to allow gadgets running in an OpenSocial container to make proxied HttpRequests to service providers protected by OAuth 2.0.
- The Shindig 3.0.0. Java Reference Implementation is an OAuth 2.0-v21 spec compliant server side implementation that supports Authorization Code (3-legged) and Client Credentials (2-legged) flows.
- It has been tested against Google API, Facebook API and the Shindig Provider developed by Matt and Eric with the "Bearer" Token Type.
- The reference implementation can be extended (via Guice binding injections) to support additional Client Authentication requirements, Grant Types, Token Types, Authorization Responses and Token Responses.
- The default OAuth2Request and OAuth2Store implementations offer other plugin points required for production-ready OAuth 2.0 deployments. Persistence, Caching and Secret Encryptpion.
Spec Considerations
Currently a gadget declares it's intent to use gadgets.io.makeRequest() to access external resources protected by OAuth 1.with an <OAuth> Service declaration
<!-- Existing OAuth 1.0 definition --> <ModulePrefs title="Demo 3-legged OAuth to Shindig"> <OAuth> <Service name="shindig"> <Request url="http://localhost:8080/oauth/requestToken" /> <Authorization url="http://localhost:8080/oauth/authorize?oauth_callback=http://localhost:8080/gadgets/oauthcallback" /> <Access url="http://localhost:8080/oauth/accessToken" /> </Service> </OAuth> <Require feature="oauthpopup" /> </ModulePrefs>
Because OAuth 1 and 2 are incompatible and some of the terminology has changed a new OAuth 2 Service declaration has been proposed here and is the basis of the implementation in Shindig.
<!-- Proposed new OAuth 2.0 definition --> <ModulePrefs title="OAuth2 Demo Gadget -- Authorization Code"> <OAuth2> <!-- name and scope are optional --> <Service name="shindig" scope="defaultGadgetScope" > <!-- authorization and token endpoint urls are optional --> <Authorization url="http://localhost:8080/oauth2/authorize" /> <Token url="http://localhost:8080/oauth2/token" /> </OAuth2> <Require feature="oauthpopup" /> </ModulePrefs>
<Authorization> and <Token> urls are optional in the gadget spec. If they are not explicitly defined in the gadget spec they must be bound on the server. OAuth 2.0 gadget-to-endpoint binding is left up to the server implementation.
After a gadget has declared it's intent to access OAuth 2.0 protected resources with the <OAuth2> service declaration it can use gadgets.io.makeRequest() in a manner almost identical to OAuth 1.0. This assumes that the Authorization and Token endpoints have been bound correctly on the server and correct OAuth 2.0 clients are registered.
function fetchData() { url = "http://localhost:8080/social/rest/people/@me/@friends/"; var params = {}; params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.TEXT; params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.OAUTH2; params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.GET; params[gadgets.io.RequestParameters.OAUTH_SERVICE_NAME] = "shindig"; params[gadgets.io.RequestParameters.OAUTH_SCOPE] = "requestScopeOverridesGadgetDefault"; params[gadgets.io.RequestParameters.REFRESH_INTERVAL] = "0"; gadgets.io.makeRequest(url, function (response) { if (response.oauthApprovalUrl) { var onOpen = function() { showOneSection('waiting'); }; var onClose = function() { fetchData(); }; var popup = new gadgets.oauth.Popup(response.oauthApprovalUrl, null, onOpen, onClose); $('personalize').onclick = popup.createOpenerOnClick(); $('approvaldone').onclick = popup.createApprovedOnClick(); showOneSection('approval'); } else if (response.data) { $('main').appendChild(document.createTextNode(response.data)); showOneSection('main'); } else { var whoops = document.createTextNode( 'OAuth error: ' + response.oauthError + ': ' + response.oauthErrorText); $('main').appendChild(whoops); showOneSection('main'); } }, params); }
The AuthorizationType.OAUTH2 and RequestParameters.OAUTH_SCOPE are additions for OAuth 2.0 support and need to be proposed.
Running the Demo Gadgets
You will need Google and Facebook accounts and registered applications for these steps....
http://code.google.com/apis/accounts/docs/OAuth2.html
http://developers.facebook.com/docs/authentication/
The redirect_uris for your applications must match the oauth2callback servlet in your shindig environment.
For instance : http://localhost:8080/gadgets/oauth2callback
- Extract the Shindig trunk from https://svn.apache.org/repos/asf/shindig/
- Apply the patch from https://reviews.apache.org/r/1947/diff/raw
- Edit config/oauth2.json - replace the client_id and client_secret placeholders in the "googleApi_client1" and "facebook_client1" clients with the applications you created. Make sure to keep your OAuth 2.0 secrets secret.
- Build and deploy the shindig WAR.
- Run the common container and add the "OAuth2 Demo with Google Provider" or "OAuth2 Demo with Facebook Provider".
- Click the "Personalize this gadget" link to initiate the OAuth 2.0 Authorization Code (3-legged) flow which will redirect you to the service provider (Google or Fa.cebook) for authorization
- Enter your credentials for the service provider, don't worry they are safe and never leave Googe/Facebook.
- The service provider will return an authorization code and subsequently access_token to shindig and the gadget's makeRequest() call will pull your Contacts/Friends.
- When you are done you can disable your access_token on the service provider site.
Using Google and Facebook and having Google/Facebook accounts and applications is not necessary. The OAuth 2.0 Consumer should work against any v20 or v21 spec compliant service provider. It will require writing your gadget and registering it's client in config/oauth2.json
You can also use the Shindig OAuth 2.0 Provider (currently under review) that has been submitted to shindig. The Consumer contains two sample gadgets that demonstrate the integrated capabilities.
- Extract the Shindig trunk from https://svn.apache.org/repos/asf/shindig/
- Apply the patch from https://reviews.apache.org/r/1947/diff/raw
- Apply the patch from https://reviews.apache.org/r/1940/diff/raw
- Run the common container and add the "OAuth2 Demo with Shindig Provider (Authorization Code)" or "OAuth2 Demo with Shindig Provider (Client Credentials)
- Client Credentials does not cause a redirect