Skip to Content

Changes for page org.clazzes.login.oauth

Last modified by wolfgang_glas@iteg_at on 2017-10-13 09.40:35
From version 3.1
edited by wolfgang_glas@iteg_at
on 2017-05-31 07.46:14
Change comment: There is no comment for this version
To version 6.1
edited by wolfgang_glas@iteg_at
on 2017-10-13 09.40:35
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,9 +1,250 @@
1 1  The OAuth login module is a planned login facility providing access to third party OAuth-2.0 and OpenID/Connect Services.
2 2  
3 -For OpenID/Connect authorization providers we may also act as a resource provider, which validates ID tokens presented by external clients.
3 +The login service might also be configured to accept access tokens of issued to third parties by an authorization provider.
4 4  
5 -== {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings ==
5 += {{id name="org.clazzes.login.oauth-Configuration"/}}Configuration =
6 6  
7 +The org.clazzes.login.oauth HttpLoginService is configured by the standard OSGi configuration service using the properties mentioned below:
8 +
9 +(% class="relative-table" style="width: 100.0%;" %)
10 +|=(% style="width: 23.6864%;" %)(((
11 +Property
12 +)))|=(% style="width: 76.3136%;" %)(((
13 +Description
14 +)))
15 +|(% style="width: 23.6864%;" %)(((
16 +sessionCookie
17 +)))|(% style="width: 76.3136%;" %)(((
18 +The name of the cookie to set in user agents.
19 +)))
20 +|(% style="width: 23.6864%;" %)(((
21 +sessionTimeout
22 +)))|(% style="width: 76.3136%;" %)(((
23 +The timeout for cookie-based sessions in minutes. Sessions inactive for this time interval will be purged including all access/refresh/ID tokens requested from an OAuth/OpenID Provider.
24 +)))
25 +|(% style="width: 23.6864%;" %)(((
26 +secureCookie
27 +)))|(% style="width: 76.3136%;" %)(((
28 +The secure flag of the issued cookie. Set this value to true, if your are located behind an SSL-terminated ReverseProxy.
29 +)))
30 +|(% style="width: 23.6864%;" %)(((
31 +delegateDomain
32 +)))|(% style="width: 76.3136%;" %)(((
33 +The domain against which to check incoming bearer tokens. If not set, incoming bearer tokens will not be accepted by the OAuth HttpLoginService.
34 +)))
35 +|(% style="width: 23.6864%;" %)(((
36 +domain.<domain>.label
37 +)))|(% style="width: 76.3136%;" %)(((
38 +The mandatory human-readable label for the configured domain with identifier <domain>.
39 +)))
40 +|(% style="width: 23.6864%;" %)(((
41 +domain.<domain>.authorizationLocation
42 +)))|(% style="width: 76.3136%;" %)(((
43 +The OAuth2 authorization endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation
44 +)))
45 +|(% style="width: 23.6864%;" %)(((
46 +domain.<domain>.tokenLocation
47 +)))|(% style="width: 76.3136%;" %)(((
48 +The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation
49 +)))
50 +|(% style="width: 23.6864%;" %)(((
51 +domain.<domain>.userLocation
52 +)))|(% style="width: 76.3136%;" %)(((
53 +The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation
54 +)))
55 +|(% style="width: 23.6864%;" %)(((
56 +domain.<domain>.configurationLocation
57 +)))|(% style="width: 76.3136%;" %)(((
58 +The well-known OpenID Connect configuration location.
59 +)))
60 +|(% style="width: 23.6864%;" %)(((
61 +domain.<domain>.faviconLocation
62 +)))|(% style="width: 76.3136%;" %)(((
63 +The optional favicon location for domains, which do not have a {{code language="none"}}/favicon.ico{{/code}} resource on the root of their authorization web host.
64 +)))
65 +|(% style="width: 23.6864%;" %)(((
66 +domain.<domain>.clientId
67 +)))|(% style="width: 76.3136%;" %)(((
68 +The client ID of our application as registered at the OAuth Provider.
69 +)))
70 +|(% style="width: 23.6864%;" %)(((
71 +domain.<domain>.clientPassword
72 +)))|(% style="width: 76.3136%;" %)(((
73 +The password for the client ID of our application as registered at the OAuth Provider.
74 +)))
75 +|(% style="width: 23.6864%;" %)(((
76 +domain.<domain>.scope
77 +)))|(% style="width: 76.3136%;" %)(((
78 +The mandatory scope to pass to the authorization endpoint.
79 +)))
80 +|(% style="width: 23.6864%;" %)(((
81 +domain.<domain>.prompt
82 +)))|(% style="width: 76.3136%;" %)(((
83 +The optional prompt value to pass to the authorization endpoint.
84 +)))
85 +|(% style="width: 23.6864%;" %)(((
86 +domain.<domain>.responseType
87 +)))|(% style="width: 76.3136%;" %)(((
88 +The optional response type to pass to the authorization endpoint.
89 +)))
90 +|(% style="width: 23.6864%;" %)(((
91 +domain.<domain>.options
92 +)))|(% style="width: 76.3136%;" %)(((
93 +Comma-separated list of options from the set
94 +
95 +* {{code language="none"}}lenientAccessTokenCheck{{/code}} - Used to by pass at_hash checks in issued ID tokens, need e.g. for microsoft providers.
96 +* {{code language="none"}}propagateLocale{{/code}} - Used to propagate the locale of the login iframe to the OAuth provider as the {{code language="none"}}locale{{/code}} URL parameter.
97 +)))
98 +
99 += {{id name="org.clazzes.login.oauth-Examples"/}}Examples =
100 +
101 +== {{id name="org.clazzes.login.oauth-github.com"/}}github.com ==
102 +
103 +Github implements OAuth2 and is not a full-features OpenID Connect provider.
104 +
105 +|=(((
106 +Property
107 +)))|=(((
108 +Value
109 +)))
110 +|(((
111 +domain.GITHUB.authorizationLocation
112 +)))|(((
113 +(% class="nolink" %)http:~/~/github.com/login/oauth/authorize
114 +)))
115 +|(((
116 +domain.GITHUB.userLocation
117 +)))|(((
118 +(% class="nolink" %)https:~/~/api.github.com/user
119 +)))
120 +|(((
121 +domain.GITHUB.label
122 +)))|(((
123 +github.com
124 +)))
125 +|(((
126 +domain.GITHUB.clientId
127 +)))|(((
128 +Cleint ID a registered under 'Authorized OAuth Apps' [[https:~~/~~/github.com/settings/applications>>url:https://github.com/settings/applications||shape="rect"]]\\
129 +)))
130 +|(((
131 +domain.GITHUB.clientPassword
132 +)))|(((
133 +Password of the above mentioned client ID.\\
134 +)))
135 +|(((
136 +domain.GITHUB.tokenLocation
137 +)))|(((
138 +(% class="nolink" %)https:~/~/github.com/login/oauth/access_token
139 +)))
140 +|(((
141 +domain.GITHUB.scope
142 +)))|(((
143 +user
144 +)))
145 +
146 +== {{id name="org.clazzes.login.oauth-google.com"/}}google.com ==
147 +
148 +Google implements a clean OpenID Connect provider with no hazzles.
149 +
150 +|=(((
151 +Property
152 +)))|=(((
153 +Value
154 +)))
155 +|(((
156 +domain.GOOGLE.clientId
157 +)))|(((
158 +Client ID as registered under [[https:~~/~~/console.developers.google.com/apis/credentials>>url:https://console.developers.google.com/apis/credentials||shape="rect"]]\\
159 +)))
160 +|(((
161 +domain.GOOGLE.clientPassword
162 +)))|(((
163 +Password of the above mentioned client ID.
164 +)))
165 +|(((
166 +domain.GOOGLE.configurationLocation
167 +)))|(((
168 +(% class="nolink" %)https:~/~/accounts.google.com/.well-known/openid-configuration
169 +)))
170 +|(((
171 +domain.GOOGLE.label
172 +)))|(((
173 +google.com
174 +)))
175 +|(((
176 +domain.GOOGLE.scope
177 +)))|(((
178 +openid profile email
179 +)))
180 +|(((
181 +domain.GOOGLE.accessType
182 +)))|(((
183 +offline
184 +)))
185 +|(((
186 +domain.GOOGLE.prompt
187 +)))|(((
188 +consent
189 +)))
190 +
191 +== {{id name="org.clazzes.login.oauth-microsoftonline.com"/}}microsoftonline.com ==
192 +
193 +Microsoft implements OpenID connect, but leaves out the {{code language="none"}}at_hash{{/code}} claim in ID tokens.
194 +
195 +|=(((
196 +Property
197 +)))|=(((
198 +Value
199 +)))
200 +|(((
201 +domain.MICROSOFT.clientId
202 +)))|(((
203 +(% class="nolink" %)https:~/~/apps.dev.microsoft.com/#/appList(%%)\\
204 +)))
205 +|(((
206 +domain.MICROSOFT.clientPassword
207 +)))|(((
208 +Password of the above mentioned client ID.
209 +)))
210 +|(((
211 +domain.MICROSOFT.configurationLocation
212 +)))|(((
213 +(% class="nolink" %)https:~/~/login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
214 +)))
215 +|(((
216 +domain.MICROSOFT.label
217 +)))|(((
218 +microsoft.com
219 +)))
220 +|(((
221 +domain.MICROSOFT.scope
222 +)))|(((
223 +openid profile User.Read offline_access
224 +)))
225 +|(((
226 +domain.MICROSOFT.responseType
227 +)))|(((
228 +token id_token
229 +)))
230 +|(((
231 +domain.MICROSOFT.options
232 +)))|(((
233 +lenientAccessTokenCheck
234 +)))
235 +|(((
236 +domain.MICROSOFT.prompt
237 +)))|(((
238 +consent
239 +)))
240 +|(((
241 +domain.MICROSOFT.faviconLocation
242 +)))|(((
243 +(% class="nolink" %)https:~/~/www.microsoft.com/favicon.ico
244 +)))
245 +
246 += {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings =
247 +
7 7  OpenID 1.0 Specification: [[http:~~/~~/openid.net/specs/openid-connect-core-1_0.html>>url:http://openid.net/specs/openid-connect-core-1_0.html||shape="rect"]]
8 8  
9 9  Microsoft's implementation notes: [[https:~~/~~/docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens>>url:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens||shape="rect"]]
... ... @@ -18,7 +18,7 @@
18 18  
19 19  IANA registry of JSON Web Token Claims: [[https:~~/~~/www.iana.org/assignments/jwt/jwt.xhtml>>url:https://www.iana.org/assignments/jwt/jwt.xhtml||shape="rect"]]
20 20  
21 -== {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs ==
262 += {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs =
22 22  
23 23  RFC 7515, (% style="color: rgb(0,0,0);" %)JSON Web Signature (JWS), [[https:~~/~~/tools.ietf.org/html/rfc7515>>url:https://tools.ietf.org/html/rfc7515||shape="rect"]]
24 24  
Confluence.Code.ConfluencePageClass[0]
Id
... ... @@ -1,1 +1,1 @@
1 -688788
1 +688652
URL
... ... @@ -1,1 +1,1 @@
1 -https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688788/org.clazzes.login.oauth
1 +https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688652/org.clazzes.login.oauth