Changes for page org.clazzes.login.oauth
Last modified by wolfgang_glas@iteg_at on 2017-10-13 09.40:35
From version 4.1
edited by wolfgang_glas@iteg_at
on 2017-10-13 09.25:09
Change comment:
There is no comment for this version
To version 1.1
edited by wolfgang_glas@iteg_at
on 2017-05-02 10.53:16
Change comment:
There is no comment for this version
Summary
-
Page properties (1 modified, 0 added, 0 removed)
-
Objects (1 modified, 0 added, 0 removed)
Details
- Page properties
-
- Content
-
... ... 
@@ -1,216 +1,11 @@ 1 1 The OAuth login module is a planned login facility providing access to third party OAuth-2.0 and OpenID/Connect Services. 2 2 3 - Theloginservice mightalsobeconfiguredtoacceptaccesstokensof issuedto thirdpartiesbyan authorizationprovider.3 +For OpenID/Connect authorization providers we may also act as a resource provider, which validates ID tokens presented by external clients. 4 4 5 -= {{id name="org.clazzes.login.oauth- Configuration"/}}Configuration =5 +== {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings == 6 6 7 -The org.clazzes.login.oauth HttpLoginService is configured by the standard OSGi configuration service using the properties mentioned below: 8 - 9 -(% class="relative-table" style="width: 100.0%;" %) 10 -|=(% style="width: 23.6864%;" %)((( 11 -Property 12 -)))|=(% style="width: 76.3136%;" %)((( 13 -Description 14 -))) 15 -|(% style="width: 23.6864%;" %)((( 16 -sessionCookie 17 -)))|(% style="width: 76.3136%;" %)((( 18 -The name of the cookie to set in user agents. 19 -))) 20 -|(% style="width: 23.6864%;" %)((( 21 -sessionTimeout 22 -)))|(% style="width: 76.3136%;" %)((( 23 -The timeout for cookie-based sessions in minutes. Sessions inactive for this time interval will be purged including all access/refresh/ID tokens requested from an OAuth/OpenID Provider. 24 -))) 25 -|(% style="width: 23.6864%;" %)((( 26 -secureCookie 27 -)))|(% style="width: 76.3136%;" %)((( 28 -The secure flag of the issued cookie. Set this value to true, if your are located behind an SSL-terminated ReverseProxy. 29 -))) 30 -|(% style="width: 23.6864%;" %)((( 31 -domain.<domain>.label 32 -)))|(% style="width: 76.3136%;" %)((( 33 -The mandatory human-readable label for the configured domain with identifier <domain>. 34 -))) 35 -|(% style="width: 23.6864%;" %)((( 36 -domain.<domain>.authorizationLocation 37 -)))|(% style="width: 76.3136%;" %)((( 38 -The OAuth2 authorization endpoint URL. 
This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation 39 -))) 40 -|(% style="width: 23.6864%;" %)((( 41 -domain.<domain>.tokenLocation 42 -)))|(% style="width: 76.3136%;" %)((( 43 -The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation 44 -))) 45 -|(% style="width: 23.6864%;" %)((( 46 -domain.<domain>.userLocation 47 -)))|(% style="width: 76.3136%;" %)((( 48 -The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation 49 -))) 50 -|(% style="width: 23.6864%;" %)((( 51 -domain.<domain>.configurationLocation 52 -)))|(% style="width: 76.3136%;" %)((( 53 -The well-known OpenID Connect configuration location. 54 -))) 55 -|(% style="width: 23.6864%;" %)((( 56 -domain.<domain>.faviconLocation 57 -)))|(% style="width: 76.3136%;" %)((( 58 -The optional favicon location for domain, which doe not have a /favicon.ico resource on the root of their authorization web host. 59 -))) 60 -|(% style="width: 23.6864%;" %)((( 61 -domain.<domain>.clientId 62 -)))|(% style="width: 76.3136%;" %)((( 63 -The client ID of our application as registered at the OAuth Provider. 64 -))) 65 -|(% style="width: 23.6864%;" %)((( 66 -domain.<domain>.clientPassword 67 -)))|(% style="width: 76.3136%;" %)((( 68 -The password for the client ID of our application as registered at the OAuth Provider. 69 -))) 70 -|(% style="width: 23.6864%;" %)((( 71 -domain.<domain>.scope 72 -)))|(% style="width: 76.3136%;" %)((( 73 -The mandatory scope to pass to the authorization endpoint. 74 -))) 75 -|(% style="width: 23.6864%;" %)((( 76 -domain.<domain>.prompt 77 -)))|(% style="width: 76.3136%;" %)((( 78 -The optional prompt value to pass to the authorization endpoint. 
79 -))) 80 -|(% style="width: 23.6864%;" %)((( 81 -domain.<domain>.responseType 82 -)))|(% style="width: 76.3136%;" %)((( 83 -The optional response type to pass to the authorization endpoint. 84 -))) 85 -|(% style="width: 23.6864%;" %)((( 86 -domain.<domain>.options 87 -)))|(% style="width: 76.3136%;" %)((( 88 -Comma-separated list of options from the set 89 - 90 -* {{code language="none"}}lenientAccessTokenCheck{{/code}} - Used to by pass at_hash checks in issued ID tokens, need e.g. for microsoft providers. 91 -* {{code language="none"}}propagateLocale{{/code}} - Used to propagate the locale of the login iframe to the OAuth provider as the {{code language="none"}}locale{{/code}} URL parameter. 92 -))) 93 - 94 -= {{id name="org.clazzes.login.oauth-Examples"/}}Examples = 95 - 96 -== {{id name="org.clazzes.login.oauth-github.com"/}}github.com == 97 - 98 -Github implements OAuth2 and is not a full-features OpenID Connect provider. 99 - 100 -|=((( 101 -Property 102 -)))|=((( 103 -Value 104 -))) 105 -|((( 106 -domain.GITHUB.authorizationLocation 107 -)))|((( 108 -(% class="nolink" %)http:~/~/github.com/login/oauth/authorize 109 -))) 110 -|((( 111 -domain.GITHUB.userLocation 112 -)))|((( 113 -(% class="nolink" %)https:~/~/api.github.com/user 114 -))) 115 -|((( 116 -domain.GITHUB.label 117 -)))|((( 118 -github.com 119 -))) 120 -|((( 121 -domain.GITHUB.clientId 122 -)))|((( 123 -Cleint ID a registered under 'Authorized OAuth Apps' [[https:~~/~~/github.com/settings/applications>>url:https://github.com/settings/applications||shape="rect"]]\\ 124 -))) 125 -|((( 126 -domain.GITHUB.clientPassword 127 -)))|((( 128 -Password of the above mentioned client ID.\\ 129 -))) 130 -|((( 131 -domain.GITHUB.tokenLocation 132 -)))|((( 133 -(% class="nolink" %)https:~/~/github.com/login/oauth/access_token 134 -))) 135 -|((( 136 -domain.GITHUB.scope 137 -)))|((( 138 -user 139 -))) 140 - 141 -\\ 142 - 143 -== {{id name="org.clazzes.login.oauth-google.com"/}}google.com == 144 - 145 -Google 
implements a clean OpenID Connect provider with no hazzles. 146 - 147 -|=((( 148 -Property 149 -)))|=((( 150 -Value 151 -))) 152 -|((( 153 -domain.GOOGLE.clientId 154 -)))|((( 155 -Client ID as registered under [[https:~~/~~/console.developers.google.com/apis/credentials>>url:https://console.developers.google.com/apis/credentials||shape="rect"]]\\ 156 -))) 157 -|((( 158 -domain.GOOGLE.clientPassword 159 -)))|((( 160 -\\ 161 -))) 162 -|((( 163 -domain.GOOGLE.configurationLocation 164 -)))|((( 165 -(% class="nolink" %)https:~/~/accounts.google.com/.well-known/openid-configuration 166 -))) 167 -|((( 168 -domain.GOOGLE.label 169 -)))|((( 170 -google.com 171 -))) 172 -|((( 173 -domain.GOOGLE.scope 174 -)))|((( 175 -openid profile email 176 -))) 177 -|((( 178 -domain.GOOGLE.accessType 179 -)))|((( 180 -offline 181 -))) 182 -|((( 183 -domain.GOOGLE.prompt 184 -)))|((( 185 -consent 186 -))) 187 - 188 -\\ 189 - 190 -= {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings = 191 - 192 192 OpenID 1.0 Specification: [[http:~~/~~/openid.net/specs/openid-connect-core-1_0.html>>url:http://openid.net/specs/openid-connect-core-1_0.html||shape="rect"]] 193 193 194 194 Microsoft's implementation notes: [[https:~~/~~/docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens>>url:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens||shape="rect"]] 195 195 196 -Microsoft Online OpenID configuration: [[https:~~/~~/login.microsoftonline.com/common/.well-known/openid-configuration>>url:https://login.microsoftonline.com/common/.well-known/openid-configuration||shape="rect"]] 197 - 198 -Google's OpenID Connect implementation notes: [[https:~~/~~/developers.google.com/identity/protocols/OpenIDConnect>>url:https://developers.google.com/identity/protocols/OpenIDConnect||shape="rect"]] 199 - 200 -Google Accounts OpenID configuration: 
[[https:~~/~~/accounts.google.com/.well-known/openid-configuration>>url:https://accounts.google.com/.well-known/openid-configuration||shape="rect"]] 201 - 202 202 github OAuth Guide: [[https:~~/~~/developer.github.com/v3/oauth>>url:https://developer.github.com/v3/oauth||shape="rect"]] 203 - 204 -IANA registry of JSON Web Token Claims: [[https:~~/~~/www.iana.org/assignments/jwt/jwt.xhtml>>url:https://www.iana.org/assignments/jwt/jwt.xhtml||shape="rect"]] 205 - 206 -= {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs = 207 - 208 -RFC 7515, (% style="color: rgb(0,0,0);" %)JSON Web Signature (JWS), [[https:~~/~~/tools.ietf.org/html/rfc7515>>url:https://tools.ietf.org/html/rfc7515||shape="rect"]] 209 - 210 -RFC 7516, (% style="color: rgb(0,0,0);" %)JSON Web Encryption (JWE), [[https:~~/~~/tools.ietf.org/html/rfc7516>>url:https://tools.ietf.org/html/rfc7516||shape="rect"]] 211 - 212 -RFC 7517, (% style="color: rgb(0,0,0);" %)JSON Web Key (JWK), [[https:~~/~~/tools.ietf.org/html/rfc7517>>url:https://tools.ietf.org/html/rfc7517||shape="rect"]] 213 - 214 -RFC 7518, JSON Web Algorithms (JWA), [[https:~~/~~/tools.ietf.org/html/rfc7518>>url:https://tools.ietf.org/html/rfc7518||shape="rect"]] 215 - 216 -RFC 7519, JSON Web Token (JWT), [[https:~~/~~/tools.ietf.org/html/rfc7519>>url:https://tools.ietf.org/html/rfc7519||shape="rect"]]
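Review bot: In the github.com example on the `-` side (version 4.1), `domain.GITHUB.authorizationLocation` is given as `http://github.com/login/oauth/authorize`, while `domain.GITHUB.tokenLocation` and `domain.GITHUB.userLocation` in the same table use `https://`. The authorization endpoint should be `https://` as well, because the authorization request carries the client ID, scope and state parameters and a reader copying the table would start the flow over plain HTTP. Two documentation points in the same hunk: the google.com example sets `domain.GOOGLE.accessType`, but the Configuration table has no `domain.<domain>.accessType` row, so either add the row or drop the value from the example. The `lenientAccessTokenCheck` option is described only as bypassing `at_hash` checks; the description should state that with this option the access token is no longer checked against the ID token, and that it should be set only on the domains whose provider requires it.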
- Confluence.Code.ConfluencePageClass[0]
-
- Id
-
... ... @@ -1,1 +1,1 @@ 1 -688 7891 +688804 - URL
-
... ... @@ -1,1 +1,1 @@ 1 -https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688 789/org.clazzes.login.oauth1 +https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688804/org.clazzes.login.oauth