Changes for page org.clazzes.login.oauth

Last modified by wolfgang_glas@iteg_at on 2017-10-13 09.40:35

From version 5.1
edited by wolfgang_glas@iteg_at
on 2017-10-13 09.35:18
Change comment: There is no comment for this version
To version 2.1
edited by wolfgang_glas@iteg_at
on 2017-05-31 07.44:24
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -1,250 +1,9 @@
1 1  The OAuth login module is a planned login facility providing access to third party OAuth-2.0 and OpenID/Connect Services.
2 2  
3 -The login service might also be configured to accept access tokens of issued to third parties by an authorization provider.
3 +For OpenID/Connect authorization providers we may also act as a resource provider, which validates ID tokens presented by external clients.
4 4  
5 -= {{id name="org.clazzes.login.oauth-Configuration"/}}Configuration =
5 +== {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings ==
6 6  
7 -The org.clazzes.login.oauth HttpLoginService is configured by the standard OSGi configuration service using the properties mentioned below:
8 -
9 -(% class="relative-table" style="width: 100.0%;" %)
10 -|=(% style="width: 23.6864%;" %)(((
11 -Property
12 -)))|=(% style="width: 76.3136%;" %)(((
13 -Description
14 -)))
15 -|(% style="width: 23.6864%;" %)(((
16 -sessionCookie
17 -)))|(% style="width: 76.3136%;" %)(((
18 -The name of the cookie to set in user agents.
19 -)))
20 -|(% style="width: 23.6864%;" %)(((
21 -sessionTimeout
22 -)))|(% style="width: 76.3136%;" %)(((
23 -The timeout for cookie-based sessions in minutes. Sessions inactive for this time interval will be purged including all access/refresh/ID tokens requested from an OAuth/OpenID Provider.
24 -)))
25 -|(% style="width: 23.6864%;" %)(((
26 -secureCookie
27 -)))|(% style="width: 76.3136%;" %)(((
28 -The secure flag of the issued cookie. Set this value to true, if your are located behind an SSL-terminated ReverseProxy.
29 -)))
30 -|(% style="width: 23.6864%;" %)(((
31 -delegateDomain
32 -)))|(% style="width: 76.3136%;" %)(((
33 -The domain against which to check incoming bearer tokens. If not set, incoming bearer tokens will not be accepted by the OAuth HttpLoginService.
34 -)))
35 -|(% style="width: 23.6864%;" %)(((
36 -domain.<domain>.label
37 -)))|(% style="width: 76.3136%;" %)(((
38 -The mandatory human-readable label for the configured domain with identifier <domain>.
39 -)))
40 -|(% style="width: 23.6864%;" %)(((
41 -domain.<domain>.authorizationLocation
42 -)))|(% style="width: 76.3136%;" %)(((
43 -The OAuth2 authorization endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation
44 -)))
45 -|(% style="width: 23.6864%;" %)(((
46 -domain.<domain>.tokenLocation
47 -)))|(% style="width: 76.3136%;" %)(((
48 -The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation
49 -)))
50 -|(% style="width: 23.6864%;" %)(((
51 -domain.<domain>.userLocation
52 -)))|(% style="width: 76.3136%;" %)(((
53 -The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation
54 -)))
55 -|(% style="width: 23.6864%;" %)(((
56 -domain.<domain>.configurationLocation
57 -)))|(% style="width: 76.3136%;" %)(((
58 -The well-known OpenID Connect configuration location.
59 -)))
60 -|(% style="width: 23.6864%;" %)(((
61 -domain.<domain>.faviconLocation
62 -)))|(% style="width: 76.3136%;" %)(((
63 -The optional favicon location for domain, which doe not have a /favicon.ico resource on the root of their authorization web host.
64 -)))
65 -|(% style="width: 23.6864%;" %)(((
66 -domain.<domain>.clientId
67 -)))|(% style="width: 76.3136%;" %)(((
68 -The client ID of our application as registered at the OAuth Provider.
69 -)))
70 -|(% style="width: 23.6864%;" %)(((
71 -domain.<domain>.clientPassword
72 -)))|(% style="width: 76.3136%;" %)(((
73 -The password for the client ID of our application as registered at the OAuth Provider.
74 -)))
75 -|(% style="width: 23.6864%;" %)(((
76 -domain.<domain>.scope
77 -)))|(% style="width: 76.3136%;" %)(((
78 -The mandatory scope to pass to the authorization endpoint.
79 -)))
80 -|(% style="width: 23.6864%;" %)(((
81 -domain.<domain>.prompt
82 -)))|(% style="width: 76.3136%;" %)(((
83 -The optional prompt value to pass to the authorization endpoint.
84 -)))
85 -|(% style="width: 23.6864%;" %)(((
86 -domain.<domain>.responseType
87 -)))|(% style="width: 76.3136%;" %)(((
88 -The optional response type to pass to the authorization endpoint.
89 -)))
90 -|(% style="width: 23.6864%;" %)(((
91 -domain.<domain>.options
92 -)))|(% style="width: 76.3136%;" %)(((
93 -Comma-separated list of options from the set
94 -
95 -* {{code language="none"}}lenientAccessTokenCheck{{/code}} - Used to by pass at_hash checks in issued ID tokens, need e.g. for microsoft providers.
96 -* {{code language="none"}}propagateLocale{{/code}} - Used to propagate the locale of the login iframe to the OAuth provider as the {{code language="none"}}locale{{/code}} URL parameter.
97 -)))
98 -
99 -= {{id name="org.clazzes.login.oauth-Examples"/}}Examples =
100 -
101 -== {{id name="org.clazzes.login.oauth-github.com"/}}github.com ==
102 -
103 -Github implements OAuth2 and is not a full-features OpenID Connect provider.
104 -
105 -|=(((
106 -Property
107 -)))|=(((
108 -Value
109 -)))
110 -|(((
111 -domain.GITHUB.authorizationLocation
112 -)))|(((
113 -(% class="nolink" %)http:~/~/github.com/login/oauth/authorize
114 -)))
115 -|(((
116 -domain.GITHUB.userLocation
117 -)))|(((
118 -(% class="nolink" %)https:~/~/api.github.com/user
119 -)))
120 -|(((
121 -domain.GITHUB.label
122 -)))|(((
123 -github.com
124 -)))
125 -|(((
126 -domain.GITHUB.clientId
127 -)))|(((
128 -Cleint ID a registered under 'Authorized OAuth Apps' [[https:~~/~~/github.com/settings/applications>>url:https://github.com/settings/applications||shape="rect"]]\\
129 -)))
130 -|(((
131 -domain.GITHUB.clientPassword
132 -)))|(((
133 -Password of the above mentioned client ID.\\
134 -)))
135 -|(((
136 -domain.GITHUB.tokenLocation
137 -)))|(((
138 -(% class="nolink" %)https:~/~/github.com/login/oauth/access_token
139 -)))
140 -|(((
141 -domain.GITHUB.scope
142 -)))|(((
143 -user
144 -)))
145 -
146 -== {{id name="org.clazzes.login.oauth-google.com"/}}google.com ==
147 -
148 -Google implements a clean OpenID Connect provider with no hazzles.
149 -
150 -|=(((
151 -Property
152 -)))|=(((
153 -Value
154 -)))
155 -|(((
156 -domain.GOOGLE.clientId
157 -)))|(((
158 -Client ID as registered under [[https:~~/~~/console.developers.google.com/apis/credentials>>url:https://console.developers.google.com/apis/credentials||shape="rect"]]\\
159 -)))
160 -|(((
161 -domain.GOOGLE.clientPassword
162 -)))|(((
163 -Password of the above mentioned client ID.
164 -)))
165 -|(((
166 -domain.GOOGLE.configurationLocation
167 -)))|(((
168 -(% class="nolink" %)https:~/~/accounts.google.com/.well-known/openid-configuration
169 -)))
170 -|(((
171 -domain.GOOGLE.label
172 -)))|(((
173 -google.com
174 -)))
175 -|(((
176 -domain.GOOGLE.scope
177 -)))|(((
178 -openid profile email
179 -)))
180 -|(((
181 -domain.GOOGLE.accessType
182 -)))|(((
183 -offline
184 -)))
185 -|(((
186 -domain.GOOGLE.prompt
187 -)))|(((
188 -consent
189 -)))
190 -
191 -== {{id name="org.clazzes.login.oauth-microsoftonline.com"/}}microsoftonline.com ==
192 -
193 -Microsoft implements OpenID connect, but leaves out the {{code language="none"}}at_hash{{/code}} claim in ID tokens.
194 -
195 -|=(((
196 -Property
197 -)))|=(((
198 -Value
199 -)))
200 -|(((
201 -domain.MICROSOFT.clientId
202 -)))|(((
203 -(% class="nolink" %)https:~/~/apps.dev.microsoft.com/#/appList(%%)\\
204 -)))
205 -|(((
206 -domain.MICROSOFT.clientPassword
207 -)))|(((
208 -Password of the above mentioned client ID.
209 -)))
210 -|(((
211 -domain.MICROSOFT.configurationLocation
212 -)))|(((
213 -(% class="nolink" %)https:~/~/login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
214 -)))
215 -|(((
216 -domain.MICROSOFT.label
217 -)))|(((
218 -microsoft.com
219 -)))
220 -|(((
221 -domain.MICROSOFT.scope
222 -)))|(((
223 -openid profile User.Read offline_access
224 -)))
225 -|(((
226 -domain.MICROSOFT.responseType
227 -)))|(((
228 -token id_token
229 -)))
230 -|(((
231 -domain.MICROSOFT.options
232 -)))|(((
233 -lenientAccessTokenCheck
234 -)))
235 -|(((
236 -domain.MICROSOFT.prompt
237 -)))|(((
238 -consent
239 -)))
240 -|(((
241 -domain.MICROSOFT.faviconLocation
242 -)))|(((
243 -(% class="nolink" %)https:~/~/www.microsoft.com/favicon.ico
244 -)))
245 -
246 -= {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings =
247 -
248 248  OpenID 1.0 Specification: [[http:~~/~~/openid.net/specs/openid-connect-core-1_0.html>>url:http://openid.net/specs/openid-connect-core-1_0.html||shape="rect"]]
249 249  
250 250  Microsoft's implementation notes: [[https:~~/~~/docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens>>url:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens||shape="rect"]]
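Review bot: In the github.com example, `domain.GITHUB.authorizationLocation` is given as `http://github.com/login/oauth/authorize` while `domain.GITHUB.tokenLocation` uses `https://`; the authorization endpoint should be `https://` as well, since the user agent is redirected there carrying the client ID, state and redirect URI, and the scheme should not depend on the provider upgrading the request. Note also that, per the page header, this diff runs from version 5.1 to version 2.1, so the `-` side is the newer revision and the Configuration and Examples sections shown as removed are the ones added later. In that content the description of `lenientAccessTokenCheck` ("Used to by pass at_hash checks") should spell out the consequence: without the at_hash check the ID token is no longer bound to the access token returned alongside it, so the option belongs only on domains whose provider omits the claim, as the microsoftonline.com example does. Minor wording on the same side: "of issued to third parties", "Cleint ID a registered", "your are located", "doe not have", "full-features", "hazzles".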
... ... @@ -259,7 +259,7 @@
259 259  
260 260  IANA registry of JSON Web Token Claims: [[https:~~/~~/www.iana.org/assignments/jwt/jwt.xhtml>>url:https://www.iana.org/assignments/jwt/jwt.xhtml||shape="rect"]]
261 261  
262 -= {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs =
21 +== {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs ==
263 263  
264 264  RFC 7515, (% style="color: rgb(0,0,0);" %)JSON Web Signature (JWS), [[https:~~/~~/tools.ietf.org/html/rfc7515>>url:https://tools.ietf.org/html/rfc7515||shape="rect"]]
265 265  
... ... @@ -267,6 +267,10 @@
267 267  
268 268  RFC 7517, (% style="color: rgb(0,0,0);" %)JSON Web Key (JWK), [[https:~~/~~/tools.ietf.org/html/rfc7517>>url:https://tools.ietf.org/html/rfc7517||shape="rect"]]
269 269  
29 +(% style="color: rgb(0,0,0);" %)
30 +
31 +
32 +
270 270  RFC 7518, JSON Web Algorithms (JWA), [[https:~~/~~/tools.ietf.org/html/rfc7518>>url:https://tools.ietf.org/html/rfc7518||shape="rect"]]
271 271  
272 272  RFC 7519, JSON Web Token (JWT), [[https:~~/~~/tools.ietf.org/html/rfc7519>>url:https://tools.ietf.org/html/rfc7519||shape="rect"]]
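Review bot: The added `(% style="color: rgb(0,0,0);" %)` between the RFC 7517 and RFC 7518 entries is an inline style macro with no content, followed by three empty lines; it is editor residue and should be dropped so the list keeps a single blank line between entries. The same hard-coded black colour on the RFC 7515 and RFC 7517 context lines overrides the skin's styling for no reason and would be cleaner removed as well.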
Confluence.Code.ConfluencePageClass[0]
Id
... ... @@ -1,1 +1,1 @@
1 -688792
1 +688806
URL
... ... @@ -1,1 +1,1 @@
1 -https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688792/org.clazzes.login.oauth
1 +https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688806/org.clazzes.login.oauth