Changes for page org.clazzes.login.oauth
Last modified by wolfgang_glas@iteg_at on 2017-10-13 09.40:35
From version 6.1
edited by wolfgang_glas@iteg_at
on 2017-10-13 09.40:35
Change comment:
There is no comment for this version
To version 1.1
edited by wolfgang_glas@iteg_at
on 2017-05-02 10.53:16
Change comment:
There is no comment for this version
Summary
Page properties (1 modified, 0 added, 0 removed)
Objects (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... 
@@ -1,272 +1,11 @@ 1 1 The OAuth login module is a planned login facility providing access to third party OAuth-2.0 and OpenID/Connect Services. 2 2 3 - Theloginservice mightalsobeconfiguredtoacceptaccesstokensof issuedto thirdpartiesbyan authorizationprovider.3 +For OpenID/Connect authorization providers we may also act as a resource provider, which validates ID tokens presented by external clients. 4 4 5 -= {{id name="org.clazzes.login.oauth- Configuration"/}}Configuration =5 +== {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings == 6 6 7 -The org.clazzes.login.oauth HttpLoginService is configured by the standard OSGi configuration service using the properties mentioned below: 8 - 9 -(% class="relative-table" style="width: 100.0%;" %) 10 -|=(% style="width: 23.6864%;" %)((( 11 -Property 12 -)))|=(% style="width: 76.3136%;" %)((( 13 -Description 14 -))) 15 -|(% style="width: 23.6864%;" %)((( 16 -sessionCookie 17 -)))|(% style="width: 76.3136%;" %)((( 18 -The name of the cookie to set in user agents. 19 -))) 20 -|(% style="width: 23.6864%;" %)((( 21 -sessionTimeout 22 -)))|(% style="width: 76.3136%;" %)((( 23 -The timeout for cookie-based sessions in minutes. Sessions inactive for this time interval will be purged including all access/refresh/ID tokens requested from an OAuth/OpenID Provider. 24 -))) 25 -|(% style="width: 23.6864%;" %)((( 26 -secureCookie 27 -)))|(% style="width: 76.3136%;" %)((( 28 -The secure flag of the issued cookie. Set this value to true, if your are located behind an SSL-terminated ReverseProxy. 29 -))) 30 -|(% style="width: 23.6864%;" %)((( 31 -delegateDomain 32 -)))|(% style="width: 76.3136%;" %)((( 33 -The domain against which to check incoming bearer tokens. If not set, incoming bearer tokens will not be accepted by the OAuth HttpLoginService. 
34 -))) 35 -|(% style="width: 23.6864%;" %)((( 36 -domain.<domain>.label 37 -)))|(% style="width: 76.3136%;" %)((( 38 -The mandatory human-readable label for the configured domain with identifier <domain>. 39 -))) 40 -|(% style="width: 23.6864%;" %)((( 41 -domain.<domain>.authorizationLocation 42 -)))|(% style="width: 76.3136%;" %)((( 43 -The OAuth2 authorization endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation 44 -))) 45 -|(% style="width: 23.6864%;" %)((( 46 -domain.<domain>.tokenLocation 47 -)))|(% style="width: 76.3136%;" %)((( 48 -The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation 49 -))) 50 -|(% style="width: 23.6864%;" %)((( 51 -domain.<domain>.userLocation 52 -)))|(% style="width: 76.3136%;" %)((( 53 -The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where this value is fetched from the specified configurationLocation 54 -))) 55 -|(% style="width: 23.6864%;" %)((( 56 -domain.<domain>.configurationLocation 57 -)))|(% style="width: 76.3136%;" %)((( 58 -The well-known OpenID Connect configuration location. 59 -))) 60 -|(% style="width: 23.6864%;" %)((( 61 -domain.<domain>.faviconLocation 62 -)))|(% style="width: 76.3136%;" %)((( 63 -The optional favicon location for domains, which do not have a {{code language="none"}}/favicon.ico{{/code}} resource on the root of their authorization web host. 64 -))) 65 -|(% style="width: 23.6864%;" %)((( 66 -domain.<domain>.clientId 67 -)))|(% style="width: 76.3136%;" %)((( 68 -The client ID of our application as registered at the OAuth Provider. 
69 -))) 70 -|(% style="width: 23.6864%;" %)((( 71 -domain.<domain>.clientPassword 72 -)))|(% style="width: 76.3136%;" %)((( 73 -The password for the client ID of our application as registered at the OAuth Provider. 74 -))) 75 -|(% style="width: 23.6864%;" %)((( 76 -domain.<domain>.scope 77 -)))|(% style="width: 76.3136%;" %)((( 78 -The mandatory scope to pass to the authorization endpoint. 79 -))) 80 -|(% style="width: 23.6864%;" %)((( 81 -domain.<domain>.prompt 82 -)))|(% style="width: 76.3136%;" %)((( 83 -The optional prompt value to pass to the authorization endpoint. 84 -))) 85 -|(% style="width: 23.6864%;" %)((( 86 -domain.<domain>.responseType 87 -)))|(% style="width: 76.3136%;" %)((( 88 -The optional response type to pass to the authorization endpoint. 89 -))) 90 -|(% style="width: 23.6864%;" %)((( 91 -domain.<domain>.options 92 -)))|(% style="width: 76.3136%;" %)((( 93 -Comma-separated list of options from the set 94 - 95 -* {{code language="none"}}lenientAccessTokenCheck{{/code}} - Used to by pass at_hash checks in issued ID tokens, need e.g. for microsoft providers. 96 -* {{code language="none"}}propagateLocale{{/code}} - Used to propagate the locale of the login iframe to the OAuth provider as the {{code language="none"}}locale{{/code}} URL parameter. 97 -))) 98 - 99 -= {{id name="org.clazzes.login.oauth-Examples"/}}Examples = 100 - 101 -== {{id name="org.clazzes.login.oauth-github.com"/}}github.com == 102 - 103 -Github implements OAuth2 and is not a full-features OpenID Connect provider. 
104 - 105 -|=((( 106 -Property 107 -)))|=((( 108 -Value 109 -))) 110 -|((( 111 -domain.GITHUB.authorizationLocation 112 -)))|((( 113 -(% class="nolink" %)http:~/~/github.com/login/oauth/authorize 114 -))) 115 -|((( 116 -domain.GITHUB.userLocation 117 -)))|((( 118 -(% class="nolink" %)https:~/~/api.github.com/user 119 -))) 120 -|((( 121 -domain.GITHUB.label 122 -)))|((( 123 -github.com 124 -))) 125 -|((( 126 -domain.GITHUB.clientId 127 -)))|((( 128 -Cleint ID a registered under 'Authorized OAuth Apps' [[https:~~/~~/github.com/settings/applications>>url:https://github.com/settings/applications||shape="rect"]]\\ 129 -))) 130 -|((( 131 -domain.GITHUB.clientPassword 132 -)))|((( 133 -Password of the above mentioned client ID.\\ 134 -))) 135 -|((( 136 -domain.GITHUB.tokenLocation 137 -)))|((( 138 -(% class="nolink" %)https:~/~/github.com/login/oauth/access_token 139 -))) 140 -|((( 141 -domain.GITHUB.scope 142 -)))|((( 143 -user 144 -))) 145 - 146 -== {{id name="org.clazzes.login.oauth-google.com"/}}google.com == 147 - 148 -Google implements a clean OpenID Connect provider with no hazzles. 149 - 150 -|=((( 151 -Property 152 -)))|=((( 153 -Value 154 -))) 155 -|((( 156 -domain.GOOGLE.clientId 157 -)))|((( 158 -Client ID as registered under [[https:~~/~~/console.developers.google.com/apis/credentials>>url:https://console.developers.google.com/apis/credentials||shape="rect"]]\\ 159 -))) 160 -|((( 161 -domain.GOOGLE.clientPassword 162 -)))|((( 163 -Password of the above mentioned client ID. 
164 -))) 165 -|((( 166 -domain.GOOGLE.configurationLocation 167 -)))|((( 168 -(% class="nolink" %)https:~/~/accounts.google.com/.well-known/openid-configuration 169 -))) 170 -|((( 171 -domain.GOOGLE.label 172 -)))|((( 173 -google.com 174 -))) 175 -|((( 176 -domain.GOOGLE.scope 177 -)))|((( 178 -openid profile email 179 -))) 180 -|((( 181 -domain.GOOGLE.accessType 182 -)))|((( 183 -offline 184 -))) 185 -|((( 186 -domain.GOOGLE.prompt 187 -)))|((( 188 -consent 189 -))) 190 - 191 -== {{id name="org.clazzes.login.oauth-microsoftonline.com"/}}microsoftonline.com == 192 - 193 -Microsoft implements OpenID connect, but leaves out the {{code language="none"}}at_hash{{/code}} claim in ID tokens. 194 - 195 -|=((( 196 -Property 197 -)))|=((( 198 -Value 199 -))) 200 -|((( 201 -domain.MICROSOFT.clientId 202 -)))|((( 203 -(% class="nolink" %)https:~/~/apps.dev.microsoft.com/#/appList(%%)\\ 204 -))) 205 -|((( 206 -domain.MICROSOFT.clientPassword 207 -)))|((( 208 -Password of the above mentioned client ID. 
209 -))) 210 -|((( 211 -domain.MICROSOFT.configurationLocation 212 -)))|((( 213 -(% class="nolink" %)https:~/~/login.microsoftonline.com/common/v2.0/.well-known/openid-configuration 214 -))) 215 -|((( 216 -domain.MICROSOFT.label 217 -)))|((( 218 -microsoft.com 219 -))) 220 -|((( 221 -domain.MICROSOFT.scope 222 -)))|((( 223 -openid profile User.Read offline_access 224 -))) 225 -|((( 226 -domain.MICROSOFT.responseType 227 -)))|((( 228 -token id_token 229 -))) 230 -|((( 231 -domain.MICROSOFT.options 232 -)))|((( 233 -lenientAccessTokenCheck 234 -))) 235 -|((( 236 -domain.MICROSOFT.prompt 237 -)))|((( 238 -consent 239 -))) 240 -|((( 241 -domain.MICROSOFT.faviconLocation 242 -)))|((( 243 -(% class="nolink" %)https:~/~/www.microsoft.com/favicon.ico 244 -))) 245 - 246 -= {{id name="org.clazzes.login.oauth-FurtherReadings"/}}Further Readings = 247 - 248 248 OpenID 1.0 Specification: [[http:~~/~~/openid.net/specs/openid-connect-core-1_0.html>>url:http://openid.net/specs/openid-connect-core-1_0.html||shape="rect"]] 249 249 250 250 Microsoft's implementation notes: [[https:~~/~~/docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens>>url:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens||shape="rect"]] 251 251 252 -Microsoft Online OpenID configuration: [[https:~~/~~/login.microsoftonline.com/common/.well-known/openid-configuration>>url:https://login.microsoftonline.com/common/.well-known/openid-configuration||shape="rect"]] 253 - 254 -Google's OpenID Connect implementation notes: [[https:~~/~~/developers.google.com/identity/protocols/OpenIDConnect>>url:https://developers.google.com/identity/protocols/OpenIDConnect||shape="rect"]] 255 - 256 -Google Accounts OpenID configuration: [[https:~~/~~/accounts.google.com/.well-known/openid-configuration>>url:https://accounts.google.com/.well-known/openid-configuration||shape="rect"]] 257 - 258 258 github OAuth Guide: 
[[https:~~/~~/developer.github.com/v3/oauth>>url:https://developer.github.com/v3/oauth||shape="rect"]] 259 - 260 -IANA registry of JSON Web Token Claims: [[https:~~/~~/www.iana.org/assignments/jwt/jwt.xhtml>>url:https://www.iana.org/assignments/jwt/jwt.xhtml||shape="rect"]] 261 - 262 -= {{id name="org.clazzes.login.oauth-RFCs"/}}RFCs = 263 - 264 -RFC 7515, (% style="color: rgb(0,0,0);" %)JSON Web Signature (JWS), [[https:~~/~~/tools.ietf.org/html/rfc7515>>url:https://tools.ietf.org/html/rfc7515||shape="rect"]] 265 - 266 -RFC 7516, (% style="color: rgb(0,0,0);" %)JSON Web Encryption (JWE), [[https:~~/~~/tools.ietf.org/html/rfc7516>>url:https://tools.ietf.org/html/rfc7516||shape="rect"]] 267 - 268 -RFC 7517, (% style="color: rgb(0,0,0);" %)JSON Web Key (JWK), [[https:~~/~~/tools.ietf.org/html/rfc7517>>url:https://tools.ietf.org/html/rfc7517||shape="rect"]] 269 - 270 -RFC 7518, JSON Web Algorithms (JWA), [[https:~~/~~/tools.ietf.org/html/rfc7518>>url:https://tools.ietf.org/html/rfc7518||shape="rect"]] 271 - 272 -RFC 7519, JSON Web Token (JWT), [[https:~~/~~/tools.ietf.org/html/rfc7519>>url:https://tools.ietf.org/html/rfc7519||shape="rect"]]
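Review bot: in the github.com example table, domain.GITHUB.authorizationLocation is given as a plain http:~/~/github.com/login/oauth/authorize URL while tokenLocation and userLocation use https:; the authorization endpoint is the one the user agent is redirected to with client_id, redirect_uri and state, so it should be https: as well. Three further points in the removed configuration section: the description of the lenientAccessTokenCheck option ("Used to by pass at_hash checks") should say what is given up, namely that the at_hash claim is what binds the access token to the signed ID token, so with the check bypassed an access token received next to a valid ID token is no longer verified against it, and the option should be enabled only for domains whose provider omits the claim, as the MICROSOFT example does; the secureCookie row should read "if you are" instead of "if your are", and the advice should be to set it whenever the user agent reaches the service over HTTPS, not only behind a TLS-terminating reverse proxy; and the clientPassword row should note that the value is stored in the OSGi configuration and therefore needs the same access protection as any other credential. The replacement sentence in version 1.1 ("validates ID tokens presented by external clients") should state which audience is accepted, since an ID token's aud claim names the client it was issued to and the service would otherwise have to accept tokens issued for other clients; the 6.1 wording tied this to delegateDomain, which defaults to rejecting bearer tokens. Style: "Cleint ID" should be "Client ID", "full-features" should be "full-featured", "hazzles" should be "hassles", and the Further Readings heading changes from level = to == although no level-one heading remains above it in version 1.1.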
- Confluence.Code.ConfluencePageClass[0]
- Id
... ... @@ -1,1 +1,1 @@ 1 -688 6521 +688804 - URL
... ... @@ -1,1 +1,1 @@ 1 -https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688 652/org.clazzes.login.oauth1 +https://clazzes.atlassian.net/wiki/spaces/LOGIN/pages/688804/org.clazzes.login.oauth