Posted to dev@cxf.apache.org by Łukasz Moreń <lu...@gmail.com> on 2010/06/22 00:20:57 UTC

[GSOC] OAuth Resource Owner Authorization implementation

Hi,

I'm going to implement the second OAuth endpoint, called Resource Owner
Authorization.
I will briefly explain this endpoint to make my question clearer.

The client (third-party app) makes a request to the mentioned endpoint in order to
obtain approval for accessing the user's (resource owner's) resources.
Example request URI:
https://www.server-with-cool-pictures.com/authorize?oauth_token=hh5s93j4hdidpola

In response, the authorization server:
1. requests the user (resource owner) to sign in using his username and
password,
2. if successful, asks the user to approve granting the client (third-party app)
access to protected resources,
3. redirects the resource owner to the client's callback URL with a unique verification
code (or displays it in case a callback URL is not provided).

I am not sure what this endpoint implementation should look like. It
requires a UI to authenticate the user and confirm third-party app access, so
some generic solution is needed.
When the client makes a request to the Resource Owner Authorization URI with
oauth_token, I can validate that request and redirect to the UI login page.
I don't know how, after the user actions (login and client confirmation), to go back
to my service and redirect to the client's (third-party app) callback URL with the
generated validation code.

Any help on that?

Cheers,
Lukasz Moren

Re: [GSOC] OAuth Resource Owner Authorization implementation

Posted by Łukasz Moreń <lu...@gmail.com>.
Hi,

Just wanted to drop a short update on my GSoC progress.
I am following your hints and implementing the next OAuth endpoints according
to the spec.
I have also started a demo CXF OAuth server implementation (I deploy it
on GAE) that helps me with testing and
shows how to use the OAuth module.
I hope to commit the changes next week.

Cheers,
Lukasz

2010/6/22 Sergey Beryozkin <sb...@gmail.com>

> Hi
>
> On Mon, Jun 21, 2010 at 11:20 PM, Łukasz Moreń <lukasz.moren@gmail.com> wrote:
>
> > Hi,
> >
> > I'm going to implement the second OAuth endpoint, called Resource Owner
> > Authorization.
> > I will briefly explain this endpoint to make my question clearer.
> >
> > The client (third-party app) makes a request to the mentioned endpoint in order to
> > obtain approval for accessing the user's (resource owner's) resources.
> > Example request URI:
> > https://www.server-with-cool-pictures.com/authorize?oauth_token=hh5s93j4hdidpola
> >
> > In response, the authorization server:
> > 1. requests the user (resource owner) to sign in using his username and
> > password,
> > 2. if successful, asks the user to approve granting the client (third-party app)
> > access to protected resources,
> > 3. redirects the resource owner to the client's callback URL with a unique
> > verification code (or displays it in case a callback URL is not provided).
> >
> > I am not sure what this endpoint implementation should look like. It
> > requires a UI to authenticate the user and confirm third-party app access, so
> > some generic solution is needed.
> > When the client makes a request to the Resource Owner Authorization URI with
> > oauth_token, I can validate that request and redirect to the UI login page.
> > I don't know how, after the user actions (login and client confirmation), to go
> > back to my service and redirect to the client's (third-party app) callback URL
> > with the generated validation code.
> >
> >
> The client starts by redirecting the end user to the Resource Owner
> Authorization (ROA) URI. So the endpoint dealing with the ROA URI has
> an end user's agent (browser, the client code) awaiting. Now, as you said,
> the end user will need to be presented with a consumer/request token
> authorization form.
>
> This form will need to have a URI pointing back to the server, to yet
> another endpoint, the ROA Confirmation URI, so that when the end user
> presses OK in his browser the server can get the confirmation. Once the
> server gets the confirmation it will just need to redirect the end user
> back to the consumer, using the callback URI the consumer provided earlier
> on. I've been using 303 in my own work, but I was looking at OAuth 2.0
> recently and they use 302. You can set this status on the JAX-RS Response,
> and the Location header to the callback URI.
>
> Hope it helps, Sergey
>
>
>
>
> > Any help on that?
> >
> > Cheers,
> > Lukasz Moren
> >
>

Re: [GSOC] OAuth Resource Owner Authorization implementation

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

On Mon, Jun 21, 2010 at 11:20 PM, Łukasz Moreń <lu...@gmail.com> wrote:

> Hi,
>
> I'm going to implement the second OAuth endpoint, called Resource Owner
> Authorization.
> I will briefly explain this endpoint to make my question clearer.
>
> The client (third-party app) makes a request to the mentioned endpoint in order to
> obtain approval for accessing the user's (resource owner's) resources.
> Example request URI:
>
> https://www.server-with-cool-pictures.com/authorize?oauth_token=hh5s93j4hdidpola
>
> In response, the authorization server:
> 1. requests the user (resource owner) to sign in using his username and
> password,
> 2. if successful, asks the user to approve granting the client (third-party app)
> access to protected resources,
> 3. redirects the resource owner to the client's callback URL with a unique
> verification code (or displays it in case a callback URL is not provided).
>
> I am not sure what this endpoint implementation should look like. It
> requires a UI to authenticate the user and confirm third-party app access, so
> some generic solution is needed.
> When the client makes a request to the Resource Owner Authorization URI with
> oauth_token, I can validate that request and redirect to the UI login page.
> I don't know how, after the user actions (login and client confirmation), to go
> back to my service and redirect to the client's (third-party app) callback URL
> with the generated validation code.
>
>
The client starts by redirecting the end user to the Resource Owner
Authorization (ROA) URI. So the endpoint dealing with the ROA URI has
an end user's agent (browser, the client code) awaiting. Now, as you said, the
end user will need to be presented with a consumer/request token
authorization form.

This form will need to have a URI pointing back to the server, to yet
another endpoint, the ROA Confirmation URI, so that when the end user presses
OK in his browser the server can get the confirmation. Once the server gets
the confirmation it will just need to redirect the end user back to the
consumer, using the callback URI the consumer provided earlier on. I've been
using 303 in my own work, but I was looking at OAuth 2.0 recently and
they use 302. You can set this status on the JAX-RS Response, and the Location
header to the callback URI.

Hope it helps, Sergey




> Any help on that?
>
> Cheers,
> Lukasz Moren
>
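The flow discussed in this thread (validate the oauth_token on the ROA URI, show the consent form, take the confirmation on a second endpoint, then redirect the browser to the consumer's callback with the verifier via the JAX-RS Response status and Location header), put into one JAX-RS resource as an added example. This is not code from the thread, from Łukasz's GSoC module or from CXF's OAuth support; AuthorizationResource, RequestToken, TOKENS, the /authorize/confirm path, the form_nonce field and the sample token entry are all assumptions made for the example, and the resource-owner login is assumed to be enforced by a filter in front of this resource, so it is not shown.

```java
import java.math.BigInteger;
import java.net.URI;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

/** Resource Owner Authorization (ROA) URI plus the ROA Confirmation URI as one JAX-RS
 *  resource. Hypothetical names throughout (example code, not CXF's OAuth module);
 *  the resource owner is assumed to be authenticated by a filter in front of this class. */
@Path("/authorize")
public class AuthorizationResource {

    static final class RequestToken {           // temporary credentials from the request-token step
        final String consumerName;
        final String callback;                  // given by the consumer earlier on, or "oob"
        String formNonce;                       // ties the consent form to one authorization attempt
        String verifier;
        boolean authorized;
        RequestToken(String c, String cb) { consumerName = c; callback = cb; }
    }

    // Stand-in for the server's request-token store, seeded with constructed sample data.
    static final Map<String, RequestToken> TOKENS = new ConcurrentHashMap<String, RequestToken>();
    static {
        TOKENS.put("hh5s93j4hdidpola",
                   new RequestToken("printer.example.com", "http://printer.example.com/ready"));
    }
    private static final SecureRandom RNG = new SecureRandom();

    /** Steps 1-2: validate oauth_token and show the consent form to the signed-in user. */
    @GET @Produces("text/html")
    public String consentForm(@QueryParam("oauth_token") String token) {
        RequestToken rt = lookup(token);
        // The token arrived via the consumer's redirect, so it proves nothing about the user's
        // intent: bind the form to a fresh single-use nonce that the confirmation must echo back.
        rt.formNonce = randomHex(16);
        return "<form method='post' action='/authorize/confirm'>"
             + "<p>Allow " + escape(rt.consumerName) + " to access your pictures?</p>"
             + "<input type='hidden' name='oauth_token' value='" + escape(token) + "'/>"
             + "<input type='hidden' name='form_nonce' value='" + rt.formNonce + "'/>"
             + "<button name='decision' value='allow'>Allow</button>"
             + "<button name='decision' value='deny'>Deny</button></form>";
    }

    /** Step 3: record the decision, mint oauth_verifier and send the browser back to the consumer. */
    @POST @Path("/confirm")
    public Response confirm(@FormParam("oauth_token") String token,
            @FormParam("form_nonce") String nonce, @FormParam("decision") String decision) {
        RequestToken rt = lookup(token);
        if (rt.formNonce == null || !rt.formNonce.equals(nonce)) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        rt.formNonce = null;                                       // single use
        if (!"allow".equals(decision)) {
            TOKENS.remove(token);                                  // a denied request token is dead
            return Response.status(Response.Status.FORBIDDEN).entity("Access denied").build();
        }
        rt.verifier = randomHex(12);
        rt.authorized = true;
        if ("oob".equals(rt.callback)) {                           // no callback: display the code
            return Response.ok("Verification code: " + rt.verifier, "text/plain").build();
        }
        // Redirect only to the callback stored with the token; a callback taken from the
        // form would turn this endpoint into an open redirector that leaks the verifier.
        URI target = UriBuilder.fromUri(rt.callback)
                .queryParam("oauth_token", token)
                .queryParam("oauth_verifier", rt.verifier).build();
        // 303 makes the browser follow our POST with a GET on the consumer; for the 302 that
        // OAuth 2.0 uses, build Response.status(302).location(target) instead.
        return Response.seeOther(target).build();
    }

    private static RequestToken lookup(String token) {
        RequestToken rt = token == null ? null : TOKENS.get(token);
        if (rt == null || rt.authorized) {                         // unknown, or already used once
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        return rt;
    }

    private static String randomHex(int bytes) {
        byte[] b = new byte[bytes];
        RNG.nextBytes(b);
        return String.format("%0" + (bytes * 2) + "x", new BigInteger(1, b));
    }

    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

Two points a practitioner would check in any implementation of this shape: the confirmation endpoint must be driven by something only the consent page could have produced (the form_nonce here), since the oauth_token alone is known to the consumer and could otherwise be used to forge an approval; and the callback used for the final redirect must be the one associated with the request token at issue time, never a value supplied on the confirmation request. Whether the redirect is a 303 or a 302 is then just a matter of which ResponseBuilder you start from.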