Posted to user@shiro.apache.org by timniblett <ti...@cilogi.com> on 2012/10/09 00:49:31 UTC

OAuth demo

I've extended the user management demo at http://gaeshiro.appspot.com to
include OAuth authorization with Google and Facebook. Adding other OAuth
sites would be simple. The site contains a pointer to the Github code.

For consumer-facing sites it's attractive to provide "social" logins as users
don't have to think of, and register, yet another password. I haven't been
able to get it to work (for Google at least) in the same way as Shiro. In
particular, if your browser is logged in you don't have to enter a password,
and it's hard to re-authenticate (no password is required). I'm not sure if
I'm missing something or if OAuth is not really meant for authentication.

I tried the Buji Oauth library <https://github.com/bujiio/buji-oauth> but,
and I'm open to correction, what I want to do would have taken more code
than my thin layer on top of the scribe library
<https://github.com/fernandezpablo85/scribe-java>, which I also had to work
around.

If anyone has a better idea of how to use OAuth for authentication I'd be
grateful for some pointers.

Tim



--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Jérôme

I think it's worth publishing to the forum if we actually came up with some
useful information. Otherwise not. This is not a discussion I'd find useful
until some conclusion is reached.

I'm attaching (a) my pom.xml and (b) the output from Maven. I moved my
~/.m2 file (I'm on Windows) and then ran the mvn jetty:run task. Once you
use Maven, if everything doesn't work just right there is trouble.

As you can see it didn't work. It's complaining of a checksum failure. As
I said I did take time to get it to work, but I haven't looked into the
details.

I didn't see a Google2Provider at the time -- it would be _much_ easier if
all the code was in one place and not in 3 separate libraries from my point
of view! The demo didn't have one, so I assumed it didn't exist. This is
pretty important to me from a practical point. I'm just about prepared to
take a single library and make fixes as needed (but I have to have the
source in my debugger of course) but three is too much work.

When I looked at your scribe-up-shiro-demo from the .ini it looked as if
the OAuthRealm takes a provider, so I'd need a lot of realms to deal with a
lot of providers. Perhaps that's OK, but I decided to take my own route at
that point. I did load buji-oauth from Github but it wasn't obvious how to
adapt it, _and_ I was having trouble with Maven.

---

You ask what I want. The demo does this at the moment. The client posts a
login request to a login servlet
(com.cilogi.shiro.web.oauth.OAuthLoginServlet). This works out the token
type (from a parameter) and sends to the code-providing URL for that
provider. On redirect we pick up the provider type and send the code off
to get a token. I have abstracted (for Google and Facebook) the JSON ->
Info as OAuthInfo.

With the token verified I get the email from the OAuthInfo, create a new
user if needed, and then login.

You say that the user registration bit is specific to me, but almost
everyone will need to register the user one way or another.

Anyway, it's just not clear to me how to get from your demo to what I want
-- an explicit login, followed by registration (of email) and
authentication.

Here's a for-instance.  The user tries to access a URL.  The spec in my
shiro.ini example is

/settings.ftl = authc

This must be accessible to anyone who is authenticated. Not just Facebook
users. The demo sends you to a login page which posts to the servlet I
mentioned, which authenticates and then redirects to the requested URL.

It wasn't clear (to me) from your demo how to do this as you were sending
each provider to a separate page.

You have my code. There is a package com.cilogi.shiro.oauth, and
com.cilogi.oauth.provider. If I can use Buji to remove the need for this
code (perhaps with an override of your OAuth realm for my database stuff)
that would be great.

I'll quite understand if you don't want to get involved further, but the
ball's in your court. If you can explain, either in text or code, how to do
this that would be great.

Tim


On 11 October 2012 09:56, jleleu [via Shiro User] <
ml-node+s582556n7577858h66@n2.nabble.com> wrote:

> Hi Tim,
>
> I prefer to keep public answers which can help others.
>
> About your Maven issues, it's really strange: the Sonatype snapshots
> repository is defined in the parent pom (oss-parent) and the dependencies
> you added are already defined in scribe-up project.
>
> For Google, you're right, you have to define the end-point, but you can do
> that in buji-oauth by using the Google2Provider and setting its scope to :
> EMAIL (PROFILE and EMAIL_AND_PROFILE are also possible).
>
> I'm in line with having a common profile to ease work with multiple
> providers. To check and add users into database, it's somehow really
> specific to your environment. But you can customize the Realm as usual
> for Shiro projects. In this case, it's the OAuthRealm on which you can
> override the doGetAuthenticationInfo or doGetAuthorizationInfo methods
> according to your needs.
>
> About nonce, I integrated a pull request to add the use of the state
> parameter in Facebook case.
>
> About showing you how to duplicate current functionality with less code,
> it's exactly the objective of the demo :
> https://github.com/leleuj/scribe-up-shiro-demo. Showing to everybody how
> to use buji-oauth.
> Less code is easy as you re-develop most of what is already in buji-oauth,
> but more configuration is also required.
> I'll send you a private email for this.
>
> In buji-oauth, you already have the following providers : Facebook, Google
> (OAuth 1.0 & 2.0), Twitter, DropBox, LinkedIn, Yahoo, Windows Live,
> WordPress and GitHub with very complete profiles (just not only the email).
> It's too bad not to leverage your work on this.
>
> Best regards,
> Jérôme
>


out.txt (80K) <http://shiro-user.582556.n2.nabble.com/attachment/7577859/0/out.txt>
pom.xml (4K) <http://shiro-user.582556.n2.nabble.com/attachment/7577859/1/pom.xml>





Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi Tim,

The 1.1.0 version of buji-oauth has just been released.
I don't want to bother you with that, but did you take a look at it? I'd
like to get your feedback on this new version.
Best regards,
Jérôme





Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi Tim,

I didn't get any news from you lately.

As buji-oauth 1.0.0 has been released, I started working on buji-oauth 1.1.0
to add some of the improvements you suggested.

1. You found that the documentation could be improved: I refreshed it and
gathered all useful information on the home page:
https://github.com/bujiio/buji-oauth

2. You said it would be easier to have a common profile : all profiles now
share a CommonProfile interface :
http://javadoc.leleuj.cloudbees.net/scribe-up/1.3.0-SNAPSHOT/index.html

3. You found the configuration with buji-oauth too verbose : you can now
gather all providers in one ProvidersDefinition and just have one realm and
filter for all. Take a look at the demo :
https://github.com/leleuj/buji-oauth-demo to see how the configuration is
limited now.

I hope you will appreciate all these improvements.

Do you mind giving it a new try?

Thanks.
Best regards,
Jérôme





Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Jérôme

Thanks.  I'm doing something else at the moment, but I will get back to
this.  I'll try Maven 3 to see if the checksum thing goes away for
scribe-up, although it might be better for whoever is responsible for it to
reload & recheck as I strongly suspect that's the problem.

Tim

On 12 October 2012 11:30, jleleu [via Shiro User] <
ml-node+s582556n7577864h52@n2.nabble.com> wrote:

> Hi Tim,
>
> For the source, buji-oauth will be released very soon and sources &
> javadocs will be generated at this moment. For now, you can use source
> available in github of course.
>
> The urls generated by the getAuthorizationUrl method of the provider are
> the urls to request authorization of an application to an OAuth provider.
> On these urls, the login page will be displayed to authenticate the user
> and then the permissions page.
>
> Best regards,
> Jérôme
>





Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi Tim,

For the source, buji-oauth will be released very soon and sources & javadocs
will be generated at this moment. For now, you can use source available in
github of course.

The urls generated by the getAuthorizationUrl method of the provider are the
urls to request authorization of an application to an OAuth provider. On
these urls, the login page will be displayed to authenticate the user and
then the permissions page.

Best regards,
Jérôme





Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Jérôme

Thanks. Yes, the signature is odd. I'll see if Maven 3 does something,
but it seems very unlikely as signatures are normally fine. I have the
libraries now, but it's definitely an issue. Source is also needed,
otherwise it's very hard to see what is going on.

I think I see what you're saying, although I'm not quite clear about step
5. What happens when I go to these URLs?

Tim

On 11 October 2012 20:13, jleleu [via Shiro User] <
ml-node+s582556n7577862h90@n2.nabble.com> wrote:

> Hi,
>
> OK. I see the checksum error. This is the cause of all your problems. It's
> very strange. Hard to say what's going wrong here. Did you try with Maven 3
> (after cleaning your repo from buji-oauth)?
>
> You're right, the Google2Provider is missing in the demo because I already
> have 8 other providers; I thought it was enough. There are 3 libraries
> because scribe-up is also used for the CAS project and a Spring Security
> library for OAuth.
>
>
> 1. You need to define the providers (coming from the scribe-up project) :
> in your case, Facebook and Google in the shiro.ini file :
>
> # shiro.ini only treats whole lines starting with # as comments, so the
> # explanations sit on their own lines rather than after the values
> facebookProvider = org.scribe.up.provider.impl.FacebookProvider
> facebookProvider.key = your_key
> facebookProvider.secret = your_secret
> facebookProvider.callbackUrl = http://localhost:8080/shiro-facebook
> # request just the email permission
> facebookProvider.scope = email
> # just get the FB identifier and the email
> facebookProvider.fields = id,email
>
> googleProvider = org.scribe.up.provider.impl.Google2Provider
> googleProvider.key = your_key
> googleProvider.secret = your_secret
> googleProvider.callbackUrl = http://localhost:8080/shiro-google
> # because you just want to get the email
> googleProvider.scope = EMAIL
>
> It means you will have two urls (/shiro-facebook and /shiro-google) to
> validate the FB and Google OAuth authentication.
>
>
> 2. You need to define the OAuth realms : one realm for each provider
> because I assume you can have different roles and permissions granted
> according to your provider (in the shiro.ini file) :
>
> facebookRealm = com.you.ExtendedOAuthRealm
> facebookRealm.provider = $facebookProvider
>
> googleRealm = com.you.ExtendedOAuthRealm
> googleRealm.provider = $googleProvider
>
> This ExtendedOAuthRealm deals with your custom logic and extends the
> io.buji.oauth.OAuthRealm.
>
>
> 3. You need to define the filters which will handle the end of the OAuth
> authentication process in your web app for both providers (in the shiro.ini
> file). A filter creates an AuthenticationToken handled by the appropriate
> OAuthRealm.
>
> facebookFilter = io.buji.oauth.OAuthFilter
> facebookFilter.provider = $facebookProvider
> # the error page if the OAuth authentication fails
> facebookFilter.failureUrl = /error.jsp
>
> googleFilter = io.buji.oauth.OAuthFilter
> googleFilter.provider = $googleProvider
> # the error page if the OAuth authentication fails
> googleFilter.failureUrl = /error.jsp
>
>
> 4. You DON'T need to define other OAuth filters to protect your
> application and redirect the user to the OAuth provider for authentication.
> The filters in the io.buji.oauth.filters are not necessary for you.
>
>
> 5. On your login page, I understand that your user choose on which
> provider to authenticate. You can do that by generating the authorization
> url to redirect the user to the OAuth provider for authentication :
> <a href="<%=facebookProvider.getAuthorizationUrl(null)%>">Authenticate at Facebook</a>
> <a href="<%=googleProvider.getAuthorizationUrl(null)%>">Authenticate at Google</a>
>
>
> 6. Your security configuration would be :
> [urls]
> /shiro-facebook = facebookFilter
> /shiro-google = googleFilter
> /login.jsp = authc
> /settings.ftl = authc
> /listUsers.ftl = authc
> /logout = socialLogout
>
>
> 7. You need an extended OAuth realm with your custom logic : you want to
> check if the user is in database and load the roles. I don't know what you
> use as a principal, but with buji-oauth, it will be the "typed id",
> something like FacebookProfile#1234 or GoogleProfile#1234.
> So I think you can simply create the ExtendedOAuthRealm by extending the
> io.buji.oauth.OAuthRealm and putting your doGetAuthorizationInfo method in
> it if you can use this typed id as a key to match data coming from OAuth
> providers and your internal data.
>
> The second principal filled by the OAuthRealm (doGetAuthenticationInfo
> method) in buji-oauth is the user profile.
> So you can access some property on profile if you want to use it as
> username :
> String email = null;
> if (profile instanceof FacebookProfile) {
>     FacebookProfile fp = (FacebookProfile) profile;
>     email = fp.getEmail();
> } else if (profile instanceof Google2Profile) {
>     Google2Profile gp = (Google2Profile) profile;
>     email = gp.getEmail();
> }
> A common profile here would simplify work. I plan it for scribe-up 1.3.0.
>
>
> I didn't test anything so there might be some adjustments to do.
> Hope it's clear enough for you to try to switch to buji-oauth.
>
> Best regards,
> Jérôme
>





Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi,

OK. I see the checksum error. This is the cause of all your problems. It's
very strange. Hard to say what's going wrong here. Did you try with Maven 3
(after cleaning your repo from buji-oauth)?

You're right, the Google2Provider is missing in the demo because I already
have 8 other providers; I thought it was enough. There are 3 libraries
because scribe-up is also used for the CAS project and a Spring Security
library for OAuth.


1. You need to define the providers (coming from the scribe-up project) : in
your case, Facebook and Google in the shiro.ini file :

# shiro.ini only treats whole lines starting with # as comments, so the
# explanations sit on their own lines rather than after the values
facebookProvider = org.scribe.up.provider.impl.FacebookProvider
facebookProvider.key = your_key
facebookProvider.secret = your_secret
facebookProvider.callbackUrl = http://localhost:8080/shiro-facebook
# request just the email permission
facebookProvider.scope = email
# just get the FB identifier and the email
facebookProvider.fields = id,email

googleProvider = org.scribe.up.provider.impl.Google2Provider
googleProvider.key = your_key
googleProvider.secret = your_secret
googleProvider.callbackUrl = http://localhost:8080/shiro-google
# because you just want to get the email
googleProvider.scope = EMAIL

It means you will have two urls (/shiro-facebook and /shiro-google) to
validate the FB and Google OAuth authentication.


2. You need to define the OAuth realms : one realm for each provider because
I assume you can have different roles and permissions granted according to
your provider (in the shiro.ini file) :

facebookRealm = com.you.ExtendedOAuthRealm
facebookRealm.provider = $facebookProvider

googleRealm = com.you.ExtendedOAuthRealm
googleRealm.provider = $googleProvider

This ExtendedOAuthRealm deals with your custom logic and extends the
io.buji.oauth.OAuthRealm.


3. You need to define the filters which will handle the end of the OAuth
authentication process in your web app for both providers (in the shiro.ini
file). A filter creates an AuthenticationToken handled by the appropriate
OAuthRealm.

facebookFilter = io.buji.oauth.OAuthFilter
facebookFilter.provider = $facebookProvider
# the error page if the OAuth authentication fails
facebookFilter.failureUrl = /error.jsp

googleFilter = io.buji.oauth.OAuthFilter
googleFilter.provider = $googleProvider
# the error page if the OAuth authentication fails
googleFilter.failureUrl = /error.jsp


4. You DON'T need to define other OAuth filters to protect your application
and redirect the user to the OAuth provider for authentication. The filters
in the io.buji.oauth.filters are not necessary for you.


5. On your login page, I understand that your user choose on which provider
to authenticate. You can do that by generating the authorization url to
redirect the user to the OAuth provider for authentication :
<a href="<%=facebookProvider.getAuthorizationUrl(null)%>">Authenticate at Facebook</a>
<a href="<%=googleProvider.getAuthorizationUrl(null)%>">Authenticate at Google</a>


6. Your security configuration would be :
[urls]
/shiro-facebook = facebookFilter
/shiro-google = googleFilter
/login.jsp = authc
/settings.ftl = authc
/listUsers.ftl = authc
/logout = socialLogout


7. You need an extended OAuth realm with your custom logic : you want to
check if the user is in database and load the roles. I don't know what you
use as a principal, but with buji-oauth, it will be the "typed id",
something like FacebookProfile#1234 or GoogleProfile#1234.
So I think you can simply create the ExtendedOAuthRealm by extending the
io.buji.oauth.OAuthRealm and putting your doGetAuthorizationInfo method in
it if you can use this typed id as a key to match data coming from OAuth
providers and your internal data.

The second principal filled by the OAuthRealm (doGetAuthenticationInfo
method) in buji-oauth is the user profile.
So you can access some property on the profile if you want to use it as the
username:

String email = null;
if (profile instanceof FacebookProfile) {
    FacebookProfile fp = (FacebookProfile) profile;
    email = fp.getEmail();
} else if (profile instanceof Google2Profile) {
    Google2Profile gp = (Google2Profile) profile;
    email = gp.getEmail();
}
A common profile here would simplify work. I plan it for scribe-up 1.3.0.


I didn't test anything so there might be some adjustments to do.
Hope it's clear enough for you to try to switch to buji-oauth.

Best regards,
Jérôme



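An added example, not code from buji-oauth or the demo, of the ExtendedOAuthRealm that steps 2 and 7 above call for: it lets the inherited realm do the OAuth exchange, then registers a local account keyed by the typed id (refusing the login if the profile carries no email) and serves roles from that local record. It assumes the profile classes live at org.scribe.up.profile.facebook.FacebookProfile and org.scribe.up.profile.google.Google2Profile and that the principal collection holds the typed id first and the profile second, as described above; the in-memory user map and the com.you package are stand-ins.

```java
package com.you; // hypothetical package, matching the com.you.ExtendedOAuthRealm placeholder in the ini above

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.subject.PrincipalCollection;
import org.scribe.up.profile.facebook.FacebookProfile; // assumed scribe-up package for the profile classes
import org.scribe.up.profile.google.Google2Profile;

import io.buji.oauth.OAuthRealm;

/**
 * One realm class for both providers (declared twice in shiro.ini, once per provider, as in step 2).
 * The OAuth validation is inherited from OAuthRealm; this class only adds registration and role lookup.
 */
public class ExtendedOAuthRealm extends OAuthRealm {

    /** Stand-in for the application's user table (constructed for the example), keyed by typed id. */
    static final Map<String, LocalUser> USERS = new ConcurrentHashMap<String, LocalUser>();

    static final class LocalUser {
        final String email;
        final Set<String> roles;
        LocalUser(String email, Set<String> roles) { this.email = email; this.roles = roles; }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // buji-oauth exchanges the code, fetches the profile and builds the principals:
        // primary = typed id (e.g. "FacebookProfile#1234"), second = the provider profile.
        AuthenticationInfo info = super.doGetAuthenticationInfo(token);
        String typedId = (String) info.getPrincipals().getPrimaryPrincipal();
        String email = emailOf(info.getPrincipals());
        if (email == null || email.trim().length() == 0) {
            // Nothing to register the account against: refuse the login rather than
            // create an anonymous local user.
            throw new AuthenticationException("OAuth profile " + typedId + " carries no email");
        }
        registerIfNeeded(typedId, email.trim().toLowerCase());
        return info;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        LocalUser user = USERS.get((String) principals.getPrimaryPrincipal());
        Set<String> roles = user == null ? Collections.<String>emptySet() : user.roles;
        return new SimpleAuthorizationInfo(new HashSet<String>(roles));
    }

    /** Pulls the email out of whichever profile type this realm's provider produced. */
    static String emailOf(PrincipalCollection principals) {
        FacebookProfile fp = principals.oneByType(FacebookProfile.class);
        if (fp != null) {
            return fp.getEmail();
        }
        Google2Profile gp = principals.oneByType(Google2Profile.class);
        if (gp != null) {
            return gp.getEmail();
        }
        return null;
    }

    /**
     * First login creates the local account with the default role; later logins just find it.
     * The key is the typed id, not the email, so two providers reporting the same address
     * do not silently share one local account.
     */
    static LocalUser registerIfNeeded(String typedId, String email) {
        LocalUser existing = USERS.get(typedId);
        if (existing != null) {
            return existing;
        }
        Set<String> roles = new HashSet<String>();
        roles.add("user");
        LocalUser created = new LocalUser(email, roles);
        LocalUser raced = USERS.putIfAbsent(typedId, created);
        return raced == null ? created : raced;
    }
}
```

Point both facebookRealm and googleRealm at this class in shiro.ini exactly as step 2 shows; the realm's provider property is what the inherited code uses to validate the callback.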

Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Jérôme

I probably wasn't very clear in my last mail.  Not yet enough coffee in the
system.

A problem I saw with your demo, which offhand I couldn't see a way round
(and of course I may be wrong), is that IF a user tries to access a
protected page when not authorised, THEN I want a page to pop up which lets
her choose the provider. My demo does this with a standard login page.
Yours seemed to jump to whichever provider was protecting that page.

Again, I may well have got it wrong, but it was a decision made in good
faith at the time.

Tim

On 11 October 2012 09:56, jleleu [via Shiro User] <
ml-node+s582556n7577858h66@n2.nabble.com> wrote:

> Hi Tim,
>
> I prefer to keep public answers which can help others.
>
> About your Maven issues, it's really strange: the Sonatype snapshots
> repository is defined in the parent pom (oss-parent) and the dependencies
> you added are already defined in scribe-up project.
>
> For Google, you're right, you have to define the end-point, but you can do
> that in buji-oauth by using the Google2Provider and setting its scope to :
> EMAIL (PROFILE and EMAIL_AND_PROFILE are also possible).
>
> I'm in line with having a common profile to ease work with multiple
> providers. To check and add users into database, it's somehow really
> specific to your environment. But you can customize the Realm as usual
> for Shiro projects. In this case, it's the OAuthRealm on which you can
> override the doGetAuthenticationInfo or doGetAuthorizationInfo methods
> according to your needs.
>
> About nonce, I integrated a pull request to add the use of the state
> parameter in Facebook case.
>
> About showing you how to duplicate current functionality with less code,
> it's exactly the objective of the demo :
> https://github.com/leleuj/scribe-up-shiro-demo. Showing to everybody how
> to use buji-oauth.
> Less code is easy as you re-develop most of what is already in buji-oauth,
> but more configuration is also required.
> I'll send you a private email for this.
>
> In buji-oauth, you already have the following providers : Facebook, Google
> (OAuth 1.0 & 2.0), Twitter, DropBox, LinkedIn, Yahoo, Windows Live,
> WordPress and GitHub with very complete profiles (just not only the email).
> It's too bad not to leverage your work on this.
>
> Best regards,
> Jérôme
>





Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi Tim,

I prefer to keep public answers which can help others.

About your Maven issues, it's really strange: the Sonatype snapshots
repository is defined in the parent pom (oss-parent) and the dependencies
you added are already defined in scribe-up project.

For Google, you're right, you have to define the end-point, but you can do
that in buji-oauth by using the Google2Provider and setting its scope to :
EMAIL (PROFILE and EMAIL_AND_PROFILE are also possible).

I'm in line with having a common profile to ease work with multiple
providers. To check and add users into database, it's somehow really
specific to your environment. But you can customize the Realm as usual
for Shiro projects. In this case, it's the OAuthRealm on which you can
override the doGetAuthenticationInfo or doGetAuthorizationInfo methods
according to your needs.

About nonce, I integrated a pull request to add the use of the state
parameter in Facebook case.

About showing you how to duplicate current functionality with less code, it's
exactly the objective of the demo :
https://github.com/leleuj/scribe-up-shiro-demo. Showing to everybody how to
use buji-oauth.
Less code is easy as you re-develop most of what is already in buji-oauth,
but more configuration is also required.
I'll send you a private email for this.

In buji-oauth, you already have the following providers : Facebook, Google
(OAuth 1.0 & 2.0), Twitter, DropBox, LinkedIn, Yahoo, Windows Live,
WordPress and GitHub with very complete profiles (just not only the email).
It's too bad not to leverage your work on this.

Best regards,
Jérôme





Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Hi Jérôme,

I'm sorry you think it's very negative feedback. I'm not trying to upset
you. I'm just saying what I did.

I'm on maven 2.2.1 (just lazy).  Maven is /very/ stateful, so unless you've
moved your .m2 directory the results are not worth much.  Here is my diff on
the pom

diff --git a/pom.xml b/pom.xml
index b1de4ff..02f918b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,6 +6,15 @@
     <packaging>war</packaging>
     <name>scribeupshirodemo</name>
     <description>scribeupshirodemo</description>
+    <repositories>
+        <repository>
+            <id>sonatype-snapshots.oss.sonatype.org</id>
+            <name>Sonatype snapshots</name>
+           
<url>https://oss.sonatype.org/content/repositories/snapshots/</url>
+            <layout>default</layout>
+        </repository>
+    </repositories>
+
     <dependencies>
         <dependency>
             <groupId>io.buji</groupId>
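Review bot: the `<url>` element of the new `<repository>` block has been wrapped by the mail client, so the `+` prefix sits alone on one line and `<url>https://oss.sonatype.org/content/repositories/snapshots/</url>` follows on an unprefixed line; as pasted the hunk will not apply, and the two lines need rejoining into a single `+` line. Beyond that, jleleu points out later in this thread that the Sonatype snapshots repository is already defined in the parent pom (oss-parent), so this block duplicates inherited configuration; if it is kept as a workaround for the checksum failure, a one-line XML comment saying so would save the next reader the same investigation.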
@@ -22,6 +31,22 @@
             <artifactId>jcl-over-slf4j</artifactId>
             <version>1.6.4</version>
         </dependency>
+        <dependency>
+            <groupId>org.scribe</groupId>
+            <artifactId>scribe</artifactId>
+            <version>1.3.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.jackson</groupId>
+            <artifactId>jackson-core-asl</artifactId>
+            <version>1.9.9</version>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.jackson</groupId>
+            <artifactId>jackson-mapper-asl</artifactId>
+            <version>1.9.9</version>
+        </dependency>
+                                
     </dependencies>
     <build>
         <finalName>${project.artifactId}</finalName>
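Review bot: the three added dependencies (scribe 1.3.2, jackson-core-asl and jackson-mapper-asl 1.9.9) pin versions of libraries that, per jleleu's reply in this thread, scribe-up already declares; declaring them directly in the war overrides whatever versions scribe-up was built and tested against, and a mismatch would only surface at runtime. Run `mvn dependency:tree` before keeping them, and if an override is genuinely needed put it under `<dependencyManagement>` with a comment giving the reason. The whitespace-only line added just before `</dependencies>` should be dropped.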

I just kept going until it worked...

My point about the Email was that for Google you need to use a different 
end-point
<https://developers.google.com/accounts/docs/OAuth2Login#scopeparameter>  
(I don't want the full profile, only the Email, or as little in addition to
the Email that I can).

My issue with the multiple providers is that (a) I need to parse each one
anyway, which is the bulk of the work, and (b) each time someone authorises
I have to do some database work (checking and adding users). It wasn't at
the time clear how much work this would be and I /knew/ that it was a couple
of hours the other way.  Pragmatism.

If you want to discuss more, better to do privately
(tim.niblett@cilogi.com).  

My code is available to you in the Github repo. For the reasons above
(stateful maven) I'm not 100% sure it will run out of the box. A
constructive approach (work for you though) would be to show me how I can
duplicate current functionality with less code. Then I'll use buji!

BTW there are a couple of other issues with which I had trouble (with
scribe).  The most serious was that I can't use nonce as the code stands,
which is a security worry.  Nothing to do with buji, but I do have plans for
fixing the issue at some point...

Sorry again for any upset.

Tim

--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577857.html
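
The "nonce" worry in the post above is, in an OAuth 2.0 authorization-code flow, the job of the `state` parameter: a per-attempt random value bound to the browser session, sent on the authorization request and required to match on the callback, so an attacker cannot complete a login into a victim's session with a callback URL of their own. The following is an added, stand-alone illustration of that check in plain JDK Java; it is not code from the gaeshiro demo, from scribe or from buji-oauth. The Google endpoint, client id, redirect URI and the `Map` standing in for `HttpSession` are assumptions for the example; the `scope=openid email` value matches the email-only goal discussed above.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Minimal OAuth 2.0 authorization-code "state" handling, with no Shiro or scribe
 * dependency. A fresh state is generated per login attempt, stored server-side in
 * the user's session, sent on the authorization request and required to match on
 * the callback. The Map here stands in for HttpSession; endpoint, client id and
 * redirect URI are placeholders, not the demo's real values.
 */
public class OAuthStateCheck {
    // Placeholder configuration (assumed values for the example).
    static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
    static final String CLIENT_ID = "example-client-id";
    static final String REDIRECT_URI = "https://example.invalid/oauth/callback";
    static final String SESSION_KEY = "oauth2.state";

    private static final SecureRandom RNG = new SecureRandom();

    /** 32 random bytes, URL-safe Base64 without padding: unguessable and query-string safe. */
    static String newState() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Build the authorization URL, binding a fresh state to this session first.
     * Scope is limited to "openid email" so only the address is requested.
     */
    static String buildAuthorizationUrl(Map<String, Object> session) {
        String state = newState();
        session.put(SESSION_KEY, state);
        return AUTH_ENDPOINT
            + "?response_type=code"
            + "&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(REDIRECT_URI)
            + "&scope=" + enc("openid email")
            + "&state=" + enc(state);
    }

    /**
     * Callback-side check: true only if the callback carries the state bound to this
     * session. The stored value is removed whether or not it matched, so every state
     * is single-use and a replayed or forged callback is rejected.
     */
    static boolean consumeState(Map<String, Object> session, String stateFromCallback) {
        Object expected = session.remove(SESSION_KEY);
        if (expected == null || stateFromCallback == null) {
            return false;
        }
        byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
        byte[] b = stateFromCallback.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b); // constant-time comparison
    }

    private static String enc(String s) {
        // URLEncoder.encode(String, Charset) exists from Java 10 onwards.
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String url = buildAuthorizationUrl(session);
        System.out.println("redirect user to: " + url);

        String issued = (String) session.get(SESSION_KEY);
        // Forged callback (attacker-chosen state) against a copy of the session: rejected.
        System.out.println("forged state accepted?   "
            + consumeState(new HashMap<>(session), "attacker-chosen"));
        // Legitimate callback: accepted exactly once...
        System.out.println("valid state accepted?    " + consumeState(session, issued));
        // ...and a replay of the same callback is rejected.
        System.out.println("replayed state accepted? " + consumeState(session, issued));
    }
}
```

The same pattern applies per provider: keep one state per pending authorization, key it by provider if several can be in flight at once, and only exchange the `code` for a token after `consumeState` returns true. OpenID Connect's separate `nonce` parameter, which is echoed inside the ID token rather than on the callback URL, is not shown here.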

Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi,

It's a very negative feedback, I think really not deserved.

I just re-tested the demo and it works just fine on the first try:

    git clone git@github.com:leleuj/scribe-up-shiro-demo.git
    cd scribe-up-shiro-demo/
    mvn clean install jetty:run

Here is my desktop information:

    Apache Maven 3.0.4 (r1232337; 2012-01-17 09:44:56+0100)
    Maven home: j:\Developpement\java\apache-maven-3.0.4
    Java version: 1.6.0_22, vendor: Sun Microsystems Inc.
    Java home: c:\Program Files (x86)\Java\jdk1.6.0_22\jre
    Default locale: fr_FR, platform encoding: Cp1252
    OS name: "windows vista", version: "6.0", arch: "x86", family: "windows"


The email is available in the Facebook profile: you can see that by checking
the methods of the FacebookProfile (it's also described in the "Description
of providers and profiles" link on the home page of the buji-oauth project
or in the Javadoc on the scribe-up project home page).
The Google OAuth 2.0 provider exists: you can see that by searching the
provider classes (*Provider) or again in the "Description of providers and
profiles" link on the home page of the buji-oauth project.

You're right, sources are not available for buji-oauth in the Maven repository,
only for scribe-up:
https://oss.sonatype.org/content/repositories/snapshots/org/scribe/scribe-up/1.2.0-SNAPSHOT/.

About using many providers, that's exactly what the demo does: if you look
at the shiro.ini file, you see how to configure many providers. If you just
want to configure one, use the "First step is to setup the configuration for
your OAuth provider." link on the home page of the buji-oauth project. I'm
not sure I understand your problem about logout.

I'm really sad and sorry you lost so much time trying to use buji-oauth.

Best regards,
Jérôme


--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577856.html

Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Jérôme

I certainly don't want to upset you.  Here's what happened, if it's any help.

I did get your demo up and working, although I had to hack the dependencies
a bit (I forget how I'm afraid, but something was missing). So this took
half an hour or so.

It didn't have everything I needed out of the box (what does?).  I'd decided
to _only_ get the email from profiles (not available by default on facebook,
and different endpoint on Google) so it was immediately obvious I'd have
work to do, as the scribe library doesn't do this by default (and it doesn't
do OAuth 2 for Google which I wanted). 

I was put off at this point by 2 things.  First, there were three layers on
top of scribe (scribe-up, buji, demo) which would be hard to debug unless I
got the sources -- not available at a lick from Maven.  Second, I want to be
able to authorise with several providers at once, again this wasn't obvious
to me, and I'd have to do an unquantifiable amount of work to see if it was
easy.  Third, I wanted some way to logout, and this was not immediately
obvious. Finally, I've anyway got to do a lot of work to decode the profiles
I get back, and I wasn't sure how that would be organised.

I ended up writing 200 or so lines of interface code to Shiro
(com.cilogi.shiro.oauth) which includes the necessary fixes to scribe plus
the code I'd anyway have to write to decode the JSON.  I judged this to be a
lot less work for me.  As a rule of thumb it's a lot faster writing your own
code, rather than writing round someone else's.

Most of my time was probably spent on the JSON and working out how to get
Google and Facebook to do what I wanted.

I'm sure that if you were sitting at the desk next to me it would have been
different, but then you'd have been doing more work!

Tim


--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577855.html

Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi,

I tried to explain that even if authentication happens in the OAuth protocol,
it's not the target; the main objective is to allow an application to access
authorized user data.

And the main advantage I see in buji-oauth is the fact that you get a
profile for the authorized user. But you're right, there is no common
profile; it's a lack.
I'm open to suggestions, improvements and opinions: this common profile is a
good idea. The buji-oauth library is based on scribe-up:
https://github.com/leleuj/scribe-up. I'm going to release the 1.2.0
version soon, but I'll put that in my roadmap for 1.3.0.

About the implementation effort, I'm almost upset ;-) I thought it was
simple to use the buji-oauth library: define a provider, define a filter,
define a realm and define the security of the application:
https://github.com/bujiio/buji-oauth/wiki/configuration.
What did you expect to be easier?

Thanks,
Jérôme

--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577854.html

Re: OAuth demo

Posted by timniblett <ti...@cilogi.com>.
Jérôme

Thanks very much for the reply.

I agree that OAuth is for authorization.  It's like the old song, "If you
can't be with the one you love, love the one you're with".  So, for easy
login that people will use this seems to be the only game in town at the
moment.   From what I've seen OAuth 2 /is/ being sold as an
identity/authentication solution.

I'm not quite sure what you're saying about accessing data about the user.
I've chosen to only access the Email, but could access other data.  The
issue here for me is that each provider returns data in a different format.
So, a useful function of a library would be to provide a uniform API to the
data returned (as far as possible).  Is this something you do?

Given that I'm interested only in identity I ask: "what should the best
practices be and what's the simplest way to implement them?".  It would be
helpful to have a library available that lets me hook into Shiro for OAuth.
My sample could lead to that with: (a) some interface classes to Shiro and
(b) a login servlet and logout filter.  I'd be much happier using someone
else's code though!  I'd be happy to use yours if the implementation effort
is less.

The other issue, which I'm still unclear about, is how secure is OAuth in
practice compared to username/password?  It looks pretty insecure to me, but
I'm not at all well informed in this area.

Tim

--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577853.html

Re: OAuth demo

Posted by jleleu <le...@gmail.com>.
Hi,

As the creator of the buji-oauth library, I completely understand your
argument and the path you followed.

However, OAuth is about authorization (more than authentication): it gives
you access to something about the authorized user: post tweets, read a
Facebook profile...
I myself think that just delegating authentication through the OAuth protocol is
not a real use case; you always want *at least* to know who is connected, to
get their user profile, and this is done by the buji-oauth library.

Best regards,
Jérôme

--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577852.html