-
Notifications
You must be signed in to change notification settings - Fork 168
Draft OAuth2 Documenation #3464
Changes from 2 commits
f806c64
6729796
d1e91ff
c2ae312
ac4d527
8a233a8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,174 @@ | ||
====== | ||
OAuth2 | ||
====== | ||
|
||
What is it? | ||
----------- | ||
|
||
OAuth2 is summarized in `RFC 6749`_ as follows: | ||
|
||
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. | ||
|
||
Here is an overview of how the process works: | ||
|
||
:: | ||
|
||
+----------+ | ||
| Resource | | ||
| Owner | | ||
| | | ||
+----------+ | ||
^ | ||
| | ||
(B) | ||
+----|-----+ Client Identifier +---------------+ | ||
| -+----(A)-- & Redirection URI ---->| | | ||
| User- | | Authorization | | ||
| Agent -+----(B)-- User authenticates --->| Server | | ||
| | | | | ||
| -+----(C)-- Authorization Code ---<| | | ||
+-|----|---+ +---------------+ | ||
| | ^ v | ||
(A) (C) | | | ||
| | | | | ||
^ v | | | ||
+---------+ | | | ||
| |>---(D)-- Authorization Code ---------' | | ||
| Client | & Redirection URI | | ||
| | | | ||
| |<---(E)----- Access Token -------------------' | ||
+---------+ (w/ Optional Refresh Token) | ||
|
||
|
||
The OAuth2 App | ||
-------------- | ||
|
||
OAuth2 support is available in ownCloud via `an OAuth2 application`_ which is available from the ownCloud Marketplace. | ||
The app aims to: | ||
|
||
#. Connect ownCloud clients (both desktop and mobile) in a standardized and secure way. | ||
#. Make 3rd party software integrations easier by providing an unified authorization interface. | ||
|
||
Endpoints | ||
~~~~~~~~~ | ||
|
||
================= ======================================= | ||
Description URI | ||
================= ======================================= | ||
Authorization URL ``/index.php/apps/oauth2/authorize`` | ||
Access Token URL ``/index.php/apps/oauth2/api/v1/token`` | ||
================= ======================================= | ||
|
||
Protocol Flow | ||
~~~~~~~~~~~~~ | ||
|
||
Client Registration | ||
^^^^^^^^^^^^^^^^^^^^ | ||
|
||
The clients first have to be registered in the admin settings: ``/settings/admin?sectionid=authentication``. | ||
You need to specify a name for the client (the name is unrelated to the OAuth 2.0 protocol and is just used to recognize it later) and the redirection URI. | ||
A client identifier and client secret are generated when adding a new client, which both consist of 64 characters. | ||
For further information about client registration, please refer to `the official client registration RFC from the IETF`_. | ||
|
||
Authorization Request | ||
^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
For every registered client an authorization request can be made. | ||
The client redirects the resource owner to the authorization URL and requests authorization. | ||
The following URL parameters have to be specified: | ||
|
||
================= ========== ======================================================================================== | ||
Parameter Required Description | ||
================= ========== ======================================================================================== | ||
``response_type`` yes Needs to be `code` because at this time only the authorization code flow is implemented. | ||
``client_id`` yes The client identifier obtained when registering the client. | ||
``redirect_uri`` yes The redirection URI specified when registering the client. | ||
``state`` no Can be set by the client "to maintain state between the request and callback". | ||
See `RFC 6749`_ for more information. | ||
================= ========== ======================================================================================== | ||
|
||
For further information about client registration, please refer to `the official authorization request RFC from the IETF`_. | ||
|
||
Authorization Response | ||
^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
After the resource owner's authorization, the app redirects to the `redirect_uri` specified in the authorization request and adds the authorization code as URL parameter `code`. | ||
An authorization code is valid for 10 minutes. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What happens after the 10min? Is there a user interaction necessary or are there processes running in the background automatically ? If yes which or what happens? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Isn't this rather something for a developer documentation? I think here we need to document what administrators need to know. Technical overview, benefits, configuration details, minimum client versions, etc.. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Actually, @pmaier1, on reading the text again, it makes sense to keep the background information and configuration documentation together, rather than have the admin/user search for one or the other. I'd suggest to keep it as it is. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Proposal: |
||
For further information about client registration, please refer to `the official authorization response RFC from the IETF`_. | ||
|
||
Access Token Request | ||
^^^^^^^^^^^^^^^^^^^^ | ||
|
||
With the authorization code, the client can request an access token using the access token URL. | ||
`Client authentication`_ is done using basic authentication with the client identifier as username and the client secret as a password. | ||
The following URL parameters have to be specified: | ||
|
||
================= ============================= =================================================== | ||
Parameter Required Description | ||
================= ============================= =================================================== | ||
``grant_type`` Either ``authorization_code`` or ``refresh_token``. | ||
``code`` if the grant type | ||
`authorization_code` is used. | ||
``redirect_uri`` if the grant type | ||
`authorization_code` is used. | ||
``refresh_token`` if the grant type | ||
`refresh_token` is used. | ||
================= ============================= =================================================== | ||
|
||
For further information about client registration, please refer to `the official access token request RFC from the IETF`_. | ||
|
||
Access Token Response | ||
^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
The app responses to a valid access token request with a JSON response like the following. | ||
An access token is valid for 1 hour and can be refreshed with a refresh token. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Above, the token is valid for 10min. Now the token is valid for 1h... There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I guess above is referring to the authorization code, with this being valid for 10 minutes. An authorization code can then be used for requesting an access token, with this being valid for max 1 hour. Or at least this is what I understood.. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd suggest there's some confusion between authorization code and access token going on. Here's a good description of them. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why not adding the link (good description) to ease understanding? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done! |
||
|
||
.. code-block:: json | ||
|
||
{ | ||
"access_token" : "1vtnuo1NkIsbndAjVnhl7y0wJha59JyaAiFIVQDvcBY2uvKmj5EPBEhss0pauzdQ", | ||
"token_type" : "Bearer", | ||
"expires_in" : 3600, | ||
"refresh_token" : "7y0wJuvKmj5E1vjVnhlPBEhha59JyaAiFIVQDvcBY2ss0pauzdQtnuo1NkIsbndA", | ||
"user_id" : "admin", | ||
"message_url" : "https://www.example.org/owncloud/index.php/apps/oauth2/authorization-successful" | ||
} | ||
|
||
For further information about client registration, please refer to `the official access token response RFC from the IETF`_. | ||
|
||
Installation | ||
------------ | ||
|
||
To install the application, place the content of the OAuth2 app inside your installation's ``app`` directory. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Respectively use the Market App There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As with other ownCloud apps we do not have to document the installation process as it's always the same. Either you install it manually as described or you use the market app. IMO we only need to explain installation when there are dependencies on other software like Collabora or full text search or stuff like that. |
||
|
||
Basic Configuration | ||
------------------- | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You basically don't have to configure anything in oC itself. Here we need information on configuring the basic infrastructure around it and how to cover special cases like SSO #3456 owncloud/oauth2#49 |
||
|
||
Restricting Usage | ||
----------------- | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Here we need info about how to "lock-out" the original oC clients and e.g. only allow the usage of branded clients with special client id/secret. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ref. owncloud/oauth2#72 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've added content around this point, taken from owncloud/oauth2#72. |
||
|
||
Limitations | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. One more limitation: owncloud/oauth2#109 (comment) -> clients are unable to migrate an account from Basic Auth. to OAuth2 if they come from the |
||
----------- | ||
|
||
Since the app handles no user passwords, only master key encryption works (similar to `the Shibboleth app`_). | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What to do in case of any other encryption type ? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Where does this info come from? I use OAuth on an instance that uses credential-based storage encryption. Works like a charm. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Correction: The statement regarding credential-based storage encryption is correct. Sorry, my bad. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add a link to owncloud/oauth2#105? |
||
|
||
Connecting Clients via OAuth2 | ||
----------------------------- | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
Revoking Sessions | ||
----------------- | ||
|
||
|
||
.. Links | ||
|
||
.. _an OAuth2 application: https://marketplace.owncloud.com/apps/oauth2 | ||
.. _the Shibboleth app: https://marketplace.owncloud.com/apps/user_shibboleth | ||
.. _the official client registration RFC from the IETF: https://tools.ietf.org/html/rfc6749#section-2 | ||
.. _the official authorization request RFC from the IETF: https://tools.ietf.org/html/rfc6749#section-4.1.1 | ||
.. _the official authorization response RFC from the IETF: https://tools.ietf.org/html/rfc6749#section-4.1.2 | ||
.. _the official access token request RFC from the IETF: https://tools.ietf.org/html/rfc6749#section-4.1.3 | ||
.. _the official access token response RFC from the IETF: https://tools.ietf.org/html/rfc6749#section-4.1.4 | ||
.. _RFC 6749: https://tools.ietf.org/html/rfc6749#section-4.1.1 | ||
.. _Client authentication: https://tools.ietf.org/html/rfc6749#section-2.3 | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the App work as Authorisation Server in ownCloud (what I believe so reading the text)? If yes than it should be stated to make the role more clear. If not or if not only, than describe the role(s) to get a link to the picture above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I read that text, it is saying that via the OAuth2 application from the Marketplace, OAuth2 client support can be added to ownCloud.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Proposal:
OAuth2 support is available
-->OAuth2 authorisation server support is available
This would make the role of the app clear.
Because an external client independent coming from owncloud itself or from any other source authorizes and connects to the server. When owncloud connects eg to dropbox via the dp-app, the dp-app is in the role of the client where db is in the role of the server.
Reduces confusion: aahhh Oauth2 app - let´s connect to sharepoint which is exactly not the possible because of the role of the app...