Consuming OAuth Services in Alfresco Share
Download
Report
Transcript Consuming OAuth Services in Alfresco Share
Consuming OAuth Services in
Alfresco Share
Alfresco Summit 2013
Will Abson / @wabson
#SummitNow
My Role at Alfresco
• At Alfresco since 2005
• Started Share Extras project 2010
• Joined Integrations Team 2012
#SummitNow
Integrations Matter
#SummitNow
Source: http://www.flickr.com/photos/ross/3055802287/
Back in the Day
Integrations were PAINFUL
• Long, iterative dev cycles
• Transport protocols were XML-based
(WSDL, SOAP, etc.) or language-specific
(e.g. RMI)
• How to authenticate?
#SummitNow
The Situation Today
• REST + JSON = Happy Developers?
• Scriptable APIs
• Powerful client capabilities
#SummitNow
What About Identity?
• Sharing usernames and passwords is BAD
•
•
•
Details may be compromised
Passwords may be changed
Passwords not always secure
• Using tokens allows users to delegate
authorization to external applications
•
•
•
Tokens may be revoked by the user and may
expire...
But will not change
Long alphanumeric values normally used
#SummitNow
Enter OAuth
An open
protocol to
allow secure
authorization in
a simple and
standard
method from
web, mobile and
desktop
applications.
#SummitNow
OAuth
• Two variants
• OAuth 1.0(a)
• OAuth 2.0
• Really completely
different standards
• OAuth 2.0 has been
controversial
Application requests
access to protected
resource
User authenticates
and approves
application
Access token is
returned to client
#SummitNow
OAuth 1.0a Flow
#SummitNow
OAuth 2.0 Flow
#SummitNow
Comparing The Two
OAuth 1.0
OAuth 2.0
Grant Token must be
obtained up-front
No Grant Tokens
User tokens consist of
access token and secret
token (for signing)
Users provided with access
token only, no secret token
Every request must be
signed as prescribed by SP
No Signing of requests,
relies on SSL
Access Tokens normally
long-lived but cannot be
renewed
Access Tokens are shortlived but Refresh Tokens
can be used to renew
them
#SummitNow
The Dream
Your
Code
API
Dashlets
Admin Console
Doclib Actions
etc.
Twitter
Salesforce
Flickr
etc.
#SummitNow
Introducing Share OAuth
Goal: To make RESTful, OAuth-protected
APIs natively and easily accessible through
client-side JavaScript in Alfresco Share
• Just like we can easily access the
Alfresco repository
• For OAuth 1.0 and 2.0 services
#SummitNow
Challenges
• How should developers declare
endpoints, client IDs and secrets?
• Dealing with the “OAuth Dance”
• Where to persist access tokens?
• How do we sign requests?
• How do we keep this secure?
#SummitNow
Share Proxy
someco.com
otherco.com
Client-side
Proxy
API
Repo
Proxy gets around cross-domain restrictions, handles authentication,
etc.
#SummitNow
Connectors and Endpoints
• Endpoints give the location of remote resources
• Connectors are used to fetch those resources
• Each endpoint must identify a single connector to
use
• Connectors may use a named Authenticator,
which in turn may use a Credentials Store
Authenticati
ngConnecto
r
Endpoint
Connector
Credentials
Store
#SummitNow
File spring-webscripts-config.xml
#SummitNow
Introducing Share OAuth
Goal: To make RESTful, OAuth-protected
APIs natively and easily accessible through
client-side JavaScript in Alfresco Share
• Just like we can easily access the
Alfresco repository
• For OAuth 1.0 and 2.0 services
#SummitNow
Initial Impl - OAuth 1.0
Connector
Extras.OAuthHelper
Return Web
Script
HttpOAuthCo
nnector
Custom
Model
Token Web
Scripts
Service Provider
MyDashlet
#SummitNow
Repository Tier
Custom Model
• Defines a single aspect
with a d:content property
• Aspect is added to the
cm:person object,
containing serialized
JSON data
• Data contains OAuth
token, secret and
other optional values
Token Web Scripts
• Get and set OAuth data
on the person object
MyDashlet
Extras.OAuthHelper
Return
Web Script
HttpOAuthC
onnector
Custom
Model
Token Web
Scripts
#SummitNow
Web Tier
Return Web Script
• Provider redirects the
user back here with a
verification code
• Responsible for calling
out to provider to
exchange verification
code for token
• Stores access token
and secret using token
web scripts
• Redirects user to their
original page
MyDashlet
Extras.OAuthHelper
Return
Web Script
HttpOAuthC
onnector
Custom
Model
Token Web
Scripts
#SummitNow
Web Tier
HttpOAuthConnector
• Receives requests bound
for the service provider,
which have been sent via
the Share endpoint proxy
• Access token and secret
must be added by the
browser via a custom
header
• Secret is used to sign
the request but is
NOT sent to provider
• Response is streamed back
to the client
MyDashlet
Extras.OAuthHelper
Return
Web Script
HttpOAuthC
onnector
Custom
Model
Token Web
Scripts
#SummitNow
Dashlet Request Flow
Fetch token from Token Web Scripts
If token found, make API request via custom Connector
If no token found, display Connect action
If API request successful, display the data
If unauthorized, display Connect action
#SummitNow
Initial Impl - OAuth 1.0
Connector
Extras.OAuthHelper
Return Web
Script
HttpOAuthCo
nnector
Custom
Model
Token Web
Scripts
Service Provider
MyDashlet
#SummitNow
MyDashlet
Return
Web Script
Credentia
ls Store
Credentials
Store Web
Scripts
HttpOAuth
2Connector
Service Provider
New Impl - OAuth 2.0
Connector
#SummitNow
Repository Tier
OAuth Credentials
Store Web Scripts
• Use the dedicated
credentials service
(new in Alfresco 4.1)
to store tokens on
behalf of the user
• No custom model
needed, values
are stored
encrypted
MyDashlet
Return
Web
Script
Credent
ials
Store
HttpOAu
th2Conn
ector
Credential
s Store
Web
Scripts
#SummitNow
Web Tier
Credentials Store
• Responsible for loading
tokens from the repository
(using Credentials Store
Web Scripts), storing in the
user’s session context and
saving new values
Return Web Script
• Uses the Credentials Store
to save the access token
data (no need to manually
call repo web scripts)
MyDashlet
Return
Web
Script
Credent
ials
Store
HttpOAu
th2Conn
ector
Credential
s Store
Web
Scripts
#SummitNow
Implementing Integrations
Using Share OAuth, we can plug in new
integrations using web-tier code/config only
• Endpoint/connector configuration
• Web script and/or extensibility module
files
• Client-side code to make the outbound
Ajax request and display data
#SummitNow
Web Tier Configuration
#SummitNow
Client-side
#SummitNow
Dashlet Request Flow
Make API request via custom Connector
If API request successful, display the data
If unauthorized, display Connect action
#SummitNow
Example Implementations
• GitHub Dashlet
• Chatter Dashlet
• JavaScript Console
#SummitNow
More Implementations
•
•
•
•
Twitter Dashlets
Flickr Dashlets
LinkedIn Dashlet
Yammer Dashlet
#SummitNow
Future
• OAuth 1.0 Support via Credentials Store
• Requires Grant Token support via a custom
web script
• Deprecate client-side Extras.OAuthHelper
class
• Simplify Twitter, LinkedIn, Flickr and
Yammer dashlets
#SummitNow
More Information
http://sharextras.github.io/
#SummitNow
#SummitNow