[aerogear-dev] OAuth2 Adapter
Sebastien Blanc
scm.blanc at gmail.com
Tue Aug 27 03:39:29 EDT 2013
Hi,
That sounds good !
Just one question, instead of using the callApi function couldn't we pass
the oauth module (called 'thing' in your example) to the pipe directly,
using the 'authenticator' setting. Behind the scene, the pipe manager will
append the oauth token to the query or add the bearer header ?
Seb
On Mon, Aug 26, 2013 at 8:05 PM, Lucas Holmquist <lholmqui at redhat.com>wrote:
> OAuth2 AeroGear Workflow - High LevelUsing Google api's
>
> *Server Side*
>
> 1. user needs to first create an "application/project" to get an api
> key
> 2. Then they would choose the services/api's then would like there
> application to access
> 3. other google server related items....
>
> *Client Side*
>
> 1. Create a new OAuth2 module thing
> 2. Get access token for the services would need to specify the
> services they would like to access
> 3. validate the token
> 4. make calls to the service
>
> API
>
> var thing = AerGear.OAuth2({
> name: googleEndPoints, //Just a Name
> clientID: "12345" //The client ID of the app from the API console
> settings: {
> permissions: "..",
> ...
> }
> }).somecoolmodulename.googleEndPoints;
>
> *Settings: Multiple settings based on paramters here<https://developers.google.com/accounts/docs/OAuth2UserAgent>
> *
>
> *Methods*
> authenticate
>
> this will authenticate with the server to get the access token and then
> validate the token, once that is all good then the response is returned.
>
> thing.authenticate({
> success:{},
> error:{},
> settings: {
> //probably some settings here, like URL overides and such
> }
> });
>
> callApi
>
> not really a good name, but it would basically call the remote
> api/services. we could either do a query string option or a Head option
>
> example:
>
> curl 'https://www.googleapis.com/oauth2/v1/userinfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg'
>
> or
>
> curl -H "Authorization: Bearer {accessToken}" https://www.googleapis.com/oauth2/v1/userinfo
>
> code:
>
> thing.callApi({
> service: "userinfo", //don't really like this name either
> success:{},
> error:{},
> settings: {
> ... //overridable baseURLs?
> }
> });
>
> revoke
>
> again, maybe not the best name. calls the "revoke" service, to remove
> access to permissions
>
> thing.revoke({
> success: {},
> error: {},
> settings: {}
> });
>
> Behind the scenes on all these calls, the "access_token" is beining used
> and possibly refreshed for the user, so they don't have to worry about it.
> They just need to call authenticate first. Maybe we can have a refresh
> method if the user wants to refresh the tokens themselves. this would do
> the token "dance"
>
>
> On Aug 26, 2013, at 1:35 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
> +1 I think is a good start to us.
>
> Kris Borchers wrote:
>
> I would like to see that but what you are saying makes sense. It sounds
> like where I was headed with the Basic and Digest adapters before I ran
> into browser security issues with headers. I think and authorization API
> that basically just wraps itself around secured endpoints works for me.
>
>
> --
> abstractj
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130827/3ae69e30/attachment.html
More information about the aerogear-dev
mailing list