<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I've updated the sample app with the new flow.<div><br></div><div><a href="https://github.com/lholmquist/oauth2test">https://github.com/lholmquist/oauth2test</a></div><div><br></div><div><br><div><div><div>On Aug 29, 2013, at 9:23 AM, Lucas Holmquist <<a href="mailto:lholmqui@redhat.com">lholmqui@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=utf-8"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">OK, Kris had some thoughts on a better flow, so I refactored the code a bit and I think I like this way a bit better.<div><br></div><div><h2 id="new-flow-client-flow-standalone-for-now-possible-integration-with-pipes" style="font-weight: normal; color: rgb(17, 17, 17); line-height: 1em; font-size: 2em; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: silver; padding-bottom: 5px; font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; ">New Flow - Client Flow - Standalone for now, possible integration with pipes</h2><h3 id="first-time-no-access-token-stored-in-localstorage" style="font-weight: normal; color: rgb(17, 17, 17); line-height: 24px; font-size: 1.5em; font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; ">First Time - No Access Token Stored (in localStorage)</h3><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">The user will create the Authorization object with settings/options:</p><pre style="font-size: 0.88em; 
border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: rgb(248, 248, 248); border: 1px solid rgb(204, 204, 204); white-space: pre-wrap; word-wrap: break-word; padding: 5px 12px; line-height: 24px; "><code style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; border: 0px !important; padding: 0px; ">var thing = AeroGear.Authorization();
thing.add({
    name: "coolThing",
    settings: {
        clientId: "12345.apps.googleusercontent.com",
        redirectURL: "http://localhost:8000/redirector.html",
        tokenValidationEndpoint: "https://www.googleapis.com/oauth2/v1/tokeninfo",
        authEndpoint: "https://accounts.google.com/o/oauth2/auth",
        revokeURL: "https://accounts.google.com/o/oauth2/revoke",
        scopes: "https://www.googleapis.com/auth/userinfo.profile",
        prompt: "force"
    }
});
</code></pre><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; "><em>Should have the ability to specify more settings, based on the spec.</em></p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">The user would then call some method (currently no good names are coming to me, maybe validate) that takes success and error callbacks.</p><pre style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: rgb(248, 248, 248); border: 1px solid rgb(204, 204, 204); white-space: pre-wrap; word-wrap: break-word; padding: 5px 12px; line-height: 24px; "><code style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; border: 0px !important; padding: 0px; ">thing.services.coolThing.validate({
    success: function( response ) {
        console.log( "Should be the response from validating the access token", response );
    },
    error: function( error ) {
        // should contain a constructed URL for the user
        console.log( "error", error );
    }
});
</code></pre><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">Since this is the first time, the error callback will be called and will contain the constructed URL that the user should do the popup redirect dance with to get an access token.</p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; "><em>What "dance" they do is up to the developer.</em></p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">Once that happens and they have the access token, they would call the validate method again.</p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">This makes sure that the token they received is validated, and it will also return some other metadata related to the token, like refresh time.</p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">Once the token has been validated, it will be stored in localStorage and would be accessible with the key <code style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: rgb(248, 248, 248); border: 1px solid rgb(204, 204, 204); padding: 0px 3px; ">ag-oauth2-whatever_the_client_ID_is</code>.</p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">So in this example it would be something like:</p><pre style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: rgb(248, 248, 248); border: 1px solid rgb(204, 204, 204); white-space: pre-wrap; word-wrap: break-word; padding: 5px 12px; line-height: 24px; "><code style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; border: 0px !important; padding: 0px; ">ag-oauth2-12345.apps.googleusercontent.com
</code></pre><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">There is one problem I can see here, though. If the user has two applications with the same client ID but different scopes assigned, this would be a problem. That use case could be considered bad practice anyway.</p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">The user can then call the "callService" (yes, again, crappy name) method to get access to the service they want.</p><pre style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: rgb(248, 248, 248); border: 1px solid rgb(204, 204, 204); white-space: pre-wrap; word-wrap: break-word; padding: 5px 12px; line-height: 24px; "><code style="font-size: 0.88em; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; border: 0px !important; padding: 0px; ">thing.services.coolThing.callService({
    serviceURL: "https://www.googleapis.com/oauth2/v2/userinfo",
    success: function( response ) {
        console.log( "Should be the response from the call", response );
    },
    error: function( error ) {
        console.log( "error", error );
    }
});
</code></pre><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">All these methods would have success/error callbacks.</p><h3 id="token-expiration" style="font-weight: normal; color: rgb(17, 17, 17); line-height: 24px; font-size: 1.5em; font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; ">Token Expiration</h3><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">If the user makes a call to a service, using the callService method, and they receive an error such as not authorized, token invalid or token expired, I'm thinking we send what the "constructed URL" should be, similar to the validate method described above.</p><p style="margin: 1em 0px; color: rgb(68, 68, 68); font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', 'Hiragino Sans GB', STXihei, 微软雅黑, serif; font-size: 16px; line-height: 24px; ">Since this is a client-side flow, there is no refresh token, so the client wouldn't be able to refresh the access token without doing the "dance" again.</p></div><div><div><br></div><div><br></div><div><br><div><div><div>On Aug 27, 2013, at 1:57 PM, Lucas Holmquist <<a href="mailto:lholmqui@redhat.com">lholmqui@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I've hacked together a sample app that shows sort of the flow.<div><br></div><div><a href="https://github.com/lholmquist/oauth2test">https://github.com/lholmquist/oauth2test</a></div><div><br></div><div>It is still very rough.</div><div><br><div><div>On Aug 27, 2013, at 12:42 PM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">+1, keep it simple, please.<br><br>Lucas Holmquist wrote:<br><blockquote type="cite"><br>On Aug 27, 2013, at 3:39 AM, Sebastien Blanc <<a href="mailto:scm.blanc@gmail.com">scm.blanc@gmail.com</a><br><<a href="mailto:scm.blanc@gmail.com">mailto:scm.blanc@gmail.com</a>>> wrote:<br><br><blockquote type="cite">Hi,<br>That sounds good!<br>Just one question: instead of using the callApi function, couldn't we<br>pass the oauth module (called 'thing' in your example) to the pipe<br>directly, using the 'authenticator' setting? Behind the scenes, the<br>pipe manager will append the oauth token to the query or add the<br>bearer header?<br></blockquote><br>I'm not sure if that is what this is going to do. This is more of an<br>Authorization thing and I don't think it totally fits the pipeline<br>stuff. (Or it would make it a bit more complicated, and we want to keep<br>it simple.)<br><br><br> I should probably change the method to be "authorize" instead.<br><br><blockquote type="cite">Seb<br><br><br><br>On Mon, Aug 26, 2013 at 8:05 PM, Lucas Holmquist <<a href="mailto:lholmqui@redhat.com">lholmqui@redhat.com</a><br><<a href="mailto:lholmqui@redhat.com">mailto:lholmqui@redhat.com</a>>> wrote:<br><br><br> OAuth2 AeroGear Workflow - High Level<br><br><br> Using Google APIs<br><br> /Server Side/<br><br> 1. The user needs to first create an "application/project" to get an<br> API key<br> 2. Then they would choose the services/APIs they would like<br> their application to access<br> 3. Other Google server related items....<br><br> /Client Side/<br><br> 1. Create a new OAuth2 module thing<br> 2. Get an access token for the services; they would need to specify the<br> services they would like to access<br> 3. Validate the token<br> 4. Make calls to the service<br><br><br> API<br><br> |var thing = AeroGear.OAuth2({<br> name: "googleEndPoints", // just a name<br> clientID: "12345", // the client ID of the app from the API console<br> settings: {<br> permissions: "..",<br> ...<br> }<br> }).somecoolmodulename.googleEndPoints;<br> |<br><br> /Settings: Multiple settings based on the parameters here<br> <<a href="https://developers.google.com/accounts/docs/OAuth2UserAgent">https://developers.google.com/accounts/docs/OAuth2UserAgent</a>>/<br><br> /Methods/<br><br><br> authenticate<br><br> This will authenticate with the server to get the access token and<br> then validate the token; once that is all good, the response<br> is returned.<br><br> |thing.authenticate({<br> success: function( response ) {},<br> error: function( error ) {},<br> settings: {<br> // probably some settings here, like URL overrides and such<br> }<br> });<br> |<br><br><br> callApi<br><br> Not really a good name, but it would basically call the remote<br> API/services. We could either do a query string option or a header<br> option.<br><br> Example:<br><br> |curl '<a href="https://www.googleapis.com/oauth2/v1/userinfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg">https://www.googleapis.com/oauth2/v1/userinfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg</a>'<br> |<br><br> or<br><br> |curl -H "Authorization: Bearer {accessToken}" <a href="https://www.googleapis.com/oauth2/v1/userinfo">https://www.googleapis.com/oauth2/v1/userinfo</a><br> |<br><br> Code:<br><br> |thing.callApi({<br> service: "userinfo", // don't really like this name either<br> success: function( response ) {},<br> error: function( error ) {},<br> settings: {<br> ... // overridable baseURLs?<br> }<br> });<br> |<br><br><br> revoke<br><br> Again, maybe not the best name. Calls the "revoke" service to<br> remove access to permissions.<br><br> |thing.revoke({<br> success: function( response ) {},<br> error: function( error ) {},<br> settings: {}<br> });<br> |<br><br> Behind the scenes on all these calls, the "access_token" is<br> being used and possibly refreshed for the user, so they don't<br> have to worry about it. They just need to call authenticate first.<br> Maybe we can have a refresh method if the user wants to refresh<br> the tokens themselves. This would do the token "dance".<br><br><br><br> On Aug 26, 2013, at 1:35 PM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a><br> <<a href="mailto:bruno@abstractj.org">mailto:bruno@abstractj.org</a>>> wrote:<br><br><blockquote type="cite"> +1, I think it is a good start for us.<br><br> Kris Borchers wrote:<br><blockquote type="cite"> I would like to see that, but what you are saying makes sense. It<br> sounds like where I was headed with the Basic and Digest<br> adapters before I ran into browser security issues with headers.<br> I think an authorization API that basically just wraps itself<br> around secured endpoints works for me.<br></blockquote><br> -- <br> abstractj<br><br><br> _______________________________________________<br> aerogear-dev mailing list<br> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> <<a href="mailto:aerogear-dev@lists.jboss.org">mailto:aerogear-dev@lists.jboss.org</a>><br> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote><br></blockquote><br></blockquote><br>-- <br>abstractj<br></blockquote></div><br></div></div></blockquote></div><br></div></div></div></div></blockquote></div><br></div></div></body></html>