[aerogear-dev] OAuth2 authorization and Pipe integration
Lucas Holmquist
lholmqui at redhat.com
Fri May 16 10:15:56 EDT 2014
On May 16, 2014, at 9:47 AM, Corinne Krych <corinnekrych at gmail.com> wrote:
> Hello Luke,
>
> Our native clients (with Google Drive app) use the authz code grant type [1]. With this mode, refresh tokens are issued.
> Our JS GoogleDrive demo is using the implicit grant [2], as recommended for browser-based apps. In this mode no refresh token is issued, and the grant should be asked for as often as the access token expires (1h for Google).
>
> What about hybrid? We could use something like the demo in this blog post [3], so we can have a refresh token too.
For hybrid, a refresh token would be fine.
For the JBoss Keynote demo in 2013, the link below is similar to what I did.
>
> wdyt?
> ++
> Corinne
>
> [1] http://tools.ietf.org/html/rfc6749#section-4.1
> [2] http://tools.ietf.org/html/rfc6749#section-4.2
> [3] http://www.itsalif.info/content/oauth-google-api-gapi-phonegap-childbrowser-jquery
>
> On 15 May 2014, at 18:12, Lucas Holmquist <lholmqui at redhat.com> wrote:
>
>> For JS we don’t have refresh tokens, for security reasons.
>>
>> I know with Google's JS API, they do a background refresh (iframe stuff).
>>
>> Go for it.
>>
>> On May 15, 2014, at 12:08 PM, Corinne Krych <corinnekrych at gmail.com> wrote:
>>
>>> So seamless token refreshing, but a declarative initial token request. Right?
>>> #agreed seamless refresh
>>> declarative authz request and revoke request.
>>> If we all agree (JS included) I’ll create an iOS JIRA ticket and go for it.
>>>
>>> JS folks, wdyt?
>>>
>>> ++
>>> Corinne
>>> On 15 May 2014, at 17:44, Summers Pittman <supittma at redhat.com> wrote:
>>>
>>>> I don't like it because it moves the concerns of bad accounts, account creation, authorization lifecycle error handling into the failure method of the pipe callback. Those concerns don't belong there.
>>>>
>>>> However, I am fine with the module refreshing the access token if a refresh token is provided. If an error happens, then that is something more "in line" with reasonable expectations for an authorized request.
>>>>
>>>>
>>>> On Thu 15 May 2014 03:56:28 AM EDT, Corinne Krych wrote:
>>>>> Hello folks
>>>>>
>>>>> I’ve been thinking about providing a more fluid integration between authz and pipes.
>>>>>
>>>>> Right now, to read a list of GoogleDrive documents, we need to read the pipe in the success callback of authz’s requestAccess:
>>>>>
>>>>> AGAuthorizer* authorizer = [AGAuthorizer authorizer];
>>>>> _restAuthzModule = [authorizer authz:^(id<AGAuthzConfig> config) {
>>>>>     ...
>>>>> }];
>>>>>
>>>>> [_restAuthzModule requestAccessSuccess:^(id object) {
>>>>>     // only once the access token is available do we build and read the pipe
>>>>>     id<AGPipe> documents = [googleDocuments pipe:^(id<AGPipeConfig> config) {
>>>>>         [config setName:@"files"];
>>>>>         [config setAuthzModule:_restAuthzModule]; // inject authz
>>>>>     }];
>>>>>
>>>>>     [documents read:^(id responseObject) {
>>>>>         // do sth with response
>>>>>     } failure:^(NSError *error) {
>>>>>         // when an error occurs...
>>>>>     }];
>>>>> } failure:^(NSError *error) {
>>>>>     NSLog(@"Failure in getting access token");
>>>>> }];
>>>>>
>>>>> What if we just initialize the authz module and inject it into the pipe? Once the pipe is read (or any CRUD operation is performed), it will be the pipe that first fetches tokens (or renews them, whatever is needed) and, on success, reads the pipe. Basically, we do the callback chaining internally in the Pipe instead of letting the developer deal with it.
>>>>>
>>>>> AGAuthorizer* authorizer = [AGAuthorizer authorizer];
>>>>> _restAuthzModule = [authorizer authz:^(id<AGAuthzConfig> config) {
>>>>>     ...
>>>>> }];
>>>>>
>>>>> id<AGPipe> documents = [googleDocuments pipe:^(id<AGPipeConfig> config) {
>>>>>     [config setName:@"files"];
>>>>>     [config setAuthzModule:_restAuthzModule]; // inject authz; the pipe fetches/renews the token itself
>>>>> }];
>>>>>
>>>>> [documents read:^(id responseObject) {
>>>>>     // do sth with response
>>>>> } failure:^(NSError *error) {
>>>>>     // when an error occurs...
>>>>> }];
>>>>>
>>>>> It feels much more fluid for the user.
>>>>> Doing so, we “force” the app flow to ask for a token when it needs it, not in advance at app startup, but I think it is good practice to lazily authz your app.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Test repo can be found here:
>>>>> https://github.com/corinnekrych/aerogear-ios/blob/transparent.refresh/AeroGear-iOS/pipeline/AGRESTPipe.m#L169
>>>>> https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-145.refresh/GoogleDrive/GoogleDrive/AGViewController.m
>>>>>
>>>>> ++
>>>>> Corinne
>>>>> _______________________________________________
>>>>> aerogear-dev mailing list
>>>>> aerogear-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>> --
>>>> Summers Pittman
>>>> Phone:404 941 4698
>>>> Java is my crack.
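As an added illustration of the flow discussed in this thread, and not AeroGear code: a JavaScript sketch of a pipe that obtains or refreshes its token internally before each read, refreshing only when the grant issued a refresh token. The authorization server and transport are constructed fakes, and every function and field name is hypothetical.

```javascript
// Added example, not AeroGear code; all names are hypothetical. Fake authorization server:
// the authorization code grant issues a refresh token, the implicit grant does not
// (RFC 6749 sections 4.1 and 4.2); access tokens live one hour, as with Google.
function makeFakeAuthzServer() {
  let n = 0;
  const issue = (refreshToken) => ({ accessToken: 'at' + (n += 1), expiresIn: 3600, refreshToken });
  return {
    authorize: (grant) => issue(grant === 'authz_code' ? 'rt' + (n + 1) : null),
    refresh: (refreshToken) => {
      if (!/^rt\d+$/.test(refreshToken)) throw new Error('invalid_grant');
      return issue(refreshToken);
    },
  };
}

// Authz module: caches the token and reports how the current one was obtained.
function makeAuthzModule(server, grant) {
  const s = { accessToken: null, refreshToken: null, expiresAt: 0 };
  return {
    ensureAccess(now) {
      if (s.accessToken && now < s.expiresAt) return { token: s.accessToken, via: 'cached' };
      const canRefresh = Boolean(s.refreshToken); // only when the grant issued one
      const t = canRefresh ? server.refresh(s.refreshToken) : server.authorize(grant);
      Object.assign(s, { accessToken: t.accessToken, refreshToken: t.refreshToken, expiresAt: now + t.expiresIn * 1000 });
      return { token: s.accessToken, via: canRefresh ? 'refreshed' : 'requested' };
    },
  };
}

// Pipe: chains ensureAccess before the read; authz and read failures carry a distinct stage.
function makePipe(authzModule, transport) {
  return {
    read(now, success, failure) {
      let access;
      try { access = authzModule.ensureAccess(now); }
      catch (error) { return failure({ stage: 'authz', error }); }
      try { success(transport.get({ Authorization: 'Bearer ' + access.token }), access.via); }
      catch (error) { failure({ stage: 'read', error }); }
    },
  };
}

// Three reads (fresh, within the hour, after expiry); returns how each token was obtained.
function tokenFlow(grant) {
  const transport = { get: (h) => ({ files: ['a.txt'], auth: h.Authorization }) }; // constructed
  const pipe = makePipe(makeAuthzModule(makeFakeAuthzServer(), grant), transport);
  const seen = [];
  for (const now of [0, 1000, 3600 * 1000 + 1]) {
    pipe.read(now, (resp, via) => seen.push(via), (err) => seen.push('failed:' + err.stage));
  }
  return seen;
}
```

With the implicit grant the third read has to go back to the authorization server, which is the hourly re-authorization the thread describes for the JS demo.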