http://wiki.overbyte.eu/wiki/index.php?title=FAQ_Using_TRestOAuth&feed=atom&action=historyFAQ Using TRestOAuth - Revision history2024-03-29T13:05:33ZRevision history for this page on the wikiMediaWiki 1.34.0http://wiki.overbyte.eu/wiki/index.php?title=FAQ_Using_TRestOAuth&diff=3550&oldid=prevMagsys at 12:33, 11 November 20192019-11-11T12:33:05Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 12:33, 11 November 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l27" >Line 27:</td>
<td colspan="2" class="diff-lineno">Line 27:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Bearer' header.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Bearer' header.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Access Tokens have a limited life and usually expire within <del class="diffchange diffchange-inline">three </del>to 24 hours.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Access Tokens have a limited life and usually expire within <ins class="diffchange diffchange-inline">one </ins>to 24 hours.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>To avoid user interaction, the token exchange process <del class="diffchange diffchange-inline">sometimes </del>offers a Refresh</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>To avoid user interaction, the token exchange process <ins class="diffchange diffchange-inline">usually </ins>offers a Refresh</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Token <del class="diffchange diffchange-inline">with the same expiry, but </del>which can be used to get another Access Token,</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Token which can be used to get another Access Token, and this is automatically</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>and this is automatically handled by TRestOAuth, <del class="diffchange diffchange-inline">while </del>it <del class="diffchange diffchange-inline">still runs</del>.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>handled by TRestOAuth, <ins class="diffchange diffchange-inline">by refreshing the Access Token before </ins>it <ins class="diffchange diffchange-inline">expires, allowing</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">your application to keep running. Store the Refresh Token securely, since it's</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">a potential security risk</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">So </del>the <del class="diffchange diffchange-inline">trick for native applications is to keep refreshing </del>the Access Token <del class="diffchange diffchange-inline">before</del></div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">Sometimes </ins>the <ins class="diffchange diffchange-inline">Refresh Token has the same life as </ins>the Access Token<ins class="diffchange diffchange-inline">, with Google</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">it expires</del>, <del class="diffchange diffchange-inline">allowing your application </del>to <del class="diffchange diffchange-inline">keep running</del>. <del class="diffchange diffchange-inline">Store </del>the Refresh Token</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">Accounts the Refresh Token remains valid for a few months until the account is</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">securely</del>, <del class="diffchange diffchange-inline">since it's a potential security risk</del>.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">disabled or changed</ins>, <ins class="diffchange diffchange-inline">avoiding needing </ins>to <ins class="diffchange diffchange-inline">login again or refresh within the expiry</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">period</ins>. <ins class="diffchange diffchange-inline">Beware with Google </ins>the Refresh Token <ins class="diffchange diffchange-inline">is only returned once after initial</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">login</ins>, <ins class="diffchange diffchange-inline">not after each refresh. Google may also need to approve applications</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">offering OAuth2, and may show consent warnings during the login process to get</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">an Authorization Code until this is done.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">https://developers.google</ins>.<ins class="diffchange diffchange-inline">com/identity/protocols/OAuth2</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Setting up OAuth is complex and requires a lot more information than just a site</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Setting up OAuth is complex and requires a lot more information than just a site</div></td></tr>
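<tr><td colspan="4">Review bot: the rewritten Refresh Token passage at the end of the hunk runs two opposite cases together with a comma ("Sometimes the Refresh Token has the same life as the Access Token, with Google Accounts the Refresh Token remains valid for a few months"); split it into two sentences, and state the consequence that the new "is only returned once after initial login, not after each refresh" line leaves implicit: if the stored Refresh Token is lost, a fresh browser login is the only way to obtain another one, which is also why the "Store the Refresh Token securely" sentence belongs next to it.</td></tr>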
</table>Magsyshttp://wiki.overbyte.eu/wiki/index.php?title=FAQ_Using_TRestOAuth&diff=3452&oldid=prevMagsys: Created page with "The TRestOAuth component is for handling 0Auth authorization to web apps, by several means. Beware OAuth is really a concept with differing implementations, so that implement..."2018-11-15T17:14:14Z<p>Created page with "The TRestOAuth component is for handling 0Auth authorization to web apps, by several means. Beware OAuth is really a concept with differing implementations, so that implement..."</p>
<p><b>New page</b></p><div>The TRestOAuth component is for handling OAuth authorization to web apps, by several means. Beware<br />
that OAuth is really a concept with differing implementations, so that implementing it<br />
may not always be straightforward. OAuth1 and 1A were originally developed for<br />
Twitter and use cryptography; OAuth2 is a simpler and easier to implement version,<br />
now widely used by most cloud services, without any cryptography (other than SSL).<br />
<br />
The conceptual issue about OAuth is that applications should not know any login<br />
details. The login needs to be entered through a browser, which then redirects to<br />
a fixed URL that includes an Authorization Code; the code is subsequently exchanged<br />
for an Access Token that can be used by the REST client. This is really all designed<br />
for interactive applications, on mobile platforms in particular.<br />
<br />
Originally it was considered allowable for native applications to display an<br />
embedded browser window in the application to capture the Authorization Code<br />
during the redirect. But that potentially means the application can also capture the<br />
login details, so it is no longer best practice (see RFC 8252), and some providers<br />
will block the embedded window.<br />
<br />
The preferred authorization method is for the native application to launch the<br />
standard browser and have it redirect to localhost, where a small web server runs to<br />
capture the Authorization Code. That is how TRestOAuth works, transparently<br />
to the user, capturing the Authorization Code and using it for a token grant to<br />
get an Access Token. Note that Authorization Codes expire within a few minutes, and<br />
as soon as they have been exchanged for a token.<br />
<br />
The Access Token is then sent with all HTTPS REST requests as an 'Authorization:<br />
Bearer' header.<br />
<br />
Access Tokens have a limited life and usually expire within three to 24 hours.<br />
To avoid user interaction, the token exchange process sometimes also returns a Refresh<br />
Token with the same expiry, which can be used to get another Access Token;<br />
TRestOAuth handles this automatically while it is still running.<br />
<br />
So the trick for native applications is to keep refreshing the Access Token before<br />
it expires, allowing your application to keep running. Store the Refresh Token<br />
securely, since it is a potential security risk.<br />
<br />
Setting up OAuth is complex and requires a lot more information than just a site<br />
user name and password. You normally need to access the desired site and create<br />
an app or client (terminology varies); this will always involve creating a client<br />
ID and client secret, and a redirect URL, which will be the local web server. The<br />
default redirect used by TRestOAuth is http://localhost:8080/. There are also<br />
two API URLs: one for the authorization endpoint (displayed in the browser) and<br />
then the token exchange endpoint for REST requests. Some sites may provide their OAuth2<br />
details as JSON at the URL (host)/.well-known/openid-configuration, e.g.<br />
https://accounts.google.com/.well-known/openid-configuration . Finally, OAuth<br />
may require the token Scope to be specified: its purpose or access rights,<br />
depending on the server.<br />
<br />
Note that in addition to granting tokens using an Authorization Code from a<br />
browser login, some OAuth implementations may support grants for client<br />
credentials alone (ID and secret, without a login), or directly for a login and<br />
password (plus client ID and secret), which is by far the easiest to use but not<br />
often available. Both are supported by TRestOAuth.</div>Magsys
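<p>The mechanics the page describes (endpoint discovery from the well-known document, launching the browser with an authorization URL, the small localhost web server that captures the Authorization Code, the token exchange bodies for the authorization-code, client-credentials and password grants, and refreshing the Access Token before it expires) are easier to follow in code. The following is an added example written in Python for this FAQ; it is not ICS or TRestOAuth code. The endpoint URLs, client id and secret, scope and token values are constructed placeholders, the discovery document is a constructed sample using the standard key names, and the <code>state</code> check on the redirect is an assumed mitigation that the page itself does not mention.</p>

```python
"""Added example (not ICS/TRestOAuth code): OAuth2 authorization-code flow mechanics
with a localhost redirect listener, the three grant request bodies, and token refresh.
All endpoints, credentials and token values below are constructed placeholders."""
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# 1. Endpoint discovery: providers may publish (host)/.well-known/openid-configuration.
#    Constructed sample document; the key names are the standard ones.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/o/authorize",
    "token_endpoint": "https://idp.example/o/token",
})

def endpoints_from_discovery(text):
    """Return (authorization_endpoint, token_endpoint) from an openid-configuration body."""
    doc = json.loads(text)
    return doc["authorization_endpoint"], doc["token_endpoint"]

# 2. Browser step: the URL the standard browser is launched with.
def authorization_url(auth_endpoint, client_id, redirect_uri, scope, state):
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return auth_endpoint + "?" + urlencode(query)

# 3. The small local web server that receives the single redirect and stores the code.
#    The `state` comparison is an assumed mitigation (not on the page): it ensures the
#    code arriving on localhost belongs to the login this process started.
class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        code = params.get("code", [""])[0]
        state = params.get("state", [""])[0]
        if code and secrets.compare_digest(state, self.server.expected_state):
            self.server.result = {"code": code}
            status, body = 200, b"Authorization received; you can close this window."
        else:
            self.server.result = {"error": params.get("error", ["state_mismatch"])[0]}
            status, body = 400, b"Authorization failed."
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def make_listener(expected_state, host="127.0.0.1", port=8080):
    """Create the redirect server; call srv.handle_request() once to wait for the browser."""
    srv = HTTPServer((host, port), RedirectHandler)
    srv.expected_state = expected_state   # attributes read by RedirectHandler
    srv.result = None
    return srv

# 4. Token endpoint request bodies for the grants the page lists: extra fields are
#    code+redirect_uri, refresh_token, or username+password (client credentials needs none).
def token_request(grant, client_id, client_secret, **fields):
    body = {"grant_type": grant, "client_id": client_id, "client_secret": client_secret}
    body.update(fields)
    return body

# 5. Token lifecycle: bearer header for REST requests, refresh a margin before expiry,
#    and keep the previous Refresh Token when a refresh response omits it (Google does).
class TokenSet:
    def __init__(self, access_token, refresh_token, expires_in, now):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = now + expires_in   # seconds since the epoch

    def bearer_header(self):
        return {"Authorization": "Bearer " + self.access_token}

    def needs_refresh(self, now, margin=300):
        return now >= self.expires_at - margin

def apply_token_response(resp_json, now, previous=None):
    refresh = resp_json.get("refresh_token") or (previous.refresh_token if previous else None)
    return TokenSet(resp_json["access_token"], refresh, int(resp_json.get("expires_in", 3600)), now)

if __name__ == "__main__":
    auth_ep, token_ep = endpoints_from_discovery(DISCOVERY_JSON)
    state = secrets.token_urlsafe(16)
    print("open in browser:", authorization_url(auth_ep, "client-id-placeholder",
                                                "http://localhost:8080/", "openid email", state))
    srv = make_listener(state)
    srv.handle_request()   # blocks until the browser is redirected to http://localhost:8080/
    print("redirect result:", srv.result)
    if srv.result and "code" in srv.result:
        print("token request body:", token_request("authorization_code", "client-id-placeholder",
              "client-secret-placeholder", code=srv.result["code"], redirect_uri="http://localhost:8080/"))
```

<p>Run stand-alone, the script prints the authorization URL, serves exactly one request on port 8080 (the TRestOAuth default redirect) and prints the body that would be POSTed to the token endpoint; the actual HTTPS POSTs are left out so the example runs offline. <code>apply_token_response</code> is called once with the first token response and again after each refresh, and <code>needs_refresh</code> is what a background timer would poll so the Access Token is renewed before it expires rather than after a request fails.</p>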