#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson

#SummitNow My Role at Alfresco At Alfresco since 2005 Started Share Extras project 2010 Joined Integrations Team 2012

#SummitNow Integrations Matter Source:

#SummitNow Back in the Day Integrations were PAINFUL Long, iterative dev cycles Transport protocols were XML-based (WSDL, SOAP, etc.) or language-specific (e.g. RMI) How to authenticate?

#SummitNow The Situation Today REST + JSON = Happy Developers? Scriptable APIs Powerful client capabilities

#SummitNow What About Identity? Sharing usernames and passwords is BAD Details may be compromised Passwords may be changed Passwords not always secure Using tokens allows users to delegate authorization to external applications Tokens may be revoked by the user and may expire... But will not change Long alphanumeric values normally used

#SummitNow Enter OAuth An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. - oauth.netoauth.net

#SummitNow OAuth Two variants OAuth 1.0(a) OAuth 2.0 Really completely different standards OAuth 2.0 has been controversial Application requests access to protected resource User authenticates and approves application Access token is returned to client

#SummitNow OAuth 1.0a Flow

#SummitNow OAuth 2.0 Flow

#SummitNow Comparing The Two OAuth 1.0 Grant Token must be obtained up-front User tokens consist of access token and secret token (for signing) Every request must be signed as prescribed by SP Access Tokens normally long-lived but cannot be renewed OAuth 2.0 No Grant Tokens Users provided with access token only, no secret token No Signing of requests, relies on SSL Access Tokens are short- lived but Refresh Tokens can be used to renew them

#SummitNow The Dream Your Code API Dashlets Admin Console Doclib Actions etc. Twitter Salesforce Flickr etc.

#SummitNow Introducing Share OAuth Goal: To make RESTful, OAuth-protected APIs natively and easily accessible through client-side JavaScript in Alfresco Share Just like we can easily access the Alfresco repository For OAuth 1.0 and 2.0 services

#SummitNow Challenges How should developers declare endpoints, client IDs and secrets? Dealing with the “OAuth Dance” Where to persist access tokens? How do we sign requests? How do we keep this secure?

#SummitNow Share Proxy Client-side Proxy Repo API someco.com otherco.com Proxy gets around cross-domain restrictions, handles authentication, etc.

#SummitNow Connectors and Endpoints Endpoints give the location of remote resources Connectors are used to fetch those resources Each endpoint must identify a single connector to use Connectors may use a named Authenticator, which in turn may use a Credentials Store Connector Authenticati ngConnecto r Endpoint Credentials Store

#SummitNow File spring-webscripts-config.xml

#SummitNow Introducing Share OAuth Goal: To make RESTful, OAuth-protected APIs natively and easily accessible through client-side JavaScript in Alfresco Share Just like we can easily access the Alfresco repository For OAuth 1.0 and 2.0 services

#SummitNow Initial Impl - OAuth 1.0 Connector MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts Service Provider HttpOAuthCo nnector

#SummitNow Repository Tier Custom Model Defines a single aspect with a d:content property Aspect is added to the cm:person object, containing serialized JSON data Data contains OAuth token, secret and other optional values Token Web Scripts Get and set OAuth data on the person object MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts HttpOAuthC onnector

#SummitNow Web Tier Return Web Script Provider redirects the user back here with a verification code Responsible for calling out to provider to exchange verification code for token Stores access token and secret using token web scripts Redirects user to their original page MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts HttpOAuthC onnector

#SummitNow Web Tier HttpOAuthConnector Receives requests bound for the service provider, which have been sent via the Share endpoint proxy Access token and secret must be added by the browser via a custom header Secret is used to sign the request but is NOT sent to provider Response is streamed back to the client MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts HttpOAuthC onnector

#SummitNow Connect Flow Return Web Script reads the verifier token, exchanges for access token, stores access token using Token Web Scripts and redirects user to the original page User authorizes application and Provider redirects to Return Web Script Redirect user to Provider Authorization screen for approval Request grant code from Provider

#SummitNow Dashlet Request Flow If API request successful, display the data If unauthorized, display Connect action If token found, make API request via custom Connector If no token found, display Connect action Fetch token from Token Web Scripts

#SummitNow Initial Impl - OAuth 1.0 Connector MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts Service Provider HttpOAuthCo nnector

#SummitNow New Impl - OAuth 2.0 Connector MyDashlet Return Web Script Credentials Store Web Scripts Service Provider Credentia ls Store HttpOAuth 2Connector

#SummitNow Repository Tier OAuth Credentials Store Web Scripts Use the dedicated credentials service (new in Alfresco 4.1) to store tokens on behalf of the user No custom model needed, values are stored encrypted MyDashlet Return Web Script Credential s Store Web Scripts Credent ials Store HttpOAu th2Conn ector

#SummitNow Web Tier Credentials Store Responsible for loading tokens from the repository (using Credentials Store Web Scripts), storing in the user’s session context and saving new values Return Web Script Uses the Credentials Store to save the access token data (no need to manually call repo web scripts) MyDashlet Return Web Script Credential s Store Web Scripts Credent ials Store HttpOAu th2Conn ector

#SummitNow Implementing Integrations Using Share OAuth, we can plug in new integrations using web-tier code/config only Endpoint/connector configuration Web script and/or extensibility module files Client-side code to make the outbound Ajax request and display data

#SummitNow Web Tier Configuration

#SummitNow Client-side

#SummitNow Dashlet Connect Flow Return Web Script reads the verifier token, exchanges for access token, stores access token using Token Web Scripts and redirects user to the original page User authorizes application and Provider redirects to Return Web Script Redirect user to Provider Authorization screen for approval

#SummitNow Dashlet Request Flow If API request successful, display the data If unauthorized, display Connect action Make API request via custom Connector

#SummitNow Example Implementations GitHub Dashlet Chatter Dashlet JavaScript Console

#SummitNow More Implementations Twitter Dashlets Flickr Dashlets LinkedIn Dashlet Yammer Dashlet

#SummitNow Future OAuth 1.0 Support via Credentials Store Requires Grant Token support via a custom web script Deprecate client-side Extras.OAuthHelper class Simplify Twitter, LinkedIn, Flickr and Yammer dashlets

#SummitNow More Information

#SummitNow