#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson


1 Consuming OAuth Services in Alfresco Share
Alfresco Summit 2013
Will Abson / @wabson

2 My Role at Alfresco
- At Alfresco since 2005
- Started Share Extras project 2010
- Joined Integrations Team 2012

3 Integrations Matter
Source: http://www.flickr.com/photos/ross/3055802287/

4 Back in the Day
- Integrations were PAINFUL
- Long, iterative dev cycles
- Transport protocols were XML-based (WSDL, SOAP, etc.) or language-specific (e.g. RMI)
- How to authenticate?

5 The Situation Today
- REST + JSON = Happy Developers?
- Scriptable APIs
- Powerful client capabilities

6 What About Identity?
- Sharing usernames and passwords is BAD
  - Details may be compromised
  - Passwords may be changed
  - Passwords not always secure
- Using tokens allows users to delegate authorization to external applications
  - Tokens may be revoked by the user and may expire... But will not change
  - Long alphanumeric values normally used

7 Enter OAuth
"An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications." - oauth.net

8 OAuth
- Two variants
  - OAuth 1.0(a)
  - OAuth 2.0
- Really completely different standards
- OAuth 2.0 has been controversial
- Application requests access to protected resource
- User authenticates and approves application
- Access token is returned to client

9 OAuth 1.0a Flow

10 OAuth 2.0 Flow

11 Comparing The Two
OAuth 1.0
- Grant Token must be obtained up-front
- User tokens consist of access token and secret token (for signing)
- Every request must be signed as prescribed by SP
- Access Tokens normally long-lived but cannot be renewed
OAuth 2.0
- No Grant Tokens
- Users provided with access token only, no secret token
- No Signing of requests, relies on SSL
- Access Tokens are short-lived but Refresh Tokens can be used to renew them

12 The Dream
[Diagram labels: Your Code; API; Dashlets, Admin Console, Doclib Actions, etc.; Twitter, Salesforce, Flickr, etc.]

13 Introducing Share OAuth
- Goal: To make RESTful, OAuth-protected APIs natively and easily accessible through client-side JavaScript in Alfresco Share
- Just like we can easily access the Alfresco repository
- For OAuth 1.0 and 2.0 services

14 Challenges
- How should developers declare endpoints, client IDs and secrets?
- Dealing with the “OAuth Dance”
- Where to persist access tokens?
- How do we sign requests?
- How do we keep this secure?

15 Share Proxy
[Diagram labels: Client-side; Proxy; Repo API; someco.com; otherco.com]
Proxy gets around cross-domain restrictions, handles authentication, etc.

16 Connectors and Endpoints
- Endpoints give the location of remote resources
- Connectors are used to fetch those resources
- Each endpoint must identify a single connector to use
- Connectors may use a named Authenticator, which in turn may use a Credentials Store
[Diagram labels: Connector; AuthenticatingConnector; Endpoint; Credentials Store]

17 File spring-webscripts-config.xml

18 Introducing Share OAuth
- Goal: To make RESTful, OAuth-protected APIs natively and easily accessible through client-side JavaScript in Alfresco Share
- Just like we can easily access the Alfresco repository
- For OAuth 1.0 and 2.0 services

19 Initial Impl - OAuth 1.0 Connector
[Diagram labels: MyDashlet; Extras.OAuthHelper; Return Web Script; Custom Model; Token Web Scripts; Service Provider; HttpOAuthConnector]

20 Repository Tier
Custom Model
- Defines a single aspect with a d:content property
- Aspect is added to the cm:person object, containing serialized JSON data
- Data contains OAuth token, secret and other optional values
Token Web Scripts
- Get and set OAuth data on the person object
[Diagram labels: MyDashlet; Extras.OAuthHelper; Return Web Script; Custom Model; Token Web Scripts; HttpOAuthConnector]

21 Web Tier
Return Web Script
- Provider redirects the user back here with a verification code
- Responsible for calling out to provider to exchange verification code for token
- Stores access token and secret using token web scripts
- Redirects user to their original page
[Diagram labels: MyDashlet; Extras.OAuthHelper; Return Web Script; Custom Model; Token Web Scripts; HttpOAuthConnector]

22 Web Tier
HttpOAuthConnector
- Receives requests bound for the service provider, which have been sent via the Share endpoint proxy
- Access token and secret must be added by the browser via a custom header
- Secret is used to sign the request but is NOT sent to provider
- Response is streamed back to the client
[Diagram labels: MyDashlet; Extras.OAuthHelper; Return Web Script; Custom Model; Token Web Scripts; HttpOAuthConnector]
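
The signing step described on the HttpOAuthConnector slide, and the OAuth 1.0 "every request must be signed" point from the comparison slide, as an added example that is not code from Share OAuth or the presentation: HMAC-SHA1 signing per RFC 5849 in Node.js, where the token secret only keys the HMAC and never appears in the Authorization header. The function names, credentials, nonce and api.example.com URL are constructed for illustration.

```javascript
// Added example: OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), Node.js.
const crypto = require('crypto');

// RFC 3986 percent-encoding as RFC 5849 section 3.6 requires.
const pct = s => encodeURIComponent(s).replace(/[!'()*]/g,
  c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & encoded base URL & encoded sorted parameters.
// Assumes `url` carries no query string; query parameters are passed in `params`.
function baseString(method, url, params) {
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(String(v))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pct(url), pct(normalized)].join('&');
}

// The HMAC key is "consumerSecret&tokenSecret"; it is used locally and never sent.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${pct(consumerSecret)}&${pct(tokenSecret)}`;
  return crypto.createHmac('sha1', key)
    .update(baseString(method, url, params))
    .digest('base64');
}

// Authorization header the connector would forward to the service provider.
function authorizationHeader(method, url, query, creds, nonce, timestamp) {
  const oauth = {
    oauth_consumer_key: creds.consumerKey,
    oauth_token: creds.token,
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: String(timestamp),
    oauth_nonce: nonce,
    oauth_version: '1.0',
  };
  oauth.oauth_signature = sign(method, url, { ...query, ...oauth },
    creds.consumerSecret, creds.tokenSecret);
  return 'OAuth ' + Object.keys(oauth)
    .map(k => `${pct(k)}="${pct(oauth[k])}"`).join(', ');
}

// Constructed sample values (not real credentials or a real endpoint).
const SAMPLE = { consumerKey: 'share-client', consumerSecret: 'c0nsumer-s3cret',
  token: 'user-access-token', tokenSecret: 't0ken-s3cret' };
const SAMPLE_URL = 'https://api.example.com/1/items';
const header = authorizationHeader('GET', SAMPLE_URL, { count: '5' },
  SAMPLE, 'n0nce123', 1383000000);
console.log(header);
```

A provider that holds the same two secrets recomputes the signature over the received request; a request altered in transit, or signed with a different token secret, fails that comparison.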

23 Connect Flow
- Return Web Script reads the verifier token, exchanges for access token, stores access token using Token Web Scripts and redirects user to the original page
- User authorizes application and Provider redirects to Return Web Script
- Redirect user to Provider Authorization screen for approval
- Request grant code from Provider

24 Dashlet Request Flow
- If API request successful, display the data
- If unauthorized, display Connect action
- If token found, make API request via custom Connector
- If no token found, display Connect action
- Fetch token from Token Web Scripts

25 Initial Impl - OAuth 1.0 Connector
[Diagram labels: MyDashlet; Extras.OAuthHelper; Return Web Script; Custom Model; Token Web Scripts; Service Provider; HttpOAuthConnector]

26 New Impl - OAuth 2.0 Connector
[Diagram labels: MyDashlet; Return Web Script; Credentials Store Web Scripts; Service Provider; Credentials Store; HttpOAuth2Connector]

27 Repository Tier
OAuth Credentials Store Web Scripts
- Use the dedicated credentials service (new in Alfresco 4.1) to store tokens on behalf of the user
- No custom model needed, values are stored encrypted
[Diagram labels: MyDashlet; Return Web Script; Credentials Store Web Scripts; Credentials Store; HttpOAuth2Connector]

28 Web Tier
Credentials Store
- Responsible for loading tokens from the repository (using Credentials Store Web Scripts), storing in the user’s session context and saving new values
Return Web Script
- Uses the Credentials Store to save the access token data (no need to manually call repo web scripts)
[Diagram labels: MyDashlet; Return Web Script; Credentials Store Web Scripts; Credentials Store; HttpOAuth2Connector]

29 Implementing Integrations
- Using Share OAuth, we can plug in new integrations using web-tier code/config only
  - Endpoint/connector configuration
  - Web script and/or extensibility module files
  - Client-side code to make the outbound Ajax request and display data

30 Web Tier Configuration

31 Client-side

32 Dashlet Connect Flow
- Return Web Script reads the verifier token, exchanges for access token, stores access token using Token Web Scripts and redirects user to the original page
- User authorizes application and Provider redirects to Return Web Script
- Redirect user to Provider Authorization screen for approval

33 Dashlet Request Flow
- If API request successful, display the data
- If unauthorized, display Connect action
- Make API request via custom Connector

34 Example Implementations
- GitHub Dashlet
- Chatter Dashlet
- JavaScript Console

35 More Implementations
- Twitter Dashlets
- Flickr Dashlets
- LinkedIn Dashlet
- Yammer Dashlet

36 Future
- OAuth 1.0 Support via Credentials Store
- Requires Grant Token support via a custom web script
- Deprecate client-side Extras.OAuthHelper class
- Simplify Twitter, LinkedIn, Flickr and Yammer dashlets

37 More Information
http://sharextras.github.io/
