Presentation is loading. Please wait.

Presentation is loading. Please wait.

Consuming OAuth Services in Alfresco Share

Published byVanessa Leonard Modified over 6 years ago

Similar presentations

Presentation on theme: "Consuming OAuth Services in Alfresco Share"— Presentation transcript:

1 Consuming OAuth Services in Alfresco Share
Alfresco Summit 2013 Will Abson

2 My Role at Alfresco At Alfresco since 2005
Started Share Extras project 2010 Joined Integrations Team 2012

3 Integrations Matter Increasing complexity of IT landscape Rapid adoption of Cloud services Source:

4 Back in the Day Integrations were PAINFUL Long, iterative dev cycles
Transport protocols were XML-based (WSDL, SOAP, etc.) or language-specific (e.g. RMI) How to authenticate?

5 The Situation Today REST + JSON = Happy Developers? Scriptable APIs
Powerful client capabilities

6 What About Identity? Sharing usernames and passwords is BAD
Details may be compromised Passwords may be changed Passwords not always secure Using tokens allows users to delegate authorization to external applications Tokens may be revoked by the user and may expire... But will not change Long alphanumeric values normally used

7 Enter OAuth An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. - oauth.net

8 OAuth Two variants OAuth 1.0(a) OAuth 2.0
Really completely different standards OAuth 2.0 has been controversial

9 OAuth 1.0a Flow

10 OAuth 2.0 Flow

11 Comparing The Two OAuth 1.0 Grant Token must be obtained up-front User tokens consist of access token and secret token (for signing) Every request must be signed as prescribed by SP Access Tokens normally long-lived but cannot be renewed OAuth 2.0 No Grant Tokens Users provided with access token only, no secret token No Signing of requests, relies on SSL Access Tokens are short- lived but Refresh Tokens can be used to renew them

12 Your Code API The Dream Dashlets Admin Console Doclib Actions etc.
Twitter Salesforce Flickr etc.

13 Introducing Share OAuth
Goal: To make RESTful, OAuth-protected APIs natively and easily accessible through client-side JavaScript in Alfresco Share Just like we can easily access the Alfresco repository For OAuth 1.0 and 2.0 services

14 Challenges How should developers declare endpoints, client IDs and secrets? Dealing with the “OAuth Dance” Where to persist access tokens? How do we sign requests? How do we keep this secure?

15 Surf Concepts Endpoints give the location of remote resources
Connectors are used to fetch those resources Each endpoint must identify a single connector to use Connectors may use a named Authenticator, which in turn may use a Credentials Store

16 Surf Concepts Illustrated
AuthenticatingConnector Credentials Store Endpoint Connector

17 File spring-webscripts-config.xml

18 Introducing Share OAuth
Goal: To make RESTful, OAuth-protected APIs natively and easily accessible through client-side JavaScript in Alfresco Share Just like we can easily access the Alfresco repository For OAuth 1.0 and 2.0 services

19 Initial Impl - OAuth 1.0 Connector
MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts Service Provider HttpOAuthConnector

20 Initial Impl - OAuth 1.0 Connector
MyDashlet Extras.OAuthHelper Return Web Script Custom Model Token Web Scripts Service Provider HttpOAuthConnector

21 Repository Tier Custom Model
Defines a single aspect with a d:content property Aspect is added to the cm:person object, containing serialized JSON data Data contains OAuth token, secret and other optional values Token Web Scripts Get and set OAuth data on the person object

22 Web Tier Return Web Script
Provider redirects the user back here with a verification code Responsible for calling out to provider to exchange verification code for token Stores access token and secret using token web scripts Redirects user to their original page

23 Web Tier HttpOAuthConnector
Receives requests bound for the service provider, which have been sent via the Share endpoint proxy Access token and secret must be added by the browser via a custom header Secret is used to sign the request but is NOT sent to provider Response is streamed back to the client

24 Dashlet Request Flow Fetch token from Token Web Scripts
If API request successful, display the data If unauthorized, display Connect action If token found, make API request via custom Connector If no token found, display Connect action Fetch token from Token Web Scripts

25 New Impl - OAuth 2.0 Connector
MyDashlet Return Web Script Credentials Store Web Scripts Service Provider Credentials Store HttpOAuth2Connector

26 Repository Tier OAuth Credentials Store Web Scripts
Use the dedicated credentials service (new in Alfresco 4.1) to store tokens on behalf of the user No custom model needed, values are stored encrypted

27 Web Tier Credentials Store
Responsible for loading tokens from the repository (using Credentials Store Web Scripts), storing in the user’s session context and saving new values Return Web Script Uses the Credentials Store to save the access token data (no need to manually call repo web scripts)

28 Dashlet Request Flow Make API request via custom Connector
If API request successful, display the data If unauthorized, display Connect action Make API request via custom Connector

29 Example Implementations
GitHub Dashlet Chatter Dashlet JavaScript Console

30

31

32

33 More Implementations Twitter Dashlets Flickr Dashlets LinkedIn Dashlet
Yammer Dashlet

34 Future OAuth 1.0 Support via Credentials Store
Requires Grant Token support via a custom web script Deprecate client-side Extras.OAuthHelper class Simplify Twitter, LinkedIn, Flickr and Yammer dashlets

35 More Information

36

Download ppt "Consuming OAuth Services in Alfresco Share"

Similar presentations

Different Approaches to Single-Sign-On Jeff Kahn, Verbena Consulting.

Different Approaches to Single-Sign-On Jeff Kahn, Verbena Consulting.
Overview of Twitter API Nathan Liu. Twitter API Essentials Twitter API is a Representational State Transfer(REST) style web services exposed over HTTP(S).

Overview of Twitter API Nathan Liu. Twitter API Essentials Twitter API is a Representational State Transfer(REST) style web services exposed over HTTP(S).
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages Browser Native app Server.

Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages Browser Native app Server.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.
SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.

SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
Access Gateway Operation

Access Gateway Operation
Lecture 15 Introduction to Web Services Web Service Applications.

Lecture 15 Introduction to Web Services Web Service Applications.
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

Similar presentations

Ads by Google