Hi guys, I need to implement OAuth2 integration to provide single sign-on with other tools in my company. I can share this implementation with the community if you are interested. I suggest these changes in code:

1. Create a new JavaScript file called oauth2.js. This JavaScript is responsible for calling the new command called oauthRequestUrl, which reads the global option "oauth2.baseurl" and returns this URL plus "/authorize" with OAuth2 parameters. After receiving the answer, the JavaScript redirects the user to the OAuth2 server.
2. Once the user is authorized by the OAuth2 server, the JavaScript code reads the parameters in the URL and calls the oauthAuthorizeToken command. This command asks the OAuth2 server for the access token and, if everything is OK, calls "oauth2.credentials.url" for the user email, finds this user in the database, like the LDAP implementation does, and returns the authentication data.
3. The JavaScript fills g_loginResponse with the answer from the command and the user is logged in.

What do you think about this approach?

---- More details ----

Alternative flows:
* When the URL has the parameter direct=true, the login dialog is shown.
* When oauth2.baseurl, oauth2.client.id and oauth2.client.secret are not set (default), oauthRequestUrl returns an empty response and OAuth2 authentication is turned off.
* If the authorization token is invalid, the user is redirected again to the OAuth2 server.

Commands:
* oauthRequestUrl
* oauthAuthorizeToken

Global Options:
* oauth2.baseurl
* oauth2.client.id
* oauth2.client.secret
* oauth2.credentials.url (defaults to "/oauth2/v2/userinfo")
* oauth2.credentials.parameter.email (defaults to "email")
* oauth2.domainid

Restrictions:
* Domain Id will be a global option.
* Users are always redirected to the OAuth2 server. Access tokens are not stored.
* Before using CloudStack, the administrator must insert the user in an account.
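An added example, not code from this proposal or from CloudStack, showing the client-side decision logic of the proposed oauth2.js (steps 1 to 3 and the three alternative flows) as pure functions that run without a browser. The command names are the proposed ones; the response shapes, the `api(command, params)` callback standing in for the UI's API wrapper, and the `state` value (a per-session random string the proposal does not mention, used to tie the callback to the request that started it) are assumptions.

```javascript
// Parse the query string of the page URL into a plain object.
function parseQuery(search) {
  const params = {};
  for (const part of search.replace(/^\?/, "").split("&")) {
    if (!part) continue;
    const i = part.indexOf("=");
    const k = i < 0 ? part : part.slice(0, i);
    const v = i < 0 ? "" : part.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return params;
}

// Returns the action oauth2.js should take for the current page URL.
// Assumed (hypothetical) responses: oauthRequestUrl -> "" when OAuth2 is
// turned off, otherwise { url }; oauthAuthorizeToken -> { loginresponse }
// on success, otherwise { errorcode }. `state` is the value saved in the
// browser session before the redirect (assumption, see lead-in).
function oauthFlow(search, api, state) {
  const q = parseQuery(search);
  // Alternative flow: direct=true shows the normal login dialog.
  if (q.direct === "true") return { action: "showLoginDialog" };
  if (q.code === undefined) {
    // Step 1: ask the backend for the authorize URL and redirect to it.
    const resp = api("oauthRequestUrl", {});
    // Alternative flow: empty response means OAuth2 is not configured.
    if (!resp || !resp.url) return { action: "showLoginDialog" };
    return { action: "redirect", url: resp.url + "&state=" + encodeURIComponent(state) };
  }
  // Step 2: back from the OAuth2 server with an authorization code.
  // A state that does not match the one we issued is not our request:
  // start over rather than exchanging a code we did not ask for.
  if (q.state !== state) return oauthFlow("", api, state);
  const resp = api("oauthAuthorizeToken", { code: q.code });
  // Alternative flow: invalid token -> redirect to the OAuth2 server again.
  if (!resp || !resp.loginresponse) return oauthFlow("", api, state);
  // Step 3: the caller stores this in g_loginResponse and logs the user in.
  return { action: "login", loginResponse: resp.loginresponse };
}
```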