Hi Silvano, Thanks for sharing your work. Is it already complete or work in progress?
OAuth2 is tricky, as it (the spec and general implementation) leaves out room for a token assertion/validation mechanism and for communication between the resource server and the auth server, and it's dependent on the authorizing server, so the way Facebook, Google, GitHub and your private org would do it, for example, is slightly different. I also think OAuth2 does not do authentication but only authorization (authentication and authorization are different), which makes things like tracking deletion/change of a user difficult.

I would recommend you add a spec/design document on cwiki.a.o. I think if an admin has to add a user before OAuth works, it sort of kills the purpose of OAuth2. So I want to discuss how you would support creation of users (account, domain, role etc.), handle deletions/changes, logout etc.

I was going to post a proposal today as well on supporting alternative auth mechanisms, perhaps refactoring/creating an auth framework for CloudStack. JFYI, I'm researching around SAML2 support for ACS and have a document: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin Will share more details in another thread later today.

Regards.

Silvano Nogueira Buback wrote:
Hi guys,

I need to implement OAuth2 integration to provide single sign-on with other tools in my company. I can share this implementation with the community if you are interested. I suggest these changes in code:

1. Create a new javascript called oauth2.js. This javascript is responsible for calling the new command called oauthRequestUrl, which reads the global option "oauth2.baseurl" and returns this url plus "/authorize" with oauth2 parameters. After receiving the answer, the javascript redirects the user to the oauth2 server.

2. Once the user is authorized by the oauth2 server, the javascript code reads the parameters in the url and calls the oauthAuthorizeToken command. This command asks the oauth2 server for the access token and, if everything is ok, calls "oauth2.credentials.url" for the user email, finds this user in the database, like the ldap implementation does, and returns authentication data.

3. Javascript fills g_loginResponse with the answer from the command and the user is logged in.

What do you think about this approach?

---- More details ----

Alternative flows:
* When the url has the parameter direct=true, the login dialog is shown.
* When oauth2.baseurl, oauth2.client.id and oauth2.client.secret are not set (default), oauthRequestUrl returns an empty response and OAuth2 authentication is turned off.
* If the authorization token is invalid, the user is redirected again to the oauth2 server.

Commands:
* oauthRequestUrl
* oauthAuthorizeToken

Global Options:
* oauth2.baseurl
* oauth2.client.id
* oauth2.client.secret
* oauth2.credentials.url: defaults to "/oauth2/v2/userinfo"
* oauth2.credentials.parameter.email (defaults to "email")
* oauth2.domainid

Restrictions:
* Domain Id will be a global option.
* Users are always redirected to the oauth2 server. Access tokens are not stored.
* Before using CloudStack, the administrator must insert the user in an account.
-- 
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.ya...@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab