How to change the basic authentication to OAuth 2 authentication

Hi,

I created a Lyo test application with the OSLC Refimpl GitHub repository (refimpl/src/server-cm at master · oslc-op/refimpl · GitHub) as a base. I could run it locally, and when I tried to visit the Service Provider Catalog (http://localhost:8801/services/catalog/singleton), it popped up a login box asking me to log in. I checked the code and found that this is because the CredentialsFilter validates the request token or checks the Application Connector session, and then the sendUnauthorizedResponse method (refimpl/src/server-cm/src/main/java/co/oslc/refimpl/cm/gen/auth/AuthenticationApplication.java at master · oslc-op/refimpl · GitHub) in the AuthenticationApplication class triggers the login box.

I noticed this is a basic authentication, and the code

response.addHeader(WWW_AUTHENTICATE_HEADER, OAUTH_AUTHENTICATION_CHALLENGE);

seems to accept OAuth authentication, but it doesn't seem to work here.

I want to modify it to use OAuth2 login authentication. I have already set up an OAuth server; how should I do this here?

Should I redirect to the OAuth login page here? As far as I know, there will be an authorization process when a user logs in successfully; the key is that the authorization process cannot be done in the iframe.

Any thoughts?

Hi @leonli

So, indeed, the generated code supports Basic authentication and OAuth 1 authentication.
With OAuth1, it even acts as a Provider, in that (through the Lyo-oauth libraries) it handles the whole authentication process, as well as providing the necessary access tokens.

Lyo does not deal with OAuth2 authentication.
Even if/when it does, it will not act as an OAuth(2) provider. It should just integrate well with such a provider.

It is quite tricky to make things work with Basic, OAuth1 & OAuth2. Is it a must? Can you be satisfied with just OAuth2?

If you just want OAuth2, consider simply replacing the current CredentialsFilter to make things work with OAuth2, like any other web application.

Note that if you plan to integrate with any standard Jazz applications (and at least Siemens's Polarion or Teamcenter), you will need to deal with OAuth1 as well.


Hi @jad

I just want to integrate with OAuth2; I have implemented a new filter to check the access token and the HTTP login session.
I followed all the access token and login session handling process in the Refimpl project (https://github.com/oslc-op/refimpl/tree/master/src/server-cm).

My problem is, for example, when the client uses a creator dialog for the first time, the filter checks the login session; if the session value is null, it directs to the OAuth2 login page (just like the server-cm project uses Basic authentication to pop up the login dialog), where I enter the username (email) and password, and it then goes to the User Consent page (this is the OAuth2 login process). But all of this happens in the client iframe page, and the User Consent step cannot be done in the iframe.
That's my problem. I don't know how to deal with this process. Is there anything wrong? Can you give me any suggestions?

If your OAuth 2 provider blocks iframes, you have to put a target="_blank" login link in your iframe, just like Jazz does it. The final redirect in this new tab would be "login successful, you can now close this tab."

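To make the last answer concrete, here is an added example (not refimpl or Lyo code) of a servlet Filter that replaces the CredentialsFilter for OAuth2: a Bearer access token for non-browser OSLC clients, the HTTP session for the browser, and, when neither is present, a 401 page carrying a target="_blank" login link instead of redirecting the iframe to the consent page. The IdP authorize URL, callback URL, client id, session attribute names and the tokenValidator are assumptions, as is the callback servlet (not shown) that checks the returned state, exchanges the code, stores the user in the session and renders the "login successful, you can now close this tab" page.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.function.Predicate;
import javax.servlet.*;        // Servlet 4.0+: Filter.init/destroy have default bodies
import javax.servlet.http.*;

// Example replacement for refimpl's CredentialsFilter; URLs, client id and attribute names are assumptions.
public class OAuth2CredentialsFilter implements Filter {
    static final String AUTHORIZE_URL = "https://oauth.example.com/authorize";          // assumed IdP
    static final String CALLBACK_URL = "http://localhost:8801/services/oauth2/callback"; // assumed
    static final String CLIENT_ID = "oslc-cm";                                           // assumed
    static final String USER_ATTR = "oauth2.user";   // set by the callback servlet after the code exchange
    static final String STATE_ATTR = "oauth2.state"; // binds the login tab to this browser session
    private final Predicate<String> tokenValidator;  // e.g. introspection against your OAuth2 server
    public OAuth2CredentialsFilter(Predicate<String> tokenValidator) { this.tokenValidator = tokenValidator; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // 1. Non-browser OSLC clients present a Bearer access token; no session involved.
        String auth = request.getHeader("Authorization");
        if (auth != null && auth.startsWith("Bearer ")) {
            if (tokenValidator.test(auth.substring("Bearer ".length()))) { chain.doFilter(req, res); return; }
            response.setHeader("WWW-Authenticate", "Bearer realm=\"oslc-cm\", error=\"invalid_token\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Browser inside a delegated-dialog iframe: already logged in via the callback?
        HttpSession session = request.getSession(true);
        if (session.getAttribute(USER_ATTR) != null) { chain.doFilter(req, res); return; }
        // 3. Not logged in. Don't sendRedirect() the iframe to the IdP (the consent page won't frame):
        //    answer 401 with a login link that opens a new tab, bound to this session by a random state.
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        session.setAttribute(STATE_ATTR, state); // the callback must reject a code whose state differs
        String loginUrl = AUTHORIZE_URL + "?response_type=code&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(CALLBACK_URL) + "&state=" + enc(state);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Bearer realm=\"oslc-cm\"");
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().write("<p>Sign-in required. <a href=\"" + loginUrl.replace("&", "&amp;")
                + "\" target=\"_blank\" rel=\"noopener\">Log in in a new tab</a>, then retry here.</p>");
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); } // Java 10+
}
```

Register it in place of the CredentialsFilter on the same URL patterns; once the callback has stored the user in the session, the dialog in the iframe authenticates on the next request without any further redirect.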