OpenAPI/Swagger spec for OAuth 2 Authorization code flow - oauth-2.0

Is there a good open source Swagger 2.0 spec for the OAuth 2 Authorization code flow that I could use in my project? Or a swagger spec for the OpenID Connect flow.

I ended up creating my own OpenAPI spec for endpoints used in OAuth2 Authorization Code grant: https://github.com/fed239/oauth2-swagger/blob/master/oauth2-authorization_code.yaml

Related

What are the differences between OAuth 2.0 and 2.1?

I was just looking at Spring Authorization Server and noticed that it mentions OAuth 2.1.
What are the differences between OAuth 2.0 and 2.1?
The OAuth 2.1 specification is currently in draft state. Because of that, it is currently not clear what the final differences will be.
See current draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05
Excerpt from the current draft:
This draft consolidates the functionality in OAuth 2.0 [RFC6749], OAuth 2.0 for Native Apps ([RFC8252]), Proof Key for Code Exchange ([RFC7636]), OAuth 2.0 for Browser-Based Apps ([I-D.ietf-oauth-browser-based-apps]), OAuth Security Best Current Practice ([I-D.ietf-oauth-security-topics]), and Bearer Token Usage ([RFC6750]).
Where a later draft updates or obsoletes functionality found in the original [RFC6749], that functionality in this draft is updated with the normative changes described in a later draft, or removed entirely.
A non-normative list of changes from OAuth 2.0 is listed below:
* The authorization code grant is extended with the functionality from PKCE ([RFC7636]) such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters
* Redirect URIs must be compared using exact string matching as per Section 4.1.3 of [I-D.ietf-oauth-security-topics]
* The Implicit grant (response_type=token) is omitted from this specification as per Section 2.1.2 of [I-D.ietf-oauth-security-topics]
* The Resource Owner Password Credentials grant is omitted from this specification as per Section 2.4 of [I-D.ietf-oauth-security-topics]
* Bearer token usage omits the use of bearer tokens in the query string of URIs as per Section 4.3.2 of [I-D.ietf-oauth-security-topics]
* Refresh tokens for public clients must either be sender-constrained or one-time use as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-10
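The following is an added example, not code from the question, the answer above, or the OAuth 2.1 draft. It is a toy authorization server and client exchange that enforces four of the listed changes in working code: S256 PKCE is mandatory on the authorization code grant, redirect URIs are compared by exact string match, an authorization code can be redeemed once only, and the resource server accepts a bearer token only from the Authorization header and refuses one in the query string. The class name, client_id and URLs are made up for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh 256-bit code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def verify_pkce(stored_challenge, method, presented_verifier):
    """Token endpoint side: only S256 is accepted ('plain' is refused), constant-time compare."""
    if method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def redirect_uri_allowed(registered_uris, requested_uri):
    """Security-topics 4.1.3: exact string comparison, no prefix, host or pattern matching."""
    return requested_uri in registered_uris


def bearer_token_from_request(headers, url):
    """Resource server side: token only via 'Authorization: Bearer ...', never ?access_token=."""
    if "access_token" in parse_qs(urlsplit(url).query):
        raise ValueError("bearer token in the query string is not accepted")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


class AuthorizationServer:
    """Hypothetical authorization server: codes are bound to client, redirect URI and challenge."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> list of registered redirect URIs
        self.codes = {}          # code -> (client_id, redirect_uri, code_challenge)
        self.tokens = set()

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        if not redirect_uri_allowed(self.clients.get(client_id, []), redirect_uri):
            raise ValueError("redirect_uri does not exactly match a registered URI")
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self.codes.pop(code, None)   # pop: a code can be redeemed once only
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        bound_client, bound_uri, challenge = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not verify_pkce(challenge, "S256", code_verifier):
            raise ValueError("code_verifier does not match code_challenge")
        access_token = secrets.token_urlsafe(32)
        self.tokens.add(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}


def run_authorization_code_flow():
    """Complete exchange; returns the token the resource server extracts from the header."""
    server = AuthorizationServer({"app": ["https://app.example/callback"]})
    verifier, challenge = make_pkce_pair()
    code = server.authorize("app", "https://app.example/callback", challenge, "S256")
    resp = server.token("app", code, "https://app.example/callback", verifier)
    return bearer_token_from_request({"Authorization": "Bearer " + resp["access_token"]},
                                     "https://api.example/me")
```

The `s256_challenge` function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the spec directly; the rest is the policy the 2.1 draft makes default, written so that each refusal is a separate, explicit error.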

RESTful API with HOBA authentication in OpenAPI

I want to create a specification of an HTTP RESTful API in OpenAPI.
Since authorization and authentication are strict requirements and I don't have HTTPS security, it seems to me that the only available HTTP authentication scheme is HOBA (https://www.rfc-editor.org/rfc/rfc7486).
How do I describe HOBA with Swagger editor or e.g., Stoplight Studio or similar editor?

OAuth2AuthorizationCodeGrantFilter vs OAuth2LoginAuthenticationFilter in Spring Security OAuth2 client

When I am trying to understand OAuth2 client, I am confused about why we have two different filters
I attempted to integrate with Github. Here are my observations
OAuth2AuthorizationCodeGrantFilter sounds like a filter that exchanges the authorization code for an access token, but when I set a breakpoint in it, it does not do that
OAuth2LoginAuthenticationFilter sounds somewhat like it does the login somehow, but this filter exchanges the auth code for an access token instead of the above
I'm not sure why this is the case, as the first class name implies a strong correlation to the authorization code
Also, what is the difference between OAuth2LoginConfigurer and OAuth2ClientConfigurer?
Looks like OAuth2LoginConfigurer configures OAuth2LoginAuthenticationFilter, while OAuth2ClientConfigurer configures OAuth2AuthorizationCodeGrantFilter
Can someone explain what each of them does & in which scenarios they are applicable?
Thanks
This is well documented in the Spring Security reference.
OAuth 2.0 Login
OAuth 2.0 Client
As well, in the javadoc:
OAuth2LoginAuthenticationFilter
OAuth2AuthorizationCodeGrantFilter
At a high level:
http.oauth2Login() is an implementation of OpenID Connect Authentication using the Authorization Code Flow
http.oauth2Client().authorizationCodeGrant() is an implementation of OAuth 2.0 Authorization Code grant

How can we pass user information to restrict the swagger APIs endpoints

We have a use case where we need to show user credential params such as username and password, and based on the username value and password validation on the backend side we have to render the swagger APIs.
I am not able to figure out how I can render the swagger APIs based on the authentication result.
Any pointer will be highly appreciated.
You didn't mention which version of swagger you are using, but it looks like there is support for protecting endpoints via some kind of authentication using Swagger 2.0 and 3.0.
From the 2.0 docs:
Swagger 2.0 lets you define the following authentication types for an API:
Basic authentication
API key (as a header or a query string parameter)
OAuth 2 common flows (authorization code, implicit, resource owner password credentials, client credentials)
From the 3.0 docs:
OpenAPI uses the term security scheme for authentication and authorization schemes. OpenAPI 3.0 lets you describe APIs protected using the following security schemes:
HTTP authentication schemes (they use the Authorization header):
Basic
Bearer
other HTTP schemes as defined by RFC 7235 and HTTP Authentication Scheme Registry
API keys in headers, query string or cookies
Cookie authentication
OAuth 2
OpenID Connect Discovery
Each of those sets of documents has links to examples and further documentation.
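As an added example (not from either question or answer, and not an official Swagger sample), here is an OpenAPI 3.0 document, written as a Python dict equivalent to the YAML an editor would show, that declares the oauth2 security scheme with the authorizationCode flow that the first question asks about, plus an openIdConnect scheme, and a lint pass over it. The lint catches the mistakes that make a `security` requirement silently ineffective: references to undefined schemes or undeclared scopes, non-https endpoint URLs, and operations that end up with no requirement at all. It also flags the implicit and password flows, which OpenAPI still lets you declare but the OAuth 2.1 draft removes. Paths, URLs and scope names are made up for the example.

```python
# Constructed OpenAPI 3.0 document (example only; a real spec would carry full operation objects).
SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0.0"},
    "components": {
        "securitySchemes": {
            "oauth2": {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "https://auth.example/oauth2/authorize",
                        "tokenUrl": "https://auth.example/oauth2/token",
                        "refreshUrl": "https://auth.example/oauth2/token",
                        "scopes": {"orders:read": "Read orders", "orders:write": "Create orders"},
                    }
                },
            },
            "oidc": {
                "type": "openIdConnect",
                "openIdConnectUrl": "https://auth.example/.well-known/openid-configuration",
            },
        }
    },
    "security": [{"oauth2": ["orders:read"]}],   # default requirement for every operation
    "paths": {
        "/orders": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"security": [{"oauth2": ["orders:write"]}],
                     "responses": {"201": {"description": "created"}}},
        },
        "/health": {
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},  # deliberately public
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
OAUTH21_REMOVED_FLOWS = {"implicit", "password"}


def lint_security(spec):
    """Return a list of problems; an empty list means the security wiring is consistent."""
    problems = []
    schemes = spec.get("components", {}).get("securitySchemes", {})

    # 1. The scheme definitions themselves.
    for name, scheme in schemes.items():
        if scheme.get("type") == "oauth2":
            for flow_name, flow in scheme.get("flows", {}).items():
                if flow_name in OAUTH21_REMOVED_FLOWS:
                    problems.append(f"{name}: flow '{flow_name}' is dropped by OAuth 2.1")
                for key in ("authorizationUrl", "tokenUrl", "refreshUrl"):
                    url = flow.get(key)
                    if url and not url.startswith("https://"):
                        problems.append(f"{name}.{flow_name}.{key} is not https")
        elif scheme.get("type") == "openIdConnect":
            if not scheme.get("openIdConnectUrl", "").startswith("https://"):
                problems.append(f"{name}: openIdConnectUrl must be https")

    # 2. Every security requirement must name a defined scheme and, for oauth2, declared scopes.
    def check_requirements(where, requirements):
        for req in requirements:
            for name, scopes in req.items():
                scheme = schemes.get(name)
                if scheme is None:
                    problems.append(f"{where}: security scheme '{name}' is not defined")
                    continue
                if scheme.get("type") == "oauth2":
                    known = set()
                    for flow in scheme.get("flows", {}).values():
                        known |= set(flow.get("scopes", {}))
                    for scope in scopes:
                        if scope not in known:
                            problems.append(f"{where}: scope '{scope}' not declared on '{name}'")
                elif scopes:
                    problems.append(f"{where}: scopes given for non-oauth2 scheme '{name}'")

    check_requirements("global", spec.get("security", []))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and "security" in op:
                check_requirements(f"{method.upper()} {path}", op["security"])
    return problems


def public_operations(spec):
    """Operations left with no security requirement (explicit [] or no global default)."""
    default = spec.get("security", [])
    public = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and op.get("security", default) == []:
                public.append(f"{method.upper()} {path}")
    return public
```

Running `public_operations` is the check to do before publishing: an operation-level `security: []` overrides the global default, so it is the one place where an endpoint becomes unauthenticated without anything else in the document changing.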

Netsuite oauth integration without Restlet

I have accessed Netsuite in two ways.
1. Using Credentials without Restlet
2. Using Oauth with Restlet
But I searched everywhere for code to connect to Netsuite using Oauth without Restlet and I could not get anywhere.
Now I am confused about whether Netsuite allows access using Oauth with Restlet only or not.
Help me with the next step. If there is a possibility to access Netsuite using Oauth without Restlet, give me the code.
Thanks in advance.
The code example is in SuiteAnswer Id 44710 (you will need to log in to NetSuite to read it)
The code example is in Java
You need to write:
1) logic to compute Hash (you can use javax.crypto package)
2) logic to compute signature using #1 and netsuite account and token details
3) you need to add the signature in SOAP token passport header
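The following is an added example and is not the Java code from SuiteAnswer 44710, which the page does not reproduce. It carries steps 1 to 3 above through in Python: the hash/signature is an HMAC-SHA256 over the token-passport base string, base64-encoded, and it is placed in the SOAP tokenPassport header. The base-string layout (account&consumerKey&tokenId&nonce&timestamp), the key layout (consumerSecret&tokenSecret) and the element names are taken from NetSuite's token-based authentication documentation as an assumption here; the SuiteAnswer is authoritative, and all credential values below are made up.

```python
import base64
import hashlib
import hmac
import secrets
import time
from xml.sax.saxutils import escape


def tba_base_string(account, consumer_key, token_id, nonce, timestamp):
    """Step 1 input: the five values joined with '&' in this fixed order (assumed layout)."""
    return "&".join([account, consumer_key, token_id, nonce, str(timestamp)])


def tba_signature(account, consumer_key, token_id, nonce, timestamp,
                  consumer_secret, token_secret):
    """Steps 1-2: HMAC-SHA256(key = consumerSecret&tokenSecret, msg = base string), base64."""
    key = f"{consumer_secret}&{token_secret}".encode("utf-8")
    msg = tba_base_string(account, consumer_key, token_id, nonce, timestamp).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def token_passport_xml(account, consumer_key, token_id, consumer_secret, token_secret,
                       nonce=None, timestamp=None):
    """Step 3: the tokenPassport SOAP header carrying the signature.

    Namespace prefixes follow NetSuite's SOAP envelope; their declarations sit on the
    envelope element, which is omitted here.  A fresh nonce and the current Unix time
    are generated per request so the signature cannot be replayed later.
    """
    nonce = nonce or secrets.token_hex(16)
    timestamp = timestamp or int(time.time())
    sig = tba_signature(account, consumer_key, token_id, nonce, timestamp,
                        consumer_secret, token_secret)
    return (
        "<soapenv:Header>"
        "<platformMsgs:tokenPassport>"
        f"<platformCore:account>{escape(account)}</platformCore:account>"
        f"<platformCore:consumerKey>{escape(consumer_key)}</platformCore:consumerKey>"
        f"<platformCore:token>{escape(token_id)}</platformCore:token>"
        f"<platformCore:nonce>{escape(nonce)}</platformCore:nonce>"
        f"<platformCore:timestamp>{timestamp}</platformCore:timestamp>"
        f'<platformCore:signature algorithm="HMAC_SHA256">{sig}</platformCore:signature>'
        "</platformMsgs:tokenPassport>"
        "</soapenv:Header>"
    )


if __name__ == "__main__":
    # Made-up credentials; real ones come from the NetSuite integration record and access token.
    print(token_passport_xml("1234567", "consumer-key", "token-id", "consumer-secret", "token-secret"))
```

Only the signature, never the two secrets, goes on the wire; keep the consumer secret and token secret in a secrets store and build the header right before each call so the timestamp stays within NetSuite's acceptance window.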
