There are a lot of examples of how to use OAuth2 in Dart client-side (in browser), but I can't find any example of how to implement authentication for server-side.
For example, for Node.JS there are frameworks like PassportJS but I can't find anything similar for Dart.
As a use case could be a not SPA project, and I need to provide login to Google/Facebook/Twitter/etc
Can anybody provide any snippet using raw dart:io HttpServer or any server-side frameworks like Start or Bloodless ?
The description says client library but also that it only works with 'dart:io' which means it is for the server
http://pub.dartlang.org/packages/oauth2
and
http://pub.dartlang.org/packages/google_oauth2_v2_api (client and server)
There is also a complete OAuth2 implementation for the Angel framework:
https://github.com/angel-dart/oauth2
The included code abstracts over the OAuth2 transport itself; the storage, database, etc. is up to your choice.
Related
Does Adobe Experience Manager support OAuth 2.0 as a client? I mean AEM connecting with an external application which plays a role of authorization server and resource provider.
I could not find any examples of such usage - AEM is usually presented as an authorization server and resource provider for other client applications.
AEM provides an number of authorization integrations. Maybe you can switch to SAML, which works pretty good out-of-the-box. I once integrated AEM with Keycloak with good results (but using SAML).
Regarding OAuth most documentation is dominated by AEM as an OAuth provider. They integrated Apache Oltu (which is end-of-life anyway).
But AEM provides an OAuth client as well. But it needs a custom extension for each provider. Out-of-the-box are only implementations for Twitter and Facebook available. But there seems also Github and IMS (Identity Management from Adobe Managed Services) to be available.
Please check also Package Share. But I don't know what is available there. And you probably need support from Adobe, to judge the quality and usefulness of such packages.
If you have to implement your own Provider-Extension, the best starting point I found was here:
https://aemcorner.com/adobe-granite-oauth-authentication-handler/
You are basically free to build whatever you want, as AEM is basically nothing else but a Java application. But you might want to keep in mind, that the standard applications of AEM are delivering rendered HTML from the dispatcher in the end. You want to have as little load on the publishers as possible.
So, when authorisation of resources is a technical- or business concern, you might need to dive deeper into SPAs or at least async loading of resources as JSON.
I am trying to create a Dart server that watches a Firebase path. There is a Firebase package in Pub, it is a wrapper for the Javascript library. The instructions for installing the library say:
The firebase.js library MUST be included for the wrapper to work:
I can see how this would work with a client-side Dart application, but how can I use the Firebase Javascript library from a Dart server?
The library you reference (firebase.dart) is purely for client-side usage. For server-side usage, Firebase offers a REST API. There are helper libraries for many languages, but not for Dart as far as I know. As it's REST, it seems to be very easy to interact with Firebase endpoints to get and put data.
You'll want to set up an HttpServer, of course, and then it's a matter of interacting with the Firebase endpoints using http.put and http.read.
Firebase's server-side streaming support via its REST API seems more involved. There doesn't seem to be many Dart folks using Firebase, certainly not the server-side stuff, and so you'll just have to work through getting your server to interact as the docs explain.
(If I get to that point myself, I'll report back and share my code, though all I care to do at the moment on the server is save some data from a Facebook authentication callback URL which my server reads in. Everything else Firebase is on the client side for me.)
I need help with oauth2.0 and java restful (jersey), any help would be appreciated, I need to find way how oauth2 would be implemented. Here's the scenario, We have a web based application, now, there are clients engage to it. They're planning to have an API (Restful service) so that it will be consumed on mobile devices(android and ios). (They can login using mobile and update their accounts etc.).
Now, my problem is how will I integrate oauth2 for its security using java and how will I create Authorization server.
I used to have the same question and end up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
# Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server.
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released on Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.
I am building a REST API using Grails. I want it to be protected using OAuth2.0 client_credentials flow(grant_type). My use-case is as follows:
a external agent will send a request to something like
http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials
and obtain a access_token. Then, my URL(protected resource) should be accesible with something like
http://server-url/resource?access_token={access-token obtained before}
I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this ? Scribe library is an option, if there are any tutorials for my specific use-case, it will be great.
P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.
I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!
Based on my experiences, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper, we had to do anything else manually. Fortunately, doing it manually is suprisingly easy.
Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.
Note that your examples are not completely standard compliant. The standard requires using HTTPS, sending the token in an HTTP header instead of a GET parameter and suggests using a HTTP basic authorization header instead of GET parameters to specify client credentials.
I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)
This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.
https://github.com/bobbywarner/grails3-oauth2-api
I'm mildly familiar with DotNetOpenAuth and OAuth in general, but in terms of Web API development, what is the best way to lock down a web service in terms of the following criteria:
Ease of implementation
Interoperability/compatibility with end-user facing platforms (iOS, Android, Win Phone, Flex...)
Whether or not it is clearly standards-based (like OAuth for example)
Thanks!
please take a look here: OAuth 2.0 in Web API
Inside the WebApiContrib project there are also Basic Authentication samples which is straight forward but it should not be used without SSL.
The DotNetOpenAuth .zip download includes a sample WCF service that is protected by OAuth.
There are a couple of wcf web api implementation to handle authentication on internet. I have done one as well # http://misaxionsoftware.wordpress.com/2011/07/29/secure-restful-web-service-by-wcf-web-api-no-https-seriously/
Note: code is based on Preview 3, some class name has changed in Preview 5.
The idea of implementation is ensure secured communication without SSL.
It's easy to construct. The function is transparent to your service because all the work is done in message handler. You don't bother to call the authenticate function in your service method.
Compatible with end-point where RSA encryption is supported.
Standards-based, hmm... Standards varies from case to case...