rest oauth2 server

Rest OAuth2 Server is a Rails 3 app that let you open up your API and manage end-user authentication and client application authorization implementing the OAuth 2.0 Specifications (draft 13).

279
46
Ruby

= Rest OAuth 2.0 Server is dead

We are sorry to annunce that due to a lack of time rest oauth2 server is now without a mantainer. For this
reason we call the project dead and we suggest you to use more solid solution such as
{Doorkeeper}[https://github.com/applicake/doorkeeper] or {oPRO}[https://github.com/opro/opro].
Anyway, we still think this project can be helpful to understand how a OAuth2 server works so if interested in that
checkout the code and the whole documentation. It was really nice to have such good people collaborating on this project.

P.S. If you are interested about becoming the new mantainer of this project write us.

{The Lelylan Team}[http://lelylan.com]

= Desription

Rest OAuth 2.0 Server is a project that easily allows the generation of an OAuth 2.0 Server following the {draft 13}[http://tools.ietf.org/html/draft-ietf-oauth-v2-13]
of the OAuth 2.0 protocol with {bearer tokens}[http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-02]. The spec
is close to settling down, and we intend to update our code to match the final OAuth 2.0 and bearer token standards.
OAuth has often been described as a “valet key for the web.” It lets applications ask users for access to just the
data they need and no more, giving them the ability to enable and disable the accesses whenever they want, most of
the time without sharing their secret credentials.

= Installation

For the Rest OAuth 2.0 Server to work you need to have

To install the project run the following commands (remember to run $ mongod before)

$ git clone [email protected]:lelylan/rest-oauth2-server.git
$ cd rest-oauth2-server
$ bundle install
$ rake spec
$ rails s

If everything works fine, you have your OAuth 2.0 Server up and running! We are also working at a gem and a
generator to easily integrate the Rest OAuth 2.0 server into your project, so stay tuned.

== Admin user definition

When accessing the application for the first time, click to sign up. A message will ask you to create the first
administrator user as no one have been found.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/first-user-creation.png

Register, log in and access the admin dashboard where you will find the following sections.

  • Users: list with all registered users.
  • Scopes: authorization scopes administration.
  • Accesses: clients that access the user’s data.
  • Clients: registered clients (third party application)

While the Users and Scopes sections are visible only to the admin, Accesses and Clients are available to every
registered user, also the ones that will grant access for their resources. To better understand what you can do
explore the Dashboard and read the following sections.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/admin-dashboard.png

== Scopes explained

In a short way, scopes tell you what can and can’t be accessed. The Rest OAuth 2.0 Server ships with a
flexible and powerful scope system which can be dynamically built.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/scopes.png

To create a new scope click Create a new scope and you will get a simple form with two fields

  • Name: unique alphanumeric key that identify a scope.
  • Values: list of space separated alphanumeric strings, each of one refers to an action (built following the convention {controller name}/{action name}) or to an existing scope name.

Going a bit deeper you can define the accessible actions in two ways.

=== Action specific values

You can specify any action present in your rails app. For example if you want to allow the access to the action
create in the controller pizzas you just add the string “pizzas/create”. Here you can see an example on defining the
access to all RESTful actions in a sample pizzas controller.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/pizzas-scope.png

=== Scope name values

You can specify any group of actions adding a name scope. For example if the scope pizzas allows the access to all
actions in the pizzas controller and the scope pastas allow the access to all actions in pastas controller, then the
“all” "cope could have as values the list “pizzas pastas”

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/all-scope.png

== Protect your resources

After scopes are defined there is one more step. You need to protect the actions you want to authorize. To do thi
add the filter oauth_authorized in any controller you want to protect.

class PizzasController < ApplicationController
before_filter :oauth_authorized

This filter verify if the client can access the specific action, regarding the scope that has been granted from the user.
You can also decide to protect all of your resources (they must accept JSON format) by uncommenting oauth_authorized
line in the {ApplicationController}[https://github.com/Lelylan/rest-oauth2-server/blob/master/app/controllers/application_controller.rb].

Last, you can make some actions public by using the exclude option.

before_filter :oauth_authorized, except: %w(index, show)

== Client definition

Every registered user can define a client (third party application). To do this access the dashboard and create your first
client filling these fields.

  • Name: client name.
  • Siti URI: client web site URI.
  • Redirect URI: client redirect URI, used as callback after the user grant or deny the access.
  • Scope: one or more scope names, separated by spaces (limit the possible accesses a client can have). By default a
    scope named “all” is set as default. For this reason follow the convention to call “all” the scope that give all accesses.
  • Info: additional information.

Once the client is create the additional field client uri and secret are generated. You will use these info
later on, during the authorization flows.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/client-show.png

If you define a scope named all you can use one more functionality. You can click the button Simulate Authorization
that you can find in the end of the client detail page, and you will see the authorization page that a user would normally see
when granting access to a client.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/authorization.png

=== Block clients

The admin can access to all created clients and decide to block any of them, meaning all related access tokens are disabled.
This is pretty useful in cases where a client is considered “not safe”. When a client is blocked every authorization request
will be disabled, until the admin unblock it.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/block-clients.png

== Granted Clients (aka accesses)

Once users grant the access to their resources, the accesses list is updated. Here a user can see which clients are accessing
their resources, and with which frequency. One important functionality lies on the possibility for a user to block a specific
client, whenever it is considered “not safe”.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/access.png

= OAuth 2.0 flows explained

Today Rest OAuth 2.0 Server supports three flows of OAuth 2.0

== OAuth 2.0 for server-side web applications

This flow is meant for web applications with servers that can keep secrets and maintain state.

The server-side flow has two parts. In the first part, your application asks the user for permission to access
their data. If the user approves, instead of sending an access token directly as in the client-side flow, the
Rest OAuth 2.0 Server will send to the client an authorization code. In the second part, the client will POST
that code along with its client secret to the Rest OAuth 2.0 Server in order to get the access token.

=== Getting an access token

This flow begins by sending the user to the authorization endpoint /oauth/authorization
with the following query parameters

  • response_type (REQUIRED): always use “code” as response type
  • client_id (REQUIRED): client identifier (the URI of the client model)
  • redirect_uri (REQUIRED): callback URI to the client application
  • scope (REQUIRED): privileges given to the client
  • state (OPTIONAL): opaque value used by the client to maintain state between the request and callback

Here’s an example URL for a hypothetical app called “Example App” running on https://www.example.com

http://localhost:3000/oauth/authorization?
response_type=code&
client_id=http://localhost:3000/clients/a918F2fs3&
redirect_uri=httsp://www.example.com/callback&
scope=write&
state=2af5D3vds

And this is what you should see.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/authorization.png

After the user approves access or chooses not to, we’ll redirect to the redirect_uri you pass us. If the
user denies access, an error code is appended:

https://example.com/callback?error=access_denied&state=2af5D3vds

If the user approves access will be appended an authorization code in the query string of the URL:

https://example.com/callback?code=g2VDXwrT0S6iZeUeYQBYi2stxRy&state=2af5D3vds

Now, the client reached through the redirect_uri should swap that authorization code for an access token by POSTing
it along the following params to the token endpoint /oauth/token using the JSON format.

  • code (REQUIRED): authorization code (from the previous step)
  • grant_type (REQUIRED): always use “authorization_code” as grant type
  • client_id (REQUIRED): client identifier (in our case is the uri field of the client)
  • client_secred (REQUIRED): client secret code

Using curl the request might look like:

curl -i http://localhost:3000/oauth/token
-H “Accept: application/json”
-X POST -d ‘{
“code”: “g2VDXwrT0S6iZeUeYQBYi2stxRy”,
“grant_type”: “authorization_code”,
“client_id”: “http://localhost:30000/clients/a918F2fs3”,
“client_secret”: “a34a7afe4731e745de9d61iZeUeY”
}’

The response is a JSON Object containing the access token:

{
“access_token”: “SlAV32hkKG”,
“expires_in”: 1800,
“refresh_token”: “Da8i1930LSj”
}

=== Getting additional access tokens

When your access token expires, Rest OAuth 2.0 Server API endpoints will respond with HTTP 401 Unauthorized. At any time,
you can use the token endpoint with your refresh token with the following query parameters

  • grant_type (REQUIRED): always use “refresh_token” as grant type
  • client_id (REQUIRED): client identifier (in our case is the uri field of the client)
  • client_secred (REQUIRED): client secret code
  • refresh_token (REQUIRED): refresh token previusly received

Using curl the request might look like:

curl -i http://localhost:3000/oauth/token
-H “Accept: application/json”
-X POST -d ‘{
“grant_type”: “refresh_token”,
“refresh_token”: “Da8i1930LSj”,
“client_id”: “http://localhost:30000/clients/a918F2fs3”,
“client_secret”: “a34a7afe4731e745de9d61iZeUeY”
}’

The response is a JSON Object containing the new access token.

{
“access_token”: “AlYZ892hsKs”,
“expires_in”: 1800,
“refresh_token”: “Da8i1930LSj”
}

=== Going deep

If you are curious and you want to find more check the {acceptance}[https://github.com/Lelylan/rest-oauth2-server/blob/master/spec/acceptance/oauth/oauth_authorize_controller_spec.rb]
{tests}[https://github.com/Lelylan/rest-oauth2-server/blob/master/spec/acceptance/oauth/oauth_token_controller_spec.rb]
in the authorization token flow and refresh token context.

== OAuth 2.0 for client-side web applications

This flow is meant for JavaScript-based web applications that can’t maintain state over time (it includes also ActionScript
and SilverLight).

=== Getting a user’s permission

This flow begins by sending the user to the authorization endpoint /oauth/authorization
with the following query parameters

  • response_type (REQUIRED): always use “token” as response type
  • client_id (REQUIRED): client identifier (the uri of the client model)
  • redirect_uri (REQUIRED): callback URI to the client application
  • scope (REQUIRED): privileges given to the client
  • state (OPTIONAL): opaque value used by the client to maintain state between the request and callback

Here’s an example URL for a hypothetical app called “Example App” running on https://www.example.com

http://localhost:3000/oauth/authorization?
response_type=token&
client_id=http://localhost:3000/clients/a918F2fs3&
redirect_uri=httsp://www.example.com/callback&
scope=write&
state=2af5D3vds

And this is what you should see.

http://github.com/Lelylan/rest-oauth2-server/raw/development/public/images/screenshots/authorization.png

After the user approves access or chooses not to, we’ll redirect to the redirect_uri you pass. If the
user denies access, an error code is appended:

https://example.com/callback#error=access_denied&state=2af5D3vds

If the user approves will be appended an access token in the hash fragment of the UR:

https://example.com/callback#token=g2VDXwrT0S6iZeUeYQBYi2stxRy&expires_in=1800&state=2af5D3vds

JavaScript running on that page can grab that access token from the window.location.hash and either store it in a
cookie or POST it to a server. Note that the token is added to the {fragment URI}[http://en.wikipedia.org/wiki/Fragment_identifier].
This is done because the fragment URI can not be read from server side, but only from client-based applications.

=== Getting additional access tokens

When your access token expires, our API endpoints will respond with HTTP 401 Unauthorized. At any time, you can send
your user to the same authorization endpoint you used in the previous step. If the user has already authorized your
application for the scopes you’re requesting, Rest OAuth Server won’t show the OAuth dialog and will immediately redirect
to the redirect_uri you pass us with a new access token.

=== Going deep

If you are curious and you want to find more check the {acceptance tests}[https://github.com/Lelylan/rest-oauth2-server/blob/master/spec/acceptance/oauth/oauth_authorize_controller_spec.rb]
in the implicit token flow and refresh implicit token flow context.

== OAuth 2.0 for native applications

This flow is meant for mobile, and desktop installed applications that want access to user data (native apps).

This flow is suitable in cases where the resource owner has a trust relationship with the client, such as its computer operating
system or a highly privileged application. The authorization server should take special care when enabling the grant type, and
only when other flows are not viable, because username and password are shared with the client.

=== Getting an access token

The client should POST to the token endpoint /oauth/token along with the following params
using the JSON format:

  • grant_type (REQUIRED): always use “password” as grant type
  • username (REQUIRED): resource owner email address
  • password (REQUIRED): resource owner password
  • client_id (REQUIRED): client identifier (the uri of the client model)
  • redirect_uri (REQUIRED): callback URI to the client application
  • scope (REQUIRED): privileges given to the client

Using curl the request might look like:

curl -i http://localhost:3000/oauth/token
-H “Accept: application/json”
-X POST -d ‘{
“grant_type”: “password”,
“client_id”: “http://localhost:3000/clients/a918F2fs3”,
“client_secret”: “a34a7afe4731e745de9d61iZeUeY”,
“username”: “[email protected]”,
“password”: “example”,
“scope”: “write”
}’

The response is a JSON Object containing the access token:

{
“access_token”: “AlYZ892hsKs”,
“expires_in”: 1800,
“refresh_token”: “Da8i1930LSj”
}

=== Getting additional access tokens

When your access token expires, Rest OAuth 2.0 Server API endpoints will respond with HTTP 401 Unauthorized. At any time,
you can use the token endpoint with your refresh token with the following query parameters

  • grant_type (REQUIRED): always use “refresh_token” as grant type
  • client_id (REQUIRED): client identifier (in our case is the uri field of the client)
  • client_secred (REQUIRED): client secret code
  • refresh_token (REQUIRED): refresh token previusly received

Using curl the request might look like:

curl -i http://localhost:3000/oauth/token
-H “Accept: application/json”
-X POST -d ‘{
“grant_type”: “refresh_token”,
“refresh_token”: “Da8i1930LSj”,
“client_id”: “http://localhost:30000/clients/a918F2fs3”,
“client_secret”: “a34a7afe4731e745de9d61iZeUeY”
}’

The response is a JSON Object containing the new access token.

{
“access_token”: “AlYZ892hsKs”,
“expires_in”: 1800,
“refresh_token”: “Da8i1930LSj”
}

=== Going deep

If you are curious and you want to find more check the {acceptance tests}[https://github.com/Lelylan/rest-oauth2-server/blob/master/spec/acceptance/oauth/oauth_token_controller_spec.rb]
in the password credentials flow and refresh token context.

= How to use Access Token

To make API requests on the behalf of a user, pass the OAuth token in the query string, as a header, or as a parameter
in the request body when making a POST request.

Query string example.

GET /pizzas?token=AlYZ892hsKs

Header example.

GET /pizzas
Authorization: OAuth2 AlYZ892hsKs

Request body example.

POST /pizzas
token=AlYZ892hsKs&…

Note that all requests must be done using HTTPS.

= Miscellaneous

== OAuth 2.0 options

Rest OAuth 2.0 Server allows you to personalize some options changing {oauth.yml}[https://github.com/Lelylan/rest-oauth2-server/blob/master/config/oauth.yml]

  • token_expires_in: define the seconds after which the access token expires.
  • authorization_expires_in: define the seconds after which the authorization code expires.
  • secure_random: define the lenght of tokens, code and secret keys.
  • scope_separator: define the separator used between different scope keys.

== OAuth 2.0 Models

Rest OAuth 2.0 Server is working on top of 5 models. They are pretty simple so if you want to have more information about
them, check the source code, which is clearly documented.

== Basic authentication system

In addition to the models above there is a basic authentication system

This model is kept simple on purpose, but you can easily change it with the authentication system you prefer like {Authlogic}[https://github.com/binarylogic/authlogic],
{Devise}[https://github.com/plataformatec/devise] or {Warden}[https://github.com/hassox/warden]. Just remember that your user model must
define an uri field, which is used as identifier on the OAuth 2.0 flows. Any help on integration is appreciated.

== Blocking system explained

One important feature lie in the ability of to block a client. Rest OAuth 2.0 server enables you two possibilities:

  • Client block via client.block!: used to block a not safe client for all users.
  • User block a client via access.block!: used when a user want to revoke any access to his resources to a specific client.
  • User block an access token via token.block!: used when a user logout from the client and want to revoke the token access.

In the first two cases it is possible to unblock the client using the unblock! method.

== Testing solutions

Tests are made using {Steak}[https://github.com/cavalle/steak], {Capybara}[https://github.com/jnicklas/capybara]
and {RSpec}[https://github.com/rspec/rspec-rails]. If you want to know more check the tests about {models}[https://github.com/Lelylan/rest-oauth2-server/tree/development/spec/models]
and {acceptance tests}[https://github.com/Lelylan/rest-oauth2-server/tree/development/spec/acceptance].

= Other OAuth2 documentation

If the way OAuth2 works is not clear, you can find great documentation on the web.

= Other OAuth2 Ruby Implementations

= Contributing

Follow {MongoID guidelines}[http://mongoid.org/docs/contributing.html]

= Authors

{Andrea Reginato}[mailto:[email protected]] &
{The Lelylan Team}[http://lelylan.com]

A special thanks to the OAuth 2.0 specification team, to the Flowtown Rack Oauth2 Server which gave the
initial ideas of the project and to Google OAuth 2.0 specification for making them so clear to understand.

= Changelog

See {CHANGELOG}[link:blob/master/CHANGELOG.rdoc]

= License

Rest OAuth 2.0 Server is available under the MIT license.