Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[request] OAuth2 plugin #169

Closed
patolo opened this issue Apr 28, 2015 · 32 comments
Closed

[request] OAuth2 plugin #169

patolo opened this issue Apr 28, 2015 · 32 comments
Labels
idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports. plugins/oauth2
Milestone

Comments

@patolo
Copy link

patolo commented Apr 28, 2015

I guess you don't want a UI but is there any plans on Oauth2 authentication?

@sonicaghi
Copy link
Member

Yes

@sonicaghi sonicaghi added the idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports. label Apr 28, 2015
@lookfirst
Copy link
Contributor

oauth

@dmyers
Copy link

dmyers commented Apr 28, 2015

👍

1 similar comment
@PierreKircher
Copy link

+1

@nijikokun
Copy link
Contributor

Yes, OAuth is a planned and upcoming plugin.

@thibaultcha thibaultcha changed the title Oauth2 [request] OAuth2 plugin Apr 29, 2015
@damonpetta
Copy link

+1

4 similar comments
@patolo
Copy link
Author

patolo commented Apr 29, 2015

+1

@bkleef
Copy link

bkleef commented Apr 29, 2015

+1

@melihmucuk
Copy link

+1

@orliesaurus
Copy link

+1

@tanaydin
Copy link

tanaydin commented May 8, 2015

+1 * 100

@mtwilliams
Copy link

👍

1 similar comment
@tomharper
Copy link

+1

@samgaw
Copy link

samgaw commented May 17, 2015

@nijikokun Is there a timeframe on when the plugin will be released?

@sonicaghi
Copy link
Member

@samgaw here the plan for the coming 0.3 https://github.com/Mashape/kong/milestones/0.3.0

@sonicaghi
Copy link
Member

OAuth support in the 0.4

@sonicaghi sonicaghi added this to the 0.4.0 milestone Jun 6, 2015
@vnataraj
Copy link

vnataraj commented Jun 8, 2015

+1 and I think it'd be awesome if it supports multiple grant types(implicit, authorization code, etc)

@subnetmarco
Copy link
Member

In the first implementation of the OAuth 2.0 plugin I would like to support the following grant types:

  • authorization_code (with support for the implicit grant)
  • client_credentials

And support for refresh tokens.

@nijikokun
Copy link
Contributor

I would suggest doing the basic grant types:

  • Implicit (Browser enabled authentication)
  • Resource Owner (Device and first-party, think internal or between devices)
  • Authorization (Application flow)
  • Authorization Code (See above)
  • Client Credentials

@subnetmarco
Copy link
Member

Here are a few considerations on this plugin and a possible implementation flow. Let's consider a typical three-legged flow:

  1. A client application wants to access to third-party user data
  2. The user is redirect to the third-party service to authorize the application
  3. If not logged in, the user needs to login
  4. After logging in, the user can authorize the client application to access his data
  5. An authorization code is being generated, and the user is redirected to a redirect_uri
  6. The client application reads the code, and makes a request to retrieve an access_token
  7. The authorization code is successfully exchanged for an access_token
  8. The client application can start making API requests on behalf of the user by passing the access_token on every request.

Here is the workflow:

oauth flow

Login Authentication Issue

The OAuth 2.0 plugin on Kong will store all the client applications, authorization codes and access tokens inside Kong. Kong will be the only authority storing, creating and expiring this data.

What Kong can't do is authenticate the user to make sure he's logged in, because Kong doesn't integrate with an existing Login system that the third-party service uses. This means that the third-party service needs to make sure the user is logged in before starting the OAuth authorization flow.

This also means that the authorization process needs to be implemented in the third-party service frontend (to show the page that shows which scopes to accept), and backend (to securely provision an authorization code. This are steps 2-7 in the workflow above. If the authorization service wasn't implemented this way, then any client application could issue authorization codes without effectively making sure the user is logged in (and without possibly associating any user to the final access_token.

From a technical perspective, the step 5 sends the following data to Kong:

POST /oauth2_authorization HTTP/1.1
Host: kong:8001
Accept: application/json
Content-Type: application/x-www-form-urlencoded

client_id=VALUE&response_type=code&scope=email&state=VALUE&authenticated_userid=VALUE&authenticated_username=VALUE&provisioning_key=VALUE
Parameter Description
client_id The OAuth 2.0 client ID
response_type The OAuth 2.0 response type
scope The OAuth 2.0 scope
state The OAuth 2.0 optional state
authenticated_userid The logged user ID that is authorizing the client, that will be appended in a header to the final API requests
authenticated_username The optional logged in username that is authorizing the client, that will be appended in a header to the final API requests
provisioning_key An unique secret key that authorizes the third-party service to provision OAuth 2.0 authorization codes on behalf of the final API on Kong

This operation returns something like:

{
    "redirect_uri": "http://some/uri?code=ao182oin1kone9ah89shdansda"
}

The redirect_uri is where the third-party service webapp will redirect the user after authorizing the application to access his data.

Every other step is a regular OAuth 2.0 flow between the client and Kong.

What the user needs to build to support OAuth ?

  • The login page (that he already has).
  • The authorization page (an HTML page - the OAuth 2.0 plugin could provide a javascript helper for building this page)
  • The backend flow to process the form submit, executing a POST request to Kong and redirecting the user to the redirect_uri URI if the provisioning succeeds.

Thoughts?

@nijikokun
Copy link
Contributor

@thefosk yes this is the generally accepted method of approaching this issue

@ahmadnassri
Copy link
Contributor

perhaps it's better to prefix this comment with clarification:

this is only the context of using Kong in-front of your web application and outsourcing the oauth authentication flow to Kong only

generally speaking, everything before step 5 Kong shouldn't care about.

step 5 is between the service provider server (Kong owner) and Kong, (creating an access token) which is then passed to the web application.

from step 6 and onwards, its communication between an application / server and Kong oauth flows directly.

so, to simplify this:

Q1: What does the Kong user needs to build to support OAuth?
A: integrate with Kong API to create authentication keys

**Q2: What does the application developer need to build to use OAuth with Kong?**A:** follow standard oauth application flows.

to that end, perhaps we should create a simple documentation to be used by Kong users to expose to their application developers (which is just the oauth2 flows spec)

@sonicaghi
Copy link
Member

PR in the works here #341

@samgaw
Copy link

samgaw commented Jun 19, 2015

My understanding of the project's goals was to essentially glue various internal APIs and microservices together. Within the scope of that context, does it not make sense for an OAuth plugin to focus on Kong acting as the provider rather than looking at 3rd party providers beyond the edge?

@ahmadnassri
Copy link
Contributor

@samgaw that's exactly what this plugin would be, Kong as the oAuth provider on the edge (or internal if used as such).

@sonicaghi
Copy link
Member

You can find OAuth2 here: http://getkong.org/plugins/oauth2-authentication/

@subnetmarco
Copy link
Member

Hey guys, the 0.4.0 is out with OAuth 2.0 plugin support (http://getkong.org/plugins/oauth2-authentication/). Try it and break it :)

@samgaw
Copy link

samgaw commented Jul 23, 2015

Cheers Marco. Docs look great.

I'll try setting up with a couple of different consumers over the weekend.

@matthewgo
Copy link

Will Resource Owner/Password Credential be implemented in the OAuth plugin in Kong?

@subnetmarco
Copy link
Member

Yep, thanks for requesting it. I just opened a new issue #448.

@subnetmarco
Copy link
Member

@givmefive5 it has been implemented, pushed to master, and coming up in the next version.

@matthewgo
Copy link

Thank you, will check it out 👍

hutchic added a commit that referenced this issue Nov 21, 2019
)

* chore(ci) [skip travis] move nightly releases to Jenkins

* [skip travis]

* [skip travis] split plugin tests out and login to docker when building the docker test image

* [skip travis] try a different way of defining the KONG_VERSION env

* [skip travis] skip the problematic builds

* [skip travis] move the daily deploys out of travis.yml

* [skip travis] wip debugging a sporadically failing test

* fix(tests) adjust how we run the report mock server for a more reliable test

* chore(ci) debug the environment variables available in jenkins [skip travis]

* chore(ci) set the repository os name environment variable [skip travis]

* test(reports) adjust how we check if the report server can run

* chore(ci) adjust the jenkins setup [skip travis]

* chore(wip) remove the integration tests to focus on getting the nightly releases to work

* fix(ci) adjust how set set the bintray credentials [skip travis]

* wip -- debugging daily releases to bintray [skip travis]

* chore(ci) run only the xenial release [skip travis]

* chore(ci) re-enable tests and other distribution releases

* chore(ci) add the CI cron trigger

chore(dependency) bump the kong-build-tools dependency (#168)

chore(dependencies) adjust kong-build-tools dependency pin (#169)

* chore(dependency) bump the kong-build-tools dependency

* chore(ci) unpin the jenkins build from the kong-build-tools branch

chore(nightly) build nightly arm release (#171)

chore(ci) adjust cache settings for xenail nightly builds (#173)
hutchic added a commit that referenced this issue Nov 21, 2019
)

* chore(ci) [skip travis] move nightly releases to Jenkins

* [skip travis]

* [skip travis] split plugin tests out and login to docker when building the docker test image

* [skip travis] try a different way of defining the KONG_VERSION env

* [skip travis] skip the problematic builds

* [skip travis] move the daily deploys out of travis.yml

* [skip travis] wip debugging a sporadically failing test

* fix(tests) adjust how we run the report mock server for a more reliable test

* chore(ci) debug the environment variables available in jenkins [skip travis]

* chore(ci) set the repository os name environment variable [skip travis]

* test(reports) adjust how we check if the report server can run

* chore(ci) adjust the jenkins setup [skip travis]

* chore(wip) remove the integration tests to focus on getting the nightly releases to work

* fix(ci) adjust how set set the bintray credentials [skip travis]

* wip -- debugging daily releases to bintray [skip travis]

* chore(ci) run only the xenial release [skip travis]

* chore(ci) re-enable tests and other distribution releases

* chore(ci) add the CI cron trigger

chore(dependency) bump the kong-build-tools dependency (#168)

chore(dependencies) adjust kong-build-tools dependency pin (#169)

* chore(dependency) bump the kong-build-tools dependency

* chore(ci) unpin the jenkins build from the kong-build-tools branch

chore(nightly) build nightly arm release (#171)

chore(ci) adjust cache settings for xenail nightly builds (#173)
hutchic pushed a commit that referenced this issue Jun 10, 2022
### Summary

#### libyaml 0.2.2 release

- #95 -- build: do not install config.h
- #97 -- appveyor.yml: fix Release build
- #103 -- Remove unused code in yaml_document_delete
- #104 -- Allow colons in plain scalars inside flow collections
- #109 -- Fix comparison in tests/run-emitter.c
- #117 -- Fix typo error
- #119 -- The closing single quote needs to be indented...
- #121 -- fix token name typos in comments
- #122 -- Revert removing of open_ended after top level plain scalar
- #125 -- Cherry-picks from PR 27
- #135 -- Windows/C89 compatibility
- #136 -- allow override of Windows static lib name

#### libyaml 0.2.3 release

- #130 Fixed typo.
- #144 Fix typo in comment
- #140 Use pointer to const for strings that aren't/shouldn't be modified
- #128 Squash a couple of warnings in example-deconstructor-alt
- #151 Fix spelling for error message
- #161 Make appveyor config be a hidden file
- #159 Add CHANGES file
- #160 Always output document end before directive (YAML 1.2 compatibility)
- #162 Output document end marker after open ended scalars
- #157 change cmake target name from libOFF.a to libyaml.a
- #155 include/yaml.h: fix comments
- #169 Fixed missing token in example
- #127 Avoid recursion in the document loader.
- #172 Support %YAML 1.2 directives
- #66 Change dllexport controlling macro to use _WIN32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports. plugins/oauth2
Projects
None yet
Development

No branches or pull requests