PASOE - Redirect to Auth Server in oauth2 client login model

Posted by brianlafertewk on 22-Aug-2018 14:32

Under 11.7.2, is there a way to configure a web app that is using the client.login.model of 'oauth2' to redirect requests that do not have a valid JWT/OAuth2 token to an authorization server 'automagically'? Rather than giving a user the <oauth><error>unauthorized</error></oauth> response, I'd like to be able to provide a redirect to the auth service.

Using the 'form' model it is simple enough to redirect the user to a loginpage, etc., so that if a user requests a resource that requires a session, they can log in.

For 'oauth2' I see an 'oauth2.resSvc.remoteTokenService.url' parameter in the oeablSecurity.properties.README, which looks promising, but I can't seem to find a combination of settings that 'enable' that sort of service.

Thanks,

Brian

All Replies

Posted by Michael Jacobs on 28-Aug-2018 06:09

Hello Brian,

The 11.7.2/3 default OAuth2 configuration is for a pure OAuth2 Resource Server (aka Data Service). It [currently] does not include the Spring OAuth2 client that would do the redirection to an OAuth2 Authorization Server, where an interactive user login would be managed according to the resource's OAuth2 flow.

As a Resource Server it delegates the OAuth2 Client role to the caller, who may choose their implementation language and OAuth2 client library to fit their requirements. It simply accepts a token, validates it if the caller passes one, and passes a replica of it as a Client-Principal to the ABL application.

The oauth2.resSvc.remoteTokenService.uri property is there for the Resource Server to call the OAuth2 Authorization Server and exchange its issued OAuth2 random access token for an OAuth2 self-contained token (aka ID token) that the Resource Server can use for user-id & role authorization in the server and ABL application. It will do nothing to begin an interactive user login.

Question: is it important that PASOE include the OAuth2 Client configuration for interactive user logins, or will that functionality be better handled in your client's implementation?

Hope this clarifies the current OAuth2 support,

Mike J.

Posted by brianlafertewk on 06-Sep-2018 06:59

Mike,

Thanks for the response.

I currently have an implementation that does use a client to control access to PASOE OAuth2 secured resources. I was investigating other options that might allow direct access to resources (say images) using HTTP from a client browser (which is possible with the PASOE OAuth2 implementation by adding ?access_token=<thetoken>). The problem of course is the message that is returned with a bad token (there is no current way in PASOE 11.7.2/3 to control the messages). An ability to return a redirect to an authentication source would be handy in this case.

Again, thanks for the reply.

Have a great day,

Brian
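As an added illustration of the Resource Server role Mike describes and of the redirect Brian is asking for (example code written for this thread, not PASOE's or Spring Security's own implementation): a small Python gate that takes a bearer token from the Authorization header or from ?access_token=, validates an HS256 JWT, and on failure returns either the <oauth><error>unauthorized</error></oauth> body or a 302 to an authorization-server login URL. The signing key, the login URL and the token claims are constructed demo values.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
# Constructed demo values; a real Resource Server uses the Authorization Server's keys.
SIGNING_KEY = b"demo-secret-not-for-production"
AUTH_SERVER_LOGIN = "https://auth.example.invalid/oauth/authorize"  # assumed URL
OAUTH_ERROR_BODY = "<oauth><error>unauthorized</error></oauth>"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key=SIGNING_KEY):
    """Mint an HS256 JWT; only used here to build sample input for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token, key=SIGNING_KEY, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" or any unexpected algorithm
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None

def guard(path, headers, query, redirect_to_login=False):
    """Resource-server gate returning (status, headers, body). The token comes from
    the Authorization header or, as the thread mentions, from ?access_token=."""
    auth = headers.get("Authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else query.get("access_token", "")
    claims = validate_token(token) if token else None
    if claims:
        # PASOE would hand a replica of these claims to ABL as a Client-Principal.
        return 200, {}, {"user": claims.get("sub"), "roles": claims.get("roles", [])}
    if redirect_to_login:  # the behaviour Brian asks for, not what 11.7.2/3 ships
        location = AUTH_SERVER_LOGIN + "?" + urlencode({"redirect_uri": path})
        return 302, {"Location": location}, ""
    return 401, {"Content-Type": "application/xml"}, OAUTH_ERROR_BODY  # current behaviour
```

Passing the token as a query parameter works for direct browser fetches, as Brian notes, but it also lands in access logs and referer headers, which is why the Authorization header path is checked first.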

Posted by goo on 06-Sep-2018 21:43

I am not sure if my approach is usable, but we have a webpage in WebSpeed that initiates the communication with the authorization part, doing a redirect, getting a code, and then uses WebClient (httprequest) to ask for the token, and this works.

I would love to do this using oAuth2, but haven’t been able to figure it out. It’s a bit frustrating to get good help from the authorization part.
