OAuth Example


OAuth Example

uris77
I'm looking for an example of authenticating with an OAuth Server from a ratpack application. Have been googling around and haven't been able to find an example.
Re: OAuth Example

rus
Re: OAuth Example

uris77
Yeah, I looked at it, but couldn't understand what was going on. Found it hard to try to make some sense out of it.

Re: OAuth Example

uris77
In reply to this post by rus
Woot! Woot! I got it working. Don't know if this is the place to ask this question, but I noticed that the Google Client adds a query param to the end of my callback (call_back=Google2Client). Does anyone know how to remove this?

Re: OAuth Example

leleuj
Hi,

I'm the creator of pac4j and contributor of the ratpack-pac4j module.

ratpack-pac4j is a library to protect a Ratpack application and delegate authentication to Facebook, Twitter, ...

I will provide new documentation in the Ratpack manual for pac4j when I get the chance.

You have two ways to use pac4j in Ratpack:
- the quick and easy way: you can protect your whole application with one identity provider by using the Pac4jModule (the Javadoc is very clear: https://github.com/ratpack/ratpack/blob/master/ratpack-pac4j/src/main/java/ratpack/pac4j/Pac4jModule.java)
- the more powerful way: you can define for each url of your application which identity providers should be required for authentication, this is what is implemented in the ratpack-pac4j-demo: https://github.com/leleuj/ratpack-pac4j-demo/blob/master/src/main/java/org/leleuj/AppHandlerFactory.java

The flow:
- a user tries to access a protected area and is redirected to the identity provider (like Facebook)
- he logs in successfully and is redirected back to the callback URL of the application with some additional information
- the application uses this additional information to finish the authentication process and retrieve the user's profile.

For each identity provider, you need a callback URL to which the identity provider will redirect the user back with that additional information.
The demo uses several identity providers through several protocols (a SAML IdP, Facebook, Twitter, a CAS server...). For each identity provider, a callback URL is necessary for the authentication process to happen. However, you can group all identity providers on the same callback URL (if you want to avoid having n callback URLs) by using the org.pac4j.core.client.Clients class. In that case, the callback URLs share the same prefix and carry a specific parameter, client_name, to define which identity provider is associated with each one.

So, to answer your question: if you want to remove this specific parameter, client_name, you need to use one distinct callback URL for each identity provider and you must not group all identity providers (with the Clients class).

Hope it's clearer...
Best regards,
Jérôme
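The three-step flow and the two callback layouts described in the reply above, as an added, constructed walk-through that is not pac4j or Ratpack code. The IdentityProvider, Client, Clients and run_flow names, the provider URLs and the user "alice" are stand-ins chosen for this example; only the client_name parameter, the Google2Client name and the two localhost callback URLs come from the thread. The `state` round-trip check is a standard OAuth CSRF precaution added here, not something the thread discusses.

```python
"""Constructed simulation of delegated authentication with one callback URL
per identity provider versus all providers grouped on one callback URL."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_NAME_PARAM = "client_name"  # the parameter the grouped layout adds


class IdentityProvider:
    """Stand-in for Facebook, Google, a CAS server, ... (constructed)."""

    def __init__(self, name, authorize_url):
        self.name = name
        self.authorize_url = authorize_url
        self._issued = {}  # one-time code -> profile data

    def login(self, redirect_uri, state, user):
        """Step 2: the user authenticates here and is sent back to the
        application's callback URL with a one-time code and the echoed state."""
        code = secrets.token_urlsafe(16)
        self._issued[code] = {"id": user, "provider": self.name}
        sep = "&" if urlsplit(redirect_uri).query else "?"
        return redirect_uri + sep + urlencode({"code": code, "state": state})

    def exchange(self, code):
        """Step 3 (provider side): a code can be redeemed exactly once."""
        return self._issued.pop(code)  # KeyError on unknown or reused code


class Client:
    """One configured identity provider, like Google2Client or FacebookClient."""

    def __init__(self, name, idp, callback_url=None):
        self.name, self.idp, self.callback_url = name, idp, callback_url

    def redirect_url(self, state):
        """Step 1: where the application sends an unauthenticated user."""
        return self.idp.authorize_url + "?" + urlencode(
            {"redirect_uri": self.callback_url, "state": state})


class Clients:
    """Groups several clients on a single callback URL.  Each client's callback
    becomes <callback>?client_name=<name>, the parameter the poster noticed."""

    def __init__(self, callback_url, *clients):
        self.by_name = {}
        for client in clients:
            client.callback_url = callback_url + "?" + urlencode(
                {CLIENT_NAME_PARAM: client.name})
            self.by_name[client.name] = client

    def find(self, callback_request_url):
        """Pick the client a callback request belongs to."""
        query = parse_qs(urlsplit(callback_request_url).query)
        return self.by_name[query[CLIENT_NAME_PARAM][0]]


def run_flow(client, find_client, user):
    """Drive the three steps end to end; return (callback URL hit, profile)."""
    session = {"state": secrets.token_urlsafe(8)}  # bound to this browser session
    to_idp = client.redirect_url(session["state"])
    redirect_uri = parse_qs(urlsplit(to_idp).query)["redirect_uri"][0]
    callback_hit = client.idp.login(redirect_uri, session["state"], user)
    params = parse_qs(urlsplit(callback_hit).query)
    if params.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback did not start in this session")
    handling_client = find_client(callback_hit)
    profile = handling_client.idp.exchange(params["code"][0])
    return callback_hit, profile


def grouped_callback_flow():
    """All providers share http://localhost:5050/pac4j-callback (constructed IdP URLs)."""
    google = IdentityProvider("Google", "https://accounts.google.example/o/oauth2/auth")
    facebook = IdentityProvider("Facebook", "https://www.facebook.example/dialog/oauth")
    clients = Clients("http://localhost:5050/pac4j-callback",
                      Client("Google2Client", google), Client("FacebookClient", facebook))
    return run_flow(clients.by_name["Google2Client"], clients.find, "alice")


def distinct_callback_flow():
    """One dedicated callback per provider: no client_name parameter appears."""
    google = IdentityProvider("Google", "https://accounts.google.example/o/oauth2/auth")
    client = Client("Google2Client", google, "http://localhost:5050/admin/signInCallback")
    return run_flow(client, lambda url: client, "alice")


if __name__ == "__main__":
    for flow in (grouped_callback_flow, distinct_callback_flow):
        url, profile = flow()
        print(flow.__name__, "->", url, profile)
```

Running it shows the grouped layout landing on `/pac4j-callback?client_name=Google2Client&code=...&state=...` while the distinct layout lands on `/admin/signInCallback?code=...&state=...`; either way the callback path itself must be reachable without a login, or the third step never runs.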

Re: OAuth Example

uris77
Thanks for the feedback. Will play with it some more tonight.

Re: OAuth Example

uris77
In reply to this post by leleuj
Ah, I was making a silly mistake. I was requiring auth for the callback also, so it would never go in. This is what I had:

import com.uris.ratpack.examples.oauth.AuthPathAuthorizer
import org.pac4j.oauth.client.Google2Client
import org.pac4j.oauth.profile.google2.Google2Profile
import ratpack.pac4j.Pac4jModule
import ratpack.session.SessionModule
import ratpack.session.store.MapSessionsModule

import static ratpack.groovy.Groovy.groovyTemplate
import static ratpack.groovy.Groovy.ratpack

ratpack {
    bindings {
        add new SessionModule()
        add new MapSessionsModule(10, 5)
        Google2Client googleClient = new Google2Client("XXXXX", "YYYYY")
        // the callback lives under the "admin" prefix that the authorizer protects
        googleClient.callbackUrl = "http://localhost:5050/admin/signInCallback"
        add new Pac4jModule(googleClient, new AuthPathAuthorizer())
    }
    handlers {
        prefix("admin") {
            get("hello") {
                // Google2Client produces a Google2Profile (the OpenID profile type does not match this client)
                def userProfile = request.get(Google2Profile)
                render groovyTemplate("admin.html")
            }
            // the IdP redirects here, but everything under "admin" requires auth,
            // so the callback is blocked before pac4j can finish the login
            get("signInCallback") { ->
                render groovyTemplate("welcome.html")
            }
        }
    }
}



Thank you for the assistance. I can tolerate the extra query params for now.

Re: OAuth Example

uris77
In reply to this post by uris77
One more question. I have the following:

import com.uris.ratpack.examples.oauth.AuthPathAuthorizer
import org.pac4j.openid.client.GoogleOpenIdClient
import ratpack.pac4j.Pac4jModule
import ratpack.pac4j.internal.Pac4jCallbackHandler
import ratpack.session.SessionModule
import ratpack.session.store.MapSessionsModule

import static ratpack.groovy.Groovy.groovyTemplate
import static ratpack.groovy.Groovy.ratpack

ratpack {
    bindings {
        add new SessionModule()
        add new MapSessionsModule(10, 5)
        bind Pac4jCallbackHandler
        GoogleOpenIdClient openIdClient = new GoogleOpenIdClient()
        // callback is outside the "admin" prefix this time, so it can be reached without a login
        openIdClient.callbackUrl = "http://localhost:5050/pac4j-callback"
        add new Pac4jModule(openIdClient, new AuthPathAuthorizer())
    }

    handlers {
        get {
            render groovyTemplate("index.html", title: "My Ratpack App")
        }

        // the AuthPathAuthorizer decides which paths require a login
        prefix("admin") {
            get("secured") {
                render groovyTemplate("secured.html")
            }
        }

        assets "public"
    }
}

It works, but with the caveat that the location returned to is http://[::1]:5050/#. Is that how it is supposed to work?

Re: OAuth Example

Luke Daley
Administrator
This is arguably a bug in Ratpack. The address http://[::1]:5050/# is the ipv6 equivalent of http://localhost:5050/#. If you don’t tell Ratpack what your public address is, it has to infer it. We need to fix this inference to use the ipv4 conventions so it looks less weird.

If you want to fix it in the meantime, put this in your src/ratpack/ratpack.properties

publicAddress=http://localhost:5050

If you deploy to a public environment, you’ll need to change this.
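The address inference Luke describes, and the explicit `publicAddress` override, as an added, constructed model that is not Ratpack's own code: the thread only says that Ratpack infers the public address when it is not configured, so the `bind_host`/`port` inputs, the function names and the sample properties text are assumptions made for this example. The last function is a practitioner's check the thread does not mention: the origin of the client's `callbackUrl` should agree with the address the application advertises, otherwise the user is sent back to one host by the identity provider and redirected to another afterwards.

```python
"""Constructed model of choosing a public base address: explicit
publicAddress from ratpack.properties, else inferred from the bound socket."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# constructed sample of src/ratpack/ratpack.properties
SAMPLE_PROPERTIES = """\
# development settings
publicAddress=http://localhost:5050
"""


def load_properties(text):
    """Parse key=value lines; '#' lines and blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def infer_public_address(bind_host, port, scheme="http"):
    """Build a base URL from the bound address.  An IPv6 literal has to be
    bracketed, which is how loopback ::1 becomes http://[::1]:5050 rather
    than the http://localhost:5050 a developer expects."""
    try:
        addr = ip_address(bind_host)
    except ValueError:          # a hostname such as "localhost"
        host = bind_host
    else:
        host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"{scheme}://{host}:{port}"


def public_address(config, bind_host, port):
    """Prefer the configured publicAddress; fall back to inference."""
    explicit = config.get("publicAddress")
    if explicit:
        return explicit.rstrip("/")
    return infer_public_address(bind_host, port)


def callback_matches_public_address(public_addr, callback_url):
    """True when the client's callbackUrl shares scheme and host:port with the
    advertised public address, so post-login redirects stay on one origin."""
    a, b = urlsplit(public_addr), urlsplit(callback_url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


if __name__ == "__main__":
    callback = "http://localhost:5050/pac4j-callback"
    inferred = public_address({}, "::1", 5050)
    configured = public_address(load_properties(SAMPLE_PROPERTIES), "::1", 5050)
    for label, addr in (("inferred", inferred), ("configured", configured)):
        print(label, addr, "matches callback:",
              callback_matches_public_address(addr, callback))
```

When the application moves to a public host, `publicAddress` and every client's `callbackUrl` (and the redirect URI registered at the identity provider) have to change together; the check above catches the first two drifting apart.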