Implementing an OAuth Client to authenticate via external api


Hayden Young

Oct 23, 2014, 6:07:40 PM
to joomla-de...@googlegroups.com
I have an external REST API which I would like to authenticate a user against. The REST API authorizes access via OAuth2 and I have successfully connected to it using the OAuth2Client class which now comes as part of the Joomla library.

The current issue I'm facing is that I haven't been able to work out the best way to present the user with a clear workflow from Joomla, to the external OAuth authentication form and then back into Joomla, where the user's unique id (from the external REST calls) could be used to authenticate the user and authorize their access across the site.

I'm interested to know if others have successfully implemented OAuth2 authentication/authorization from an external site (I'm using something called ORCID, but after looking at the new Joomla OAuth2 libs I see that Facebook and Google have similar implementations), and, if so, whether they could share their experience.

My initial thought was to use Joomla's authentication framework and create a plugin to handle this, but for various reasons I cannot hook into the com_users login component.

Is there a way to implement external OAuth2 authorization without needing to build a component simply to handle the redirect, i.e. use a module for the link out to the external login form, then use a plugin to handle the callback from the external site?

I've noticed there is a way to pass a web application to the OAuth2Client, so I'm wondering if there is something here that could help; for example, extending the JApplicationWeb class and providing some kind of callback to handle successful authorization.

Any help would be much appreciated; also this is an OSS project so it is something that would be available to the entire community.

Cheers


Hayden

Michael Babker

Oct 23, 2014, 7:27:09 PM
to joomla-de...@googlegroups.com
I'm trying to think of componentless possibilities, but truthfully I have nothing that doesn't use com_users for routing purposes. You should be able to put your authentication code into an authentication plugin and write a module that handles the user interaction for it (the login/logout form, whatever it may be), and the module points to the standard com_users login/logout actions. The plugin should be able to work with your specific data by pulling the input object from the application, then map the responses and data to the expected returns in Joomla (look at JApplicationCms::login(), JAuthentication::authenticate(), and PlgAuthenticationJoomla to get an idea).

--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-gene...@googlegroups.com.
To post to this group, send email to joomla-de...@googlegroups.com.
Visit this group at http://groups.google.com/group/joomla-dev-general.
For more options, visit https://groups.google.com/d/optout.

Hayden Young

Oct 23, 2014, 10:17:04 PM
to joomla-de...@googlegroups.com
Thanks for the feedback, Michael.

Following on from your reply (actually, com_users is exactly what I would prefer to use for routing the authentication), I created a module which posts a form token to the com_users login, which fires my ORCID authentication plugin. The plugin then sets up an OAuth request and the user is redirected to the ORCID login screen, where they can a) authenticate their details and b) authorize Joomla to access their account id (and possibly other information as well).

Everything works perfectly up to here, with my next idea being that I could redirect from the ORCID login back through my authentication plugin and check for the auth code and, if present, request the accompanying access token. Unfortunately, trying to get back through the com_users login fails because I cannot pass the form token on the query string; instead I need another form post, which is not possible from the redirect URL.

I'm wondering if there is another way to redirect back to Joomla and fire the onAuthenticate event without needing to go through the com_users login.

Thanks for the assistance.

Michael Babker

Oct 23, 2014, 10:35:11 PM
to joomla-de...@googlegroups.com
You could in theory "trick" the application into doing it with a system plugin listening to the onAfterRoute event (you couldn't use onAfterInitialise here as the URI hasn't been processed or injected into JInput yet), then check for specific routing. I'd redirect the ORCID app back to the com_users login task, then listen with the onAfterRoute event for a request to that task and check if it's coming from your application somehow (the referral headers, passing a token of some form, etc.). If it matches the criteria, have the plugin trigger $app->login(), which will start the login routines and trigger the authentication plugin.

Hayden Young

Oct 25, 2014, 9:21:47 AM
to joomla-de...@googlegroups.com
Agreed, I could definitely see this working as a way around the com_users login token check.

So my thought is to, as you say, intercept and check for a very specific URL, maybe ?option=com_users&task=user.login&code=[code] (or I could even change the task to something like task=user.authorize).

I could then fire a different event from the system plugin, perhaps something like PlgAuthenticationOrcid::onUserAuthorize to convert the code to a request token and complete the authorization.

Thanks again for the direction.


Cheers


Hayden
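As an added illustration of the approach discussed in the two messages above (a system plugin intercepting the provider's redirect on onAfterRoute and handing the code to the normal login pipeline), here is a sketch of such a plugin. It is example code, not the jspace-extras plugin; the class name, the session namespace and the `oauth2_code` credential key are assumptions, and it assumes the module that sent the user to the provider stored a random `state` value in the session so the callback can be tied to the browser session that started the flow (without that check an attacker could log a victim into the attacker's provider account).

```php
<?php
// Hypothetical plugins/system/oauth2cb/oauth2cb.php (Joomla 3 API; not the jspace-extras code).
defined('_JEXEC') or die;

class PlgSystemOauth2cb extends JPlugin
{
    // onAfterRoute runs after the URI has been parsed into JInput but before
    // com_users dispatches, so the GET callback never hits the form-token check.
    public function onAfterRoute()
    {
        $app   = JFactory::getApplication();
        $input = $app->input;

        if ($app->isAdmin()
            || $input->getCmd('option') !== 'com_users'
            || $input->getCmd('task') !== 'user.authorize')
        {
            return; // Not the provider callback; let Joomla route normally.
        }

        // The module that built the provider URL stored this value (assumption).
        $session  = JFactory::getSession();
        $expected = $session->get('state', null, 'plg_system_oauth2cb');
        $session->clear('state', 'plg_system_oauth2cb'); // single use

        // Compare in constant time (hash_equals needs PHP 5.6+); reject on mismatch.
        $state = $input->getString('state', '');
        if ($expected === null || !hash_equals($expected, $state))
        {
            $app->enqueueMessage('Invalid or expired OAuth2 state; please sign in again.', 'error');
            $app->redirect(JRoute::_('index.php?option=com_users&view=login', false));
        }

        $code = $input->getString('code', '');
        if ($code === '')
        {
            $app->enqueueMessage('The provider did not return an authorization code.', 'error');
            $app->redirect(JRoute::_('index.php?option=com_users&view=login', false));
        }

        // JApplicationCms::login() -> JAuthentication::authenticate() -> each
        // authentication plugin's onUserAuthenticate(). The ORCID plugin reads
        // $credentials['oauth2_code'], exchanges it for a token and fills the
        // JAuthenticationResponse; 'silent' suppresses Joomla's own error messages.
        $credentials = array('username' => '', 'password' => '', 'oauth2_code' => $code);
        $options     = array('remember' => false, 'silent' => true);

        $view = ($app->login($credentials, $options) === true) ? 'profile' : 'login';
        $app->redirect(JRoute::_('index.php?option=com_users&view=' . $view, false));
    }
}
```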

Matt Thomas

Oct 28, 2014, 11:27:18 AM
to Joomla! General Development
Hi Hayden,

I have been watching this thread with particular interest; it would be great if it's possible to collaborate on a reusable solution for OAuth authentication. With what you have done so far, do you think that is possible? Is there any chance that any of your work is available so that others could take a look at it and work together?

Hayden Young

Oct 28, 2014, 3:15:32 PM
to joomla-de...@googlegroups.com
Hi Matt,

Yes, I am just finishing the coding of my particular implementation now, but it will shortly be available via GitHub (http://github.com/knowledgearc/jspace-extras). It is GPL, so free for anyone to extend. Michael Babker pointed me in the direction of a system plugin, which I have implemented successfully, and I have tried to make it as "pluggable" as possible with the existing authentication plugin events. However, I'm sure more improvements could be made by other members of the community such as yourself.

As soon as I have pushed my updates I will post back here with a specific link to the code on GitHub.

Thanks for your interest.

Cheers


Hayden

Matt Thomas

Oct 29, 2014, 9:13:20 AM
to Joomla! General Development
Hello Hayden,

That's excellent. I look forward to seeing what you come up with and contributing back what I can.

Thank you!

Hayden Young

Oct 29, 2014, 7:11:59 PM
to joomla-de...@googlegroups.com
Please find the current system OAuth2 plugin available at https://github.com/knowledgearc/jspace-extras/tree/master/plugins.

./system/oauth2 contains a plugin for listening for OAuth2 codes and tokens and firing the appropriate events.

./authentication/orcid provides an example of authenticating and authorizing a user via the ORCID OAuth2 3-step handshake. It is worth noting that this is more than an example; this will actually be used in production environments.

The code is GPL, so please feel free to use and extend what is there. Any comments/criticisms welcome.

Cheers


Hayden