OAuth2 Client Credentials Flow for REST API


Martin Eden

Feb 3, 2017, 5:39:34 AM2/3/17
to pac4j-users
Hi,

I'm implementing a REST API. I just need users to be able to log in with a local username and password - I have no need to authenticate against a third party.

I could just use HTTP Basic Auth. I think it would be better to use OAuth2's Client Credentials Flow; it seems very straightforward.

All I need is to provide an HTTP Basic Auth protected endpoint that generates and issues an access token, and then at all other protected URLs check that the client has supplied a valid access token.

Does pac4j provide any of this out of the box? Looking at the 1.9 Docs it seems like all the OAuth2 stuff is aimed at authenticating with a third party.

If not, how would you recommend I implement this? I think it's just a matter of:
I assume that issuing and tracking access tokens is beyond the scope of pac4j. Any suggested libraries to do that with? Or if I roll my own, any pitfalls to watch out for? I assume it's just a cryptographically secure random number, which I store in my database along with which user it's for and an expiry date.

Thanks for your help!

Martin Eden
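The token scheme sketched in the post above (a cryptographically secure random value stored alongside the user and an expiry), worked through as an added example. This is not code from the thread or from pac4j; it is a stand-alone Python demo (chosen so it runs as-is, although the poster's stack is Java), and the user table, password, salt, TTL and token lengths are constructed for it. It goes slightly beyond the sketch in three places a practitioner would want: the token is stored only as its SHA-256 so a database leak does not yield usable bearer tokens, the Basic Auth check runs the password KDF for unknown users too so timing does not reveal which usernames exist, and expired rows are purged on lookup.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed user store for the demo. Passwords are kept as PBKDF2-HMAC-SHA256
# with a salt (illustrative; tune the work factor or use bcrypt/Argon2 in production).
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


DUMMY_SALT = b"constructed-fixed-salt"  # fixed only so the sample is deterministic
USERS = {
    "alice": {"salt": DUMMY_SALT, "pw_hash": hash_password("correct horse", DUMMY_SALT)},
}
DUMMY_HASH = hash_password("", DUMMY_SALT)  # compared against for unknown users


def basic_header(username: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' header value a client would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def check_basic_auth(header: str):
    """Return the username if the Basic credentials are valid, otherwise None."""
    if not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    user = USERS.get(username)
    # Run the KDF and the comparison for unknown users too, so response time
    # does not reveal which usernames exist.
    salt = user["salt"] if user else DUMMY_SALT
    expected = user["pw_hash"] if user else DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return username if (user and ok) else None


class TokenStore:
    """Opaque bearer tokens: the random value goes to the client, only its SHA-256 is stored."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be tested deterministically
        self._rows = {}         # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = (username, self.clock() + self.ttl)
        return token

    def resolve(self, token: str):
        """Return the owning username for a live token, or None (expired rows are purged)."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        username, expires_at = row
        if self.clock() >= expires_at:
            del self._rows[key]
            return None
        return username

    def revoke(self, token: str) -> None:
        self._rows.pop(self._key(token), None)


def bearer_user(store: TokenStore, header: str):
    """Resolve an 'Authorization: Bearer <token>' header to a username, or None."""
    if not header.startswith("Bearer "):
        return None
    return store.resolve(header[len("Bearer "):].strip())


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    user = check_basic_auth(basic_header("alice", "correct horse"))
    token = store.issue(user)                       # what the /token endpoint would return
    print(bearer_user(store, "Bearer " + token))    # alice
    store.revoke(token)
    print(bearer_user(store, "Bearer " + token))    # None
```

The token is looked up by its hash rather than compared byte-by-byte, so the lookup itself does not need a constant-time compare; the password path does, because there the attacker controls the input being compared against a stored secret. A real service would also rate-limit the token endpoint and put the rows in a database with an index on the hash column.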


Jérôme LELEU

Feb 8, 2017, 3:55:39 AM2/8/17
to Martin Eden, pac4j-users
Hi,

Regarding OAuth, we only support the authorisation code grant type flow (login page at the identity provider).

Are we talking about the resource owner password flow or about the client credentials flow?

In both cases, you can re-use the DirectBasicAuthClient for example and create an Authenticator for the OAuth part.

You can use JWT for the access tokens thanks to the pac4j-jwt module.

Thanks.
Best regards,
Jérôme 
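The reply above suggests JWTs for the access tokens via pac4j-jwt. As an added illustration of what such a token carries and what the resource server has to check before trusting it, here is a minimal HS256 mint/verify pair. This is not pac4j code and does not show the pac4j-jwt API; it is a stand-alone Python demo (the library's language is Java, Python is used here only so the example runs as-is), and the secret, subject and timestamps are constructed for it. The checks are the ones that matter in practice: the algorithm is pinned rather than read from the header, the MAC is compared in constant time, and `exp` is enforced.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: bytes, subject: str, ttl_seconds: int, now: int = None) -> str:
    """Issue a compact HS256 JWT for `subject` that expires `ttl_seconds` after `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}

    def encode(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{encode(header)}.{encode(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(secret: bytes, token: str, now: int = None):
    """Return the claims if `token` is well-formed, carries a valid HS256 MAC under
    `secret` and has not expired; otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the header's 'alg' is compared against the one we expect,
    # never used to select the verification method ("alg":"none" and downgrade attacks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time MAC comparison
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool) or now >= exp:
        return None
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # in production: a random key of at least 256 bits
    token = mint_jwt(secret, "alice", ttl_seconds=3600)
    print(token)
    print(verify_jwt(secret, token))      # {'sub': 'alice', 'iat': ..., 'exp': ...}
    print(verify_jwt(b"wrong-key", token))  # None
```

With self-contained tokens the server keeps no per-token row, which is the trade-off against the opaque-token design: revocation before `exp` needs an extra denylist, so keep the TTL short and rotate the signing secret under a key identifier if it must change.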


