mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-05 11:51:16 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
997d8eabfdcd74fba6602630e17fa187a2a4fcf8
opencloud/docs/apis/http/authorization.md
Amrita 52b00b116f update tests related content (#8809)
2024-04-10 17:12:28 +05:45

143 lines
5.3 KiB
Markdown
Raw Blame History

---
title: Authorization
weight: 40
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/apis/http/
geekdocFilePath: authorization.md
---
In its default configuration, Infinite Scale supports three authentication methods as outlined on the [OIDC official site](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3):
1. Authorization Code Flow
2. Implicit Flow
3. Hybrid Flow
For detailed information on Infinite Scale's support for OpenID Connect (OIDC), please consult the [OIDC section](https://owncloud.dev/ocis/identity-provider/oidc).
To authenticate a client app using OIDC, both `client_id` and `client_secret` are essential. Infinite Scale does not offer dynamic registration. The required data for the default [ownCloud clients](https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) can be found in the link and are availble for the following apps:
- Desktop
- Android
- iOS
While selecting an ownCloud client for authentication, take note of specific limitations such as the `Redirect URI`:
| Source | Redirect URI |
|------|--------|
|Android|oc://android.owncloud.com|
|iOS|oc://ios.owncloud.com|
|Desktop|http://127.0.0.1 <br> http://localhost |
In this example, the desktop app's `client_id` and `client_secret` are being used.
```bash
client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
client_secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
```
## Authorization Code Flow
1. Requesting authorization
To initiate the OIDC Code Flow, you can use tools like curl and a web browser.
The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
```plaintext
https://ocis.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=code&redirect_uri=http://path-to-redirect-uri
```
After a successful authentication, the browser will redirect to a URL that looks like this:
```plaintext
http://path-to-redirect-uri?code=mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw&scope=openid%20profile%20email%20offline_access&session_state=32b08dd...&state=
```
For the next step extract the code from the URL.
In the above example,
the code is `mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw`
2. Requesting an access token
The next step in the OIDC Code Flow involves an HTTP POST request
to the token endpoint of the **Infinite Scale Identity Server**.
```bash
curl -vk -X POST https://ocis.test/konnect/v1/token \
-d "grant_type=authorization_code" \
-d "code=3a3PTcO-WWXfN3l1mDN4u7G5PzWFxatU" \
-d "redirect_uri=http:path-to-redirect-uri" \
-d "client_id=client_id" \
-d "client_secret=client_secret"
```
Response looks like this:
```json
{
"access_token": "eyJhbGciOid...",
"token_type": "Bearer",
"id_token": "eyJhbGciOi...",
"refresh_token": "eyJhbGciOiJ...",
"expires_in": 300
}
```
3. Refreshing an access token
If the access token has expired, you can get a new one using the refresh token.
```bash
curl -vk -X POST https://ocis.test/konnect/v1/token \
-d "grant_type=refresh_token" \
-d "refresh_token=eyJhbGciOiJ..." \
-d "redirect_uri=http://path-to-redirect-uri" \
-d "client_id=client_id" \
-d "client_secret=client_secret"
```
Response looks like this:
```json
{
"access_token": "eyJhbGciOi...",
"token_type": "Bearer",
"expires_in": 300
}
```
## Implicit Code Flow
When using the implicit flow, tokens are provided in a URI fragment of the redirect URL.
Valid values for the `response_type` request parameter are:
- token
- id_token token
{{< hint type=warning title="Important Warning" >}}
If you are using the implicit flow, `nonce` parameter is required in the initial `/authorize` request.
`nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=`
bash command to generate cryptographically random value
```bash
openssl rand -base64 32
```
{{< /hint >}}
The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
```bash
https://ocis.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=id_token+token&redirect_uri=http://path-to-redirect-uri&nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=
```
After a successful authentication, the browser will redirect to a URL that looks like this:
```bash
http://path-to-redirect-uri#access_token=eyJhbGciOiJQUzI...&expires_in=300&id_token=eyJhbGciOiJ...&scope=email%20openid%20profile&session_state=c8a1019f5e054d...&state=&token_type=Bearer
```
For the next step, extract the access_token from the URL.
```bash
access_token = 'eyJhbGciOiJQ...'
```
## Hybrid Flow
The Hybrid Flow in OpenID Connect melds features from both the Implicit and Authorization Code flows. It allows clients to directly retrieve certain tokens from the Authorization Endpoint, yet also offers the option to acquire additional tokens from the Token Endpoint.
The Authorization Server redirects back to the client with appropriate parameters in the response, based on the value of the response_type request parameter:
- code token
- code id_token
- code id_token token
Reference in New Issue View Git Blame Copy Permalink