Commit c234a23c authored by Bojan Bogdanovic's avatar Bojan Bogdanovic

Issue #3263631: Create dedicated authorization server service and implement...

Issue #3263631: Create dedicated authorization server service and implement new (scope/consumer) data model
parent 68a388f4
+9 −18
@@ -12,31 +12,22 @@ This module uses the fantastic PHP library [OAuth 2.0 Server](http://oauth2.thep
[![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)

### Quick demo (Password Grant)
### Quick demo (Client Credentials Grant)

1. Install the module using Composer: `composer require drupal/simple_oauth:8.x-2.x`. You can use any other installation method, as long as you install the [OAuth2 Server](https://github.com/thephpleague/oauth2-server) composer package.
1. Install the module using Composer: `composer require drupal/simple_oauth:6.0.x'`. You can use any other installation method, as long as you install the [OAuth2 Server](https://github.com/thephpleague/oauth2-server) composer package.
2. Generate a pair of keys to encrypt the tokens. And store them outside of your document root for security reasons.
```
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
```
3. Save the path to your keys in: `/admin/config/people/simple_oauth`.
3. Go to [REST UI](https://drupal.org/project/restui) and enable the _oauth2_ authentication in your resource.
4. Create a Client Application by going to: `/admin/config/services/consumer/add`.
5. Create a token with your credentials by making a `POST` request to `/oauth/token`. See [the documentation](http://oauth2.thephpleague.com/authorization-server/resource-owner-password-credentials-grant/) about what fields your request should contain.
6.  (Not shown) Permissions are set to only allow to view nodes via REST with the authenticated user.
7.  Request a node via REST without authentication and watch it fail.
8.  Request a node via REST with the header `Authorization: Bearer {YOUR_TOKEN}` and watch it succeed.

![Simple OAuth animation](https://www.drupal.org/files/project-images/simple_oauth_2.gif)

### Video tutorials

[![](https://www.drupal.org/files/2015-12-10%2009-04-11.png)](https://youtu.be/kohs5MXESXc) Watch a detailed explanation on how to use this module in the video tutorials:

1.  [Basic configuration.](https://youtu.be/kohs5MXESXc)
2.  [Refresh your tokens.](https://youtu.be/E-wUKkQa1OM)
3.  [Add extra security with resources.](https://youtu.be/PR0oBCCSxgE)
4. Go to `/admin/modules` and enable the `JSON:API` module.
5. Go to `/admin/people/permissions` and allow the permission `View published content` only for authenticated user.
6. Create a scope by going to: `/admin/config/people/simple_oauth/oauth2_scope/dynamic/add`, enable the `Client Credentials` grant type and set permission to `access content`.
7. Create a Client Application by going to: `/admin/config/services/consumer/add`, enable the `Client Credentials` grant type, set User under `Client Credentials settings` and set `Is Confidential?` to true.
8. Create a token with your credentials by making a `POST` request to `/oauth/token`. See [the documentation](https://oauth2.thephpleague.com/authorization-server/client-credentials-grant/) about what fields your request should contain.
9. Request a node via JSON:API without authentication and watch it fail, e.g: `/jsonapi/node/{bundle}?page[limit]=1`.
10. Request a node via JSON:API with the header `Authorization: Bearer {YOUR_TOKEN}` and watch it succeed.

### My token has expired!

+1 −3
@@ -201,7 +201,6 @@ function simple_oauth_update_8604() {
    ->setDescription(new TranslatableMarkup('The number of seconds that the refresh token will be valid.'))
    ->setRevisionable(TRUE)
    ->setTranslatable(FALSE)
    ->setRequired(TRUE)
    ->setSetting('unsigned', TRUE)
    ->setDefaultValue(1209600);

@@ -268,7 +267,6 @@ function simple_oauth_update_8606() {
    $consumer->set('remember_approval', $remember_clients);
    $consumer->set('access_token_expiration', $access_token_expiration);
    $consumer->set('refresh_token_expiration', $refresh_token_expiration);
  }

    $consumer->save();
  }
}
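Review bot: Dropping `->setRequired(TRUE)` inside simple_oauth_update_8604() only changes sites that have not yet run that update; any site on which 8604 has already been applied keeps the required flag on the refresh-token expiration field, and the matching removal in simple_oauth_entity_base_field_info() in simple_oauth.module then leaves the code definition out of step with the installed one, which Drupal surfaces as mismatched entity/field definitions on the status report. The usual fix is a new update hook that reloads the installed definition and pushes the change, e.g. `$manager = \Drupal::entityDefinitionUpdateManager();` followed by `$manager->updateFieldStorageDefinition($manager->getFieldStorageDefinition('<field name>', '<entity type id>'));` — the field appears to be `refresh_token_expiration` on the consumer entity from the second hunk, but neither value is stated in this hunk, so confirm them. Both simple_oauth_update_8604() and simple_oauth_update_8606() begin outside their hunks, and the rendered page does not make clear which of the closing braces around `$consumer->save();` in the second hunk is old and which is new, so the loop boundary there is worth a check against the raw diff.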
+0 −1
@@ -155,7 +155,6 @@ function simple_oauth_entity_base_field_info(EntityTypeInterface $entity_type) {
      ])
      ->setRevisionable(TRUE)
      ->setTranslatable(FALSE)
      ->setRequired(TRUE)
      ->setSetting('unsigned', TRUE)
      ->setDefaultValue(1209600);

+12 −11
@@ -34,6 +34,17 @@ services:
    class: Drupal\simple_oauth\Normalizer\RefreshTokenEntityNormalizer
    tags:
      - { name: normalizer, priority: 20 }
  simple_oauth.server.authorization_server.factory:
    class: Drupal\simple_oauth\Server\AuthorizationServerFactory
    arguments:
      - '@config.factory'
      - '@file_system'
      - '@plugin.manager.oauth2_grant.processor'
      - '@simple_oauth.repositories.client'
      - '@simple_oauth.repositories.scope'
      - '@simple_oauth.repositories.access_token'
      - '@simple_oauth.repositories.refresh_token'
      - '@simple_oauth.server.response_type'
  simple_oauth.server.resource_server:
    class: Drupal\simple_oauth\Server\ResourceServer
    arguments:
@@ -46,10 +57,7 @@ services:
    arguments: [ '@entity_type.manager', '@password' ]
  simple_oauth.repositories.scope:
    class: Drupal\simple_oauth\Repositories\ScopeRepository
    arguments: [ '@entity_type.manager' ]
  simple_oauth.repositories.user:
    class: Drupal\simple_oauth\Repositories\UserRepository
    arguments: [ '@user.auth' ]
    arguments: [ '@entity_type.manager', '@simple_oauth.oauth2_scope.provider' ]
  simple_oauth.repositories.access_token:
    class: Drupal\simple_oauth\Repositories\AccessTokenRepository
    arguments: [ '@entity_type.manager', '@serializer' ]
@@ -73,13 +81,6 @@ services:
  plugin.manager.oauth2_grant.processor:
    class: Drupal\simple_oauth\Plugin\Oauth2GrantManager
    parent: default_plugin_manager
    arguments:
      - '@simple_oauth.repositories.client'
      - '@simple_oauth.repositories.scope'
      - '@simple_oauth.repositories.access_token'
      - '@simple_oauth.repositories.refresh_token'
      - '@config.factory'
      - '@simple_oauth.server.response_type'
  plugin.manager.oauth2.scope:
    class: Drupal\simple_oauth\Plugin\Oauth2ScopeManager
    arguments: [ '@module_handler', '@cache.discovery', '@language_manager', '@plugin.manager.oauth2_grant.processor', '@user.permissions' ]
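Review bot: The `simple_oauth.repositories.user` service is deleted in the second hunk while `simple_oauth.repositories.scope` gains a dependency on `simple_oauth.oauth2_scope.provider`, and neither the removal of every remaining consumer of the user repository nor the definition of the scope provider is visible here; a stale `@simple_oauth.repositories.user` argument elsewhere (a grant plugin, for instance) or an undefined provider fails at container compile time rather than on a request, so both are worth confirming within this commit. The new `simple_oauth.server.authorization_server.factory` takes the four repositories that the third hunk strips from `plugin.manager.oauth2_grant.processor`, which looks deliberate, but because the factory itself depends on that plugin manager, the manager (and the grant plugins it instantiates) must not reach back to the factory or the container will report a circular reference. A one-line comment above the factory, `# Builds the league/oauth2-server AuthorizationServer; grant types are supplied by plugin.manager.oauth2_grant.processor.`, would make the new ownership explicit.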
+3 −2
@@ -3,6 +3,7 @@
namespace Drupal\simple_oauth\Annotation;

use Drupal\Component\Annotation\Plugin;
use Drupal\Core\Annotation\Translation;

/**
 * Defines a OAuth2 Grant item annotation object.
@@ -19,7 +20,7 @@ class Oauth2Grant extends Plugin {
   *
   * @var string
   */
  public $id;
  public string $id;

  /**
   * The label of the plugin.
@@ -28,6 +29,6 @@ class Oauth2Grant extends Plugin {
   *
   * @ingroup plugin_translatable
   */
  public $label;
  public Translation $label;

}
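Review bot: Typing the annotation properties as `string $id` and `Translation $label` turns them from implicitly-null into uninitialized: the parent `Plugin` class receives the annotation values through its constructor (outside this hunk), so nothing visible assigns these properties, and any code that reads `$annotation->label` now raises an `Error` for an uninitialized typed property where it previously got `null`. If, as is common for these annotation classes, the properties exist only to document the keys for the annotation reader, then the `Translation` type is also misleading, since after parsing the plugin definition carries the annotation's `get()` result (a TranslatableMarkup) rather than the `Translation` object; either keep the untyped properties with their existing `@var` docblocks, or add a line such as ` * Note: plugin definitions hold the parsed TranslatableMarkup for this key, not the Translation annotation itself.` to the `$label` docblock. The `class Oauth2Grant extends Plugin` declaration starts outside the hunk.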