Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.9.2
    • Component/s: None
    • Labels:

      Description

      OpenID support for widgets would be really useful, as suggested by Bernhard Hoisl. [1]

      Bryan Copeland indicated that he has already done some OpenID/OAuth work and has provided a very useful proposal (see attached file)

      [1] http://markmail.org/thread/qyjhlm2f3v3cben5

      1. WOOKIE-WookieOpenIDsupport-110711-0506-358.pdf
        103 kB
        Scott Wilson
      2. wookie-oauth.zip
        21 kB
        Hoang Minh Tien
      3. WOOKIE_OPENID_AUTH_FLOW.png
        97 kB
        Scott Wilson
      4. oauth-wookie-patch-0.9.2.txt
        34 kB
        Hoang Minh Tien
      5. oAuthClient.java
        6 kB
        Hoang Minh Tien
      6. oauth_092_patch.txt
        36 kB
        Scott Wilson
      7. hogwarts.info.fundp.ac.be
        1 kB
        Hoang Minh Tien

        Issue Links

          Activity

          Scott Wilson added a comment -

          Note also there is a proposal in the incubator for a common oAuth implementation to use across Apache projects [1].

          I've had some progress on using the Signpost oAuth implementation [2] with services like Twitter. However, the major architectural issue is how consumer keys and secrets are managed. These cannot be distributed with the widget itself; one option is for Wookie to store these separately and have the Wookie admin apply for a consumer key/secret for each widget that needs it. It's a bit time-consuming, but I can't think of an easier workaround.

          [1] http://wiki.apache.org/incubator/AmberProposal
          [2] http://code.google.com/p/oauth-signpost/

          Scott Wilson added a comment -

          This should be a major feature addition for 0.8.2

          Scott Wilson added a comment -

          OpenID proposal submitted by Bryan Copeland (moved from cwiki)

          Scott Wilson added a comment -

          Higher-res version of the flow diagram

          Hoang Minh Tien added a comment - edited

          Dear all,
          We've just implemented a feature to have oAuth supported in wookie. This implementation supports the oAuth implicit grant profile. To make a widget support oAuth, the widget developer has to include some parameters in the configuration file (config.xml). When the widget instance is loaded for the first time or when the access token has expired, the widget always redirects the user to the authorization endpoint to authenticate the user and issue a new access token.
          Please have a look at the attached patch (based on tag 0.9.0), which includes a modification of the wookie server and a sample widget (named oAuth; this widget connects to a sample JSON RPC server to get the data). The widget is pre-configured to point to a server which supports the implicit grant profile.
          Right now, only the JPA model is available in the modification.
          We would highly appreciate your feedback on our implementation and your recommendations to make it better. Thank you very much.
          Best regards,
          Tien.

          Scott Wilson added a comment -

          Thanks for the patch Tien, I'll move this issue forward to 0.9.2 to be sure we review it for potential inclusion in the next release.

          Scott Wilson added a comment -

          I've started to go through the patch - there seems to be a class referred to in various places that isn't in the patch:

          org.apache.wookie.feature.oauth.oAuthClient

          Can you attach this class too?

          Hoang Minh Tien added a comment -

          Thanks Scott, please find the missing piece in the attachment.

          Scott Wilson added a comment -

          Thanks Tien, I've applied all the patches to my local copy of 0.9.2 and got it running. However, the example widget is giving me some problems.

          As supplied, "get quotes" always returns a 403 status code, as the demo server isn't in the access list. However, if I add an access policy for it (e.g. using <access origin="https://hogwarts.info.fundp.ac.be:80"/>), I get a 500 status. Digging a little I can see this is caused by:

          javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

          Presumably this is caused by an invalid certificate on the test server?

          Hoang Minh Tien added a comment - edited

          I think we should import the public cert of the server into the Java keystore. Please download the certificate from the attachment and run keytool with the following command to import it.
          sudo keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -file SOME_WHERE/hogwarts.info.fundp.ac.be -alias hogwarts
          And please remember to add the address https://hogwarts.info.fundp.ac.be to the white list.

          Scott Wilson added a comment -

          Thanks Tien, I added your test server cert to my keystore so I could test a little further.

          On Safari, Chrome and Opera, the widget seems to go in a loop:

          1. on first run, I get automatically redirected to a European Schoolnet OpenID server (which I log into)
          2. I get "identity verified" and press "proceed"
          3. I get the actual widget page with the quote image and "get quote" button
          4. I click "get quote"
          5. I get redirected to (2), and off we go again

          On Firefox, the widget gets stuck:
          1. on first run, I get automatically redirected to a European Schoolnet OpenID server (which I log into)
          2. I get my Profile page. That's it.

          In the first case, taking a look at the actual request being sent, the URL is:

          http://localhost:8080/wookie/proxy?instanceid_key=WXeajzoG98IdbDTabpfz2Y8OsBc.eq.&url=https://hogwarts.info.fundp.ac.be/ITEC/quotes&client_id=WXeajzoG98IdbDTabpfz2Y8OsBc.eq.&access_token=20111025T202126jfpdeRMR8sTVcv9YiRDdN%252FbONYw%253D

          However, if I try to open this in the browser directly it returns

          {"error":"access_denied"}

          which is presumably why it keeps redirecting back to the identity manager.

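          The proxy request and the {"error":"access_denied"} reply quoted above, as an added example that is not part of the patch or of Wookie: it shows that the access_token on the quoted URL is percent-encoded twice (%252F decodes to %2F and only then to /), so a resource server that decodes it once would compare a token that still contains %2F and %3D, and it bounds the number of re-authorisation redirects a widget performs so a rejected token ends in an error instead of a loop. That double encoding is the cause of the loop is an assumption, and MAX_AUTH_REDIRECTS is an assumed limit.

```javascript
// Added example, not code from the Wookie patch: inspect the proxy request
// quoted above and bound the widget's re-authorisation loop.

// Constructed copy of the proxy URL quoted in the comment above.
const PROXY_URL =
  "http://localhost:8080/wookie/proxy?instanceid_key=WXeajzoG98IdbDTabpfz2Y8OsBc.eq." +
  "&url=https://hogwarts.info.fundp.ac.be/ITEC/quotes" +
  "&client_id=WXeajzoG98IdbDTabpfz2Y8OsBc.eq." +
  "&access_token=20111025T202126jfpdeRMR8sTVcv9YiRDdN%252FbONYw%253D";

// Return a query parameter exactly as it appears on the wire, without the
// single decoding pass that URLSearchParams would apply.
function rawQueryParam(url, name) {
  const query = url.slice(url.indexOf("?") + 1);
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    if (eq !== -1 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

// Count percent-decoding passes until the value stops changing.
function encodingDepth(value) {
  let depth = 0, current = value;
  for (;;) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    depth += 1;
    current = next;
  }
  return depth;
}

// Summarise what the resource server receives as the access_token.
function inspectProxyRequest(url) {
  const token = rawQueryParam(url, "access_token") || "";
  const depth = encodingDepth(token);
  let decoded = token;
  for (let i = 0; i < depth; i++) decoded = decodeURIComponent(decoded);
  return { target: rawQueryParam(url, "url"), tokenOnWire: token,
           encodingDepth: depth, decodedToken: decoded };
}

// Widget-side decision after a proxied call. MAX_AUTH_REDIRECTS is an assumed
// limit; the widget in the thread had none and looped on access_denied.
const MAX_AUTH_REDIRECTS = 2;
function nextAction(responseBody, redirectsSoFar) {
  let body;
  try { body = JSON.parse(responseBody); } catch (e) { return "render"; }
  if (body && body.error === "access_denied") {
    return redirectsSoFar < MAX_AUTH_REDIRECTS ? "reauthorize" : "fail";
  }
  return "render"; // any other reply is data for the widget to display
}
```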
          Hoang Minh Tien added a comment -

          I've just re-run the code. I don't know if it is a problem of revision, because the code is based on 0.9.0
          http://svn.apache.org/repos/asf/incubator/wookie/tags/0.9.0-incubating/
          Is the code in trunk 0.9.2?

          Scott Wilson added a comment -

          I've updated the code you provided to work in 0.9.2 - I guess it's possible I made a mistake in porting it.

          (Yes, the trunk is 0.9.2).

          I'll attach a new patch from my update so you can see if you can find the problem.

          Hoang Minh Tien added a comment -

          Thanks Scott, I've tested your patch; it works on my computer with the latest trunk. I also removed the line
          <access origin="https://hogwarts.info.fundp.ac.be:80"/>
          in the config file, compiled and imported the widget, and it runs without problem (an image file is missing in the oAuth widget, but that has nothing to do with the main flow of oAuth).
          I'll do further tests on another computer and return shortly. Thank you again for your prompt support.

          Scott Wilson added a comment -

          Thanks Tien - I added the <access> config for a single widget rather than adding to the global whitelist as this is how I imagine it would have to work in practice (or the admin would have to manually edit the global whitelist for every oAuth-capable widget). I've tried it both ways round and get the same effect.

          One other thing I noticed was an X-Frame security alert in Safari:

          Refused to display document because display forbidden by X-Frame-Options.

          Also, if I reset the browser (clearing cookies) and start from scratch, I never get beyond the profile page without manually refreshing the browser. So it would be worth testing from a clean start in case that shows up the problem.

          Hoang Minh Tien added a comment -

          Thank you very much for your feedback, Scott. Please have a look at the newly updated patch.

          Ross Gardler added a comment -

          I just wanted to say thank you for working on your patch with Scott.
          I'm excited about finally getting OAuth in Wookie. It's not something
          my competencies would enable me to do, to know you and Scott are doing
          a "proper job" of it makes me very happy.

          Thank you.

          Ross

          On 2 November 2011 11:05, Hoang Minh Tien (Updated) (JIRA)

          Hoang Minh Tien added a comment -

          Ross, I'm glad to see you like the work. If it could fit in with the Wookie development roadmap, I will be happy to know that my work is useful. I know that it is a really tiny piece of work in comparison with the great things that the Wookie team has released, so thank you for your encouragement.
          Tien.

          Scott Wilson added a comment -

          I've tested the patch and it works! I've just applied it and committed the changes.

          Scott Wilson added a comment -

          Was added in 0.9.2


            People

            • Assignee: Unassigned
            • Reporter: Ross Gardler