OAuthServer - harden things up a bit
Summary: This is the hardening work mentioned in T887#86529. Also take a documentation pass for accuracy about these changes and formatting. Ref T4593. Test Plan: unit tests...! generated diviner docs and oauthserver doc looked good Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T4593 Differential Revision: https://secure.phabricator.com/D11298
This commit is contained in:
Bob Trahan
@@ -18,20 +18,20 @@ clients that implement OAuth 2.0.
|
||||
|
||||
= Vocabulary =
|
||||
|
||||
- **Access token** - a token which allows a client to ask for data on
|
||||
behalf of a resource owner. A given client will only be able to access
|
||||
data included in the scope(s) the resource owner authorized that client for.
|
||||
- **Access token** - a token which allows a client to ask for data on behalf
|
||||
of a resource owner. A given client will only be able to access data included
|
||||
in the scope(s) the resource owner authorized that client for.
|
||||
- **Authorization code** - a short-lived code which allows an authenticated
|
||||
client to ask for an access token on behalf of some resource owner.
|
||||
client to ask for an access token on behalf of some resource owner.
|
||||
- **Client** - this is the application or system asking for data from the
|
||||
OAuth Server on behalf of the resource owner.
|
||||
OAuth Server on behalf of the resource owner.
|
||||
- **Resource owner** - this is the user the client and OAuth Server are
|
||||
concerned with on a given request.
|
||||
concerned with on a given request.
|
||||
- **Scope** - this defines a specific piece of granular data a client can
|
||||
or can not access on behalf of a user. For example, if authorized for the
|
||||
"whoami" scope on behalf of a given resource owner, the client can get the
|
||||
results of Conduit.whoami for that resource owner when authenticated with
|
||||
a valid access token.
|
||||
or can not access on behalf of a user. For example, if authorized for the
|
||||
"whoami" scope on behalf of a given resource owner, the client can get the
|
||||
results of Conduit.whoami for that resource owner when authenticated with
|
||||
a valid access token.
|
||||
|
||||
= Setup - Creating a Client =
|
||||
|
||||
@@ -46,16 +46,16 @@ following parameters:
|
||||
|
||||
- Required - **client_id** - the id of the newly registered client.
|
||||
- Required - **response_type** - the desired type of authorization code
|
||||
response. Only code is supported at this time.
|
||||
response. Only code is supported at this time.
|
||||
- Optional - **redirect_uri** - override the redirect_uri the client
|
||||
registered. This redirect_uri must have the same fully-qualified domain
|
||||
and have at least the same query parameters as the redirect_uri the client
|
||||
registered, as well as have no fragments.
|
||||
registered. This redirect_uri must have the same fully-qualified domain,
|
||||
path, port and have at least the same query parameters as the redirect_uri
|
||||
the client registered, as well as have no fragments.
|
||||
- Optional - **scope** - specify what scope(s) the client needs access to
|
||||
in a space-delimited list.
|
||||
in a space-delimited list.
|
||||
- Optional - **state** - an opaque value the client can send to the server
|
||||
for programmatic excellence. Some clients use this value to implement XSRF
|
||||
protection or for debugging purposes.
|
||||
for programmatic excellence. Some clients use this value to implement XSRF
|
||||
protection or for debugging purposes.
|
||||
|
||||
If done correctly and the resource owner has not yet authorized the client
|
||||
for the desired scope, then the resource owner will be presented with an
|
||||
@@ -81,14 +81,14 @@ with the following parameters:
|
||||
|
||||
- Required - **client_id** - the id of the client
|
||||
- Required - **client_secret** - the secret of the client.
|
||||
This is used to authenticate the client.
|
||||
This is used to authenticate the client.
|
||||
- Required - **code** - the authorization code obtained earlier.
|
||||
- Required - **grant_type** - the desired type of access grant.
|
||||
Only token is supported at this time.
|
||||
Only token is supported at this time.
|
||||
- Optional - **redirect_uri** - should be the exact same redirect_uri as
|
||||
the redirect_uri specified to obtain the authorization code. If no
|
||||
redirect_uri was specified to obtain the authorization code then this
|
||||
should not be specified.
|
||||
the redirect_uri specified to obtain the authorization code. If no
|
||||
redirect_uri was specified to obtain the authorization code then this
|
||||
should not be specified.
|
||||
|
||||
If done correctly, the OAuth Server will redirect to the pertinent
|
||||
redirect_uri with an access token.
|
||||
@@ -115,6 +115,6 @@ currently exposed through the OAuth Server.
|
||||
There are only two scopes supported at this time.
|
||||
|
||||
- **offline_access** - allows an access token to work indefinitely without
|
||||
expiring.
|
||||
expiring.
|
||||
- **whoami** - allows the client to access the results of Conduit.whoami on
|
||||
behalf of the resource owner.
|
||||
behalf of the resource owner.
|
||||
|
||||
Reference in New Issue
Block a user