What about OAuth?

Igor Beslic
Igor Beslic
A Minute Read

Hi all, I'll share with you our latest progress made with supporting OAuth authorized requests. I'll make example with android application since I'm familiar with it (enough to display button).

OAuth server support comes as OAuth 1.0a spec based portlet plugin with application registration UI, user authorization approval and secure filter that checks validity of oauth credentials (thank you Tomas for the filter, and Ivica for all hours we spent together). OAuth is very pratical since it moves authentication actions to platform side (Liferay Portal), and application doesn't need handle security issues regarding credentials storing. If you are application developer, and want your application to access Liferay portal resources this could be a way to do it:

1. Go to OAuth admin

2. Register application

3. Get yours consumer key and secret

Now... You should take an OAuth api (scribe or signpost) and make your consumer application. My application is simple android application whic would do nothing awesome, but will make authorized document library access:

- make oauth request token and bring user to Liferay portal application authorization page. If user is not signed in, he/she would be asked to do it.

 

- Once user is signed in authorization page will be shown. After user confirms he/she grants access to her/his liferay resources Liferay redirects user to defined redirect URL (not clear from screenshots, but as a redirect I'm using my-application://www.liferay.com/something so that android browser knows where to pass redirect).

- user acces token and token secret are being stord in application properties, an I'm able to query portal (I'll grab some folders and display it):

So what do you think?

I used this links to assembly android application:

Page Comments
thumbnail
Alexey Kakunin
12 Years Ago
HI Igor! Looks really great! It is part of 6.2 - or this functionality will be available for 6.1 as plugin as well?
Please sign in to reply.
thumbnail
Igor Beslic Alexey Kakunin
12 Years Ago
Hi Alexey! Great to hear you.
It is available as plugin for 6.1 but after we finish all reviews and tests we will make it ready for 6.2.
Please sign in to reply.
thumbnail
Stian Sigvartsen
12 Years Ago
Great feature Igor, looking forward to using it! Will this be available for the SOAP services as well? Any chance of getting access to a pre-release build / source (6.1 compatible) so I can have a go at integration Orbeon forms with permission controlled Liferay assets using this?
Please sign in to reply.
thumbnail
Tomáš Polešovský Stian Sigvartsen
12 Years Ago
Hi Stian, I try to answer the SOAP question - the default configuration of OAuth authentication filter doesn't include SOAP services. Anyway, the filter is extensible enough to be used with any servlet => Yes, SOAP should work.
Please sign in to reply.
Laszlo Miklosik
12 Years Ago
Is the actual version of the plugin or its sources available to the community? (I could not find them on the Liferay github repo's liferay-plugins directory).

Do you also plan to implement OAuth 2.0 Provider support?

From what I see OAuth 1.0.a consumer support is already built into Liferay's core (in class com.liferay.portal.oauth.OAuthManagerImpl) and it uses the scribe OAuth client library.

Is your OAuth 1.0.a Service Provider implementation relying on any of the available OAuth server side libraries (e.g. Spring Security)?

We also need OAuth support asap in one of our Liferay deployments and would like to implement a solution which is in-line with Liferay's roadmap regarding OAuth.

Thanks
Please sign in to reply.
thumbnail
Ivica Cardic Laszlo Miklosik
12 Years Ago
Hi Laszlo,
regarding to plugin, it implements provider support so you can use Liferay as an oauth provider.
We used source from http://oauth.googlecode.com/svn/code/java/core/ as our base and then we added all additional needed stuff.
Regarding to OAuth 2.0, we will probably make implementation but I can't tell you when because the spec is finished recently, there are some implementations but thy are still immature.

For now the plugin should be available only for ee versions.

Best Regards
Please sign in to reply.
thumbnail
Igor Beslic Laszlo Miklosik
12 Years Ago
Hi Laszlo, I'm not sure, I think com.liferay.portal.oauth.OAuthManagerImpl provides client access to OAuth provider for some core portlets. Only official OAuth provider implementation is this one.
Please sign in to reply.
thumbnail
Tina Agrawal
12 Years Ago
Great feature Igor. Can you please let me know how you are getting the Portal Data? Which API we need to call? Are these the SOAP Services that get called? And where can we download this portlet from?
Please sign in to reply.
thumbnail
Igor Beslic Tina Agrawal
12 Years Ago - Edited
Hi Tina, example shown fetches portal data using JSON WS.
Available services could be examined if you refer path /api/jsonws at your portal instance. If you are at local host it should look like:
http://localhost:8080/api/jsonws

Developer documentation: https://www.liferay.com/documentation/liferay-portal/6.1/development/-/ai/json-web-services
Wiki: https://www.liferay.com/community/wiki/-/wiki/Main/JSON+Web+Services

Portlet is available for Enterprise Edition only since 6.1 GA2
Please sign in to reply.
divya goyal Igor Beslic
9 Years Ago
Hi Igor,

The post is very nice. I just need one clarification regarding the plugin if can be used in different way, as to validate the security token sent by some third party and authorize the user to access the Portal as well as the other application.
Please sign in to reply.
thumbnail
Igor Beslic divya goyal
9 Years Ago
Hi Divya, thank you for compliments. Your question is confusing. You may checkout https://en.wikipedia.org/wiki/OAuth to see what is OAuth used for and than decide if it suites your needs.
Please sign in to reply.
divya goyal Igor Beslic
9 Years Ago
Hi Igor,

Actually what I meant was to see if a user is authenticated against any other system(facebook, google, twitter) and then tries to login into Portal without entering the password and we send the authentication token. Is it possible in liferay to authorize in such scenario.

As Liferay is using the LDAP authentication also. We want to have multiple authentication methods. Either user can login using the liferay portal with LDAP AD authentication, or liferay user can access the google application and authenticate there and then login into Portal using the oauth token.

Thanks in advance!!
Please sign in to reply.
thumbnail
Igor Beslic divya goyal
9 Years Ago
Hi Divya, this OAuth story is something opposite to what you're looking for. You may check this blog https://web.liferay.com/web/wilson.man/blog/-/blogs/sso-via-facebook. For google and twitter authentication, you have to do your own development.
Please sign in to reply.
thumbnail
Gaurav Jain
12 Years Ago
Hi Igor,

I couldn't find such implementation in 6.2.0 CE RC3 release.

Is this not yet available there?
Please sign in to reply.
(You)
12 Years Ago
[...] Ben Brown of South Worcestershire Shared ICT Service was present and gave a talk about how they are  hosting Liferay Portal using the Jelastic cloud. At some point I would really like to explore... [...] Read More
Please sign in to reply.
thumbnail
devaki s
12 Years Ago
Hi Igor,

From where i can download oAuth plugin? I am not seeing it in market place.
Please sign in to reply.

Related Assets...

No Results Found

More Blog Entries...