{"id":5721,"date":"2024-03-28T21:25:56","date_gmt":"2024-03-28T20:25:56","guid":{"rendered":"https:\/\/gpmfactory.com\/?p=5721"},"modified":"2024-04-01T11:27:30","modified_gmt":"2024-04-01T09:27:30","slug":"hybrid-oauth-flow-with-oracle-ords","status":"publish","type":"post","link":"https:\/\/gpmfactory.com\/index.php\/2024\/03\/28\/hybrid-oauth-flow-with-oracle-ords\/","title":{"rendered":"Hybrid OAuth flow with Oracle ORDS"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Scenario<\/h3>\n\n\n\n<p>Use OAuth with a custom authentication in an enterprise context.<\/p>\n\n\n\n<p>We have to build a mobile application for an enterprise with hundreds of employees. We are not in a public context. We only have to check the identity of employees to make sure each of them gets access to their own scope only.<\/p>\n\n\n\n<p>We assume that the <em>client<\/em> is a trusted application.<\/p>\n\n\n\n<p>The code described in the post is <a href=\"https:\/\/github.com\/patrickmonaco\/hybridoauth\">available on Github<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reminders<\/h3>\n\n\n\n<p>ORDS provides support for OAuth through three client types:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Client Credentials<\/li>\n\n\n\n<li>Authorization Code<\/li>\n\n\n\n<li>Implicit Grant<\/li>\n<\/ul>\n\n\n\n<p>The last two are designed to identify a physical user; the first one is not.<\/p>\n\n\n\n<p>In our scenario, we want to authenticate a physical user. Therefore, we want to use either <em>Authorization Code<\/em> or <em>Implicit Grant<\/em> in order to identify the user.<\/p>\n\n\n\n<p>In these cases, ORDS provides a generic authentication module, and it seems that this module can&rsquo;t be customized. 
The only user directories supported are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>File system<\/li>\n\n\n\n<li>APEX User directory<\/li>\n\n\n\n<li>Tomcat or Weblogic user directory<\/li>\n<\/ul>\n\n\n\n<p>What about a scenario where we want to completely customize the authentication process by relying on an LDAP or DB directory?<\/p>\n\n\n\n<p>This is the use case which inspired this post.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Overall approach<\/h3>\n\n\n\n<p>We decide to build a \u00ab\u00a0new\u00a0\u00bb kind of OAuth flow, a hybrid between <em>Client Credentials<\/em> and <em>Implicit Grant<\/em>.<\/p>\n\n\n\n<p>We assume that the authentication is not based on the standard ORDS\/OAuth authentication but has been built by a completely different method, whatever that method is.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Initial setup<\/h4>\n\n\n\n<p>At ORDS level, we create a new <em>client<\/em> with the \u00ab\u00a0<em>Client Credentials<\/em>\u00a0\u00bb type.<\/p>\n\n\n\n<p>We create a REST module <code>eu.gpmfactory.custoauth<\/code> which handles the authentication process and the generation of a valid token.<\/p>\n\n\n\n<p>The flow is as follows:<\/p>\n\n\n\n<p>If no token has been issued yet, the client redirects to a REST endpoint (<code>login<\/code>) which sends an authentication form. 
The client must send the Client ID as a parameter, as in an implicit flow scenario.<\/p>\n\n\n\n<p>The user fills in the credentials and submits the form to the <code>check<\/code> endpoint.<\/p>\n\n\n\n<p>The REST API receives the credentials along with the Client ID.<br>The REST API calls the authentication module, which checks the password.<\/p>\n\n\n\n<p>If the check succeeds, the module calls the URL that generates a valid token for a \u00ab\u00a0Client Credentials\u00a0\u00bb client type, then sends the token back to the client.<\/p>\n\n\n\n<p>In this scenario, there is no authorization code to exchange for a token: the token is delivered directly instead (as in the <em>Implicit flow<\/em>).<br>We assume that the client is a trusted application.<\/p>\n\n\n\n<p>The custom login page is shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"646\" src=\"https:\/\/gpmfactory.com\/wp-content\/uploads\/2024\/03\/image-1024x646.png\" alt=\"\" class=\"wp-image-5727\" srcset=\"https:\/\/gpmfactory.com\/wp-content\/uploads\/2024\/03\/image-1024x646.png 1024w, https:\/\/gpmfactory.com\/wp-content\/uploads\/2024\/03\/image-300x189.png 300w, https:\/\/gpmfactory.com\/wp-content\/uploads\/2024\/03\/image-768x485.png 768w, https:\/\/gpmfactory.com\/wp-content\/uploads\/2024\/03\/image-200x125.png 200w, https:\/\/gpmfactory.com\/wp-content\/uploads\/2024\/03\/image.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In our case, the login page is provided by a GET endpoint (login) which generates all the HTML markup needed to display the login page.<\/p>\n\n\n\n<p>Credentials are sent to a POST endpoint (auth) along with the client_id.<br>A function in a package (OAUTH_PKG) checks that the credentials are correct, checks the validity of the client_id, then asks for a token as in a \u00ab\u00a0client credentials\u00a0\u00bb flow.<br>The client secret is read directly from the ORDS dictionary.<\/p>\n\n\n\n<p>It&rsquo;s possible 
to add a redirect URL to the client definition in order to mimic an \u00ab\u00a0implicit grant\u00a0\u00bb flow, or the token can be sent directly in a payload to the app.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Drawbacks<\/h4>\n\n\n\n<p>It is not possible to use a refresh token.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scenario Use OAUTH with a custom authentication in an enterprise context. We have to build a mobile application for an enterprise with hundreds of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"ppma_author":[150],"class_list":["post-5721","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"authors":[{"term_id":150,"user_id":1,"is_guest":0,"slug":"admin8700","display_name":"Patrick","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/209d5ed69b74d288390621ab4c1d3773?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts\/5721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/comments?post=5721"}],"version-history":[{"count":15,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts\/5721\/revisions"}],"predecessor-version":[{"id":5741,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts\/5721\/revisions\/5741"}],"wp:attachment":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/media?parent=5721"}],"wp:term":[{"taxonomy":"c
ategory","embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/categories?post=5721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/tags?post=5721"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/ppma_author?post=5721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}