-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[request] OAuth2 plugin #169
Comments
Yes |
👍 |
1 similar comment
+1 |
Yes, OAuth is a planned and upcoming plugin. |
+1 |
4 similar comments
+1 |
+1 |
+1 |
+1 |
+1 * 100 |
👍 |
1 similar comment
+1 |
@nijikokun Is there a timeframe on when the plugin will be released? |
@samgaw here the plan for the coming 0.3 https://github.com/Mashape/kong/milestones/0.3.0 |
OAuth support in the 0.4 |
+1 and I think it'd be awesome if it supports multiple grant types(implicit, authorization code, etc) |
In the first implementation of the OAuth 2.0 plugin I would like to support the following grant types:
And support for refresh tokens. |
I would suggest doing the basic grant types:
|
Here are a few considerations on this plugin and a possible implementation flow. Let's consider a typical three-legged flow:
Here is the workflow: Login Authentication IssueThe OAuth 2.0 plugin on Kong will store all the client applications, authorization codes and access tokens inside Kong. Kong will be the only authority storing, creating and expiring this data. What Kong can't do is authenticate the user to make sure he's logged in, because Kong doesn't integrate with an existing Login system that the third-party service uses. This means that the third-party service needs to make sure the user is logged in before starting the OAuth authorization flow. This also means that the authorization process needs to be implemented in the third-party service frontend (to show the page that shows which scopes to accept), and backend (to securely provision an authorization From a technical perspective, the step 5 sends the following data to Kong: POST /oauth2_authorization HTTP/1.1
Host: kong:8001
Accept: application/json
Content-Type: application/x-www-form-urlencoded
client_id=VALUE&response_type=code&scope=email&state=VALUE&authenticated_userid=VALUE&authenticated_username=VALUE&provisioning_key=VALUE
This operation returns something like: {
"redirect_uri": "http://some/uri?code=ao182oin1kone9ah89shdansda"
} The Every other step is a regular OAuth 2.0 flow between the client and Kong. What the user needs to build to support OAuth ?
Thoughts? |
@thefosk yes this is the generally accepted method of approaching this issue |
perhaps it's better to prefix this comment with clarification:
generally speaking, everything before
from so, to simplify this: Q1: What does the Kong user needs to build to support OAuth? **Q2: What does the application developer need to build to use OAuth with Kong?**A:** follow standard oauth application flows. to that end, perhaps we should create a simple documentation to be used by Kong users to expose to their application developers (which is just the oauth2 flows spec) |
PR in the works here #341 |
My understanding of the project's goals was to essentially glue various internal APIs and microservices together. Within the scope of that context, does it not make sense for an OAuth plugin to focus on Kong acting as the provider rather than looking at 3rd party providers beyond the edge? |
@samgaw that's exactly what this plugin would be, Kong as the oAuth provider on the edge (or internal if used as such). |
You can find OAuth2 here: http://getkong.org/plugins/oauth2-authentication/ |
Hey guys, the 0.4.0 is out with OAuth 2.0 plugin support (http://getkong.org/plugins/oauth2-authentication/). Try it and break it :) |
Cheers Marco. Docs look great. I'll try setting up with a couple of different consumers over the weekend. |
Will Resource Owner/Password Credential be implemented in the OAuth plugin in Kong? |
Yep, thanks for requesting it. I just opened a new issue #448. |
@givmefive5 it has been implemented, pushed to master, and coming up in the next version. |
Thank you, will check it out 👍 |
) * chore(ci) [skip travis] move nightly releases to Jenkins * [skip travis] * [skip travis] split plugin tests out and login to docker when building the docker test image * [skip travis] try a different way of defining the KONG_VERSION env * [skip travis] skip the problematic builds * [skip travis] move the daily deploys out of travis.yml * [skip travis] wip debugging a sporadically failing test * fix(tests) adjust how we run the report mock server for a more reliable test * chore(ci) debug the environment variables available in jenkins [skip travis] * chore(ci) set the repository os name environment variable [skip travis] * test(reports) adjust how we check if the report server can run * chore(ci) adjust the jenkins setup [skip travis] * chore(wip) remove the integration tests to focus on getting the nightly releases to work * fix(ci) adjust how set set the bintray credentials [skip travis] * wip -- debugging daily releases to bintray [skip travis] * chore(ci) run only the xenial release [skip travis] * chore(ci) re-enable tests and other distribution releases * chore(ci) add the CI cron trigger chore(dependency) bump the kong-build-tools dependency (#168) chore(dependencies) adjust kong-build-tools dependency pin (#169) * chore(dependency) bump the kong-build-tools dependency * chore(ci) unpin the jenkins build from the kong-build-tools branch chore(nightly) build nightly arm release (#171) chore(ci) adjust cache settings for xenail nightly builds (#173)
) * chore(ci) [skip travis] move nightly releases to Jenkins * [skip travis] * [skip travis] split plugin tests out and login to docker when building the docker test image * [skip travis] try a different way of defining the KONG_VERSION env * [skip travis] skip the problematic builds * [skip travis] move the daily deploys out of travis.yml * [skip travis] wip debugging a sporadically failing test * fix(tests) adjust how we run the report mock server for a more reliable test * chore(ci) debug the environment variables available in jenkins [skip travis] * chore(ci) set the repository os name environment variable [skip travis] * test(reports) adjust how we check if the report server can run * chore(ci) adjust the jenkins setup [skip travis] * chore(wip) remove the integration tests to focus on getting the nightly releases to work * fix(ci) adjust how set set the bintray credentials [skip travis] * wip -- debugging daily releases to bintray [skip travis] * chore(ci) run only the xenial release [skip travis] * chore(ci) re-enable tests and other distribution releases * chore(ci) add the CI cron trigger chore(dependency) bump the kong-build-tools dependency (#168) chore(dependencies) adjust kong-build-tools dependency pin (#169) * chore(dependency) bump the kong-build-tools dependency * chore(ci) unpin the jenkins build from the kong-build-tools branch chore(nightly) build nightly arm release (#171) chore(ci) adjust cache settings for xenail nightly builds (#173)
### Summary #### libyaml 0.2.2 release - #95 -- build: do not install config.h - #97 -- appveyor.yml: fix Release build - #103 -- Remove unused code in yaml_document_delete - #104 -- Allow colons in plain scalars inside flow collections - #109 -- Fix comparison in tests/run-emitter.c - #117 -- Fix typo error - #119 -- The closing single quote needs to be indented... - #121 -- fix token name typos in comments - #122 -- Revert removing of open_ended after top level plain scalar - #125 -- Cherry-picks from PR 27 - #135 -- Windows/C89 compatibility - #136 -- allow override of Windows static lib name #### libyaml 0.2.3 release - #130 Fixed typo. - #144 Fix typo in comment - #140 Use pointer to const for strings that aren't/shouldn't be modified - #128 Squash a couple of warnings in example-deconstructor-alt - #151 Fix spelling for error message - #161 Make appveyor config be a hidden file - #159 Add CHANGES file - #160 Always output document end before directive (YAML 1.2 compatibility) - #162 Output document end marker after open ended scalars - #157 change cmake target name from libOFF.a to libyaml.a - #155 include/yaml.h: fix comments - #169 Fixed missing token in example - #127 Avoid recursion in the document loader. - #172 Support %YAML 1.2 directives - #66 Change dllexport controlling macro to use _WIN32
I guess you don't want a UI but is there any plans on Oauth2 authentication?
The text was updated successfully, but these errors were encountered: