
Resource Owner/Password Credential for OAuth2 #448

Closed · subnetmarco opened this issue Aug 6, 2015 · 9 comments

Labels: idea/new plugin [legacy] (those issues belong to Kong Nation, since GitHub issues are reserved for bug reports), plugins/oauth2

Comments

@subnetmarco (Member):

Implement the Resource Owner Password Credentials Grant.

subnetmarco added the label idea/new plugin [legacy] and self-assigned this issue on Aug 6, 2015.
@sonicaghi (Member):

+1

@matthewgo:

May I ask what the authentication flow of this grant will be?

What I have in mind, based on reading the updated code and reviewing the Authorization Code grant, is as follows:

  1. The client will connect to http://your.app.com/oauth2/token
  2. Kong redirects this request to an upstream server that will check if the client id, username and password fields are valid.
  3. This upstream server would send a post to Kong's your.api.com/oauth2/authorize to authorize the client.
  4. Kong then sends a response back to the client with the generated access token, refresh token, and expiry time.

Is this correct or am I missing out something? Thank you!

@subnetmarco (Member, Author):

@givmefive5 it works in a similar way, just slightly in reverse order:

  1. The client will connect to an endpoint on your side, sending a bunch of OAuth2 parameters including username and password.
  2. You validate the username and password, and if they are correct, you make a POST request to Kong on the /oauth2/token endpoint sending all the parameters that the original client has sent, plus the provision_key (a secret that identifies that it's you making the request) and authenticated_userid (a custom ID that identifies the user to whom the username and password belong).
  3. Kong will generate a JSON output
  4. That you will just send back to the client as it is.

[image: oauth2-flow2]
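As an added example (not code from the Kong project or from the thread), here is the backend side of the flow subnetmarco describes: it checks the username and password itself, then forwards the client's parameters to Kong's /oauth2/token together with provision_key and authenticated_userid, and relays Kong's JSON back unchanged. The Kong URL, provision key and user store are assumed placeholder values, and the HTTP POST is injected so the function runs offline.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Assumed values: the provision_key comes from the oauth2 plugin configuration
# in Kong and the host mirrors the thread's example; both are placeholders.
KONG_TOKEN_URL = "https://your.api.com/oauth2/token"
PROVISION_KEY = "PLACEHOLDER_PROVISION_KEY"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (stable user id, salt, password hash).
# The stable id, not the username, is what we hand to Kong as authenticated_userid.
USERS = {"alice": ("user-1001", b"salt-a", _pbkdf2("correct horse", b"salt-a"))}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's stable id when the password is valid, else None."""
    record = USERS.get(username)
    if record is None:
        return None
    user_id, salt, expected = record
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    return user_id if hmac.compare_digest(_pbkdf2(password, salt), expected) else None


def handle_token_request(form: Dict[str, str],
                         post: Callable[[str, Dict[str, str]], str]) -> str:
    """Step 2 of the flow on the backend: validate, then relay to Kong.

    `post` performs the HTTP POST to Kong and returns its response body; it is
    injected so the function can be exercised without a network.
    """
    if form.get("grant_type") != "password":
        return json.dumps({"error": "unsupported_grant_type"})
    user_id = authenticate(form.get("username", ""), form.get("password", ""))
    if user_id is None:
        # One generic error whether the username or the password was wrong.
        return json.dumps({"error": "invalid_grant"})
    # Forward everything the client sent plus the two backend-only parameters.
    # The client never sees provision_key; it only receives Kong's JSON (steps 3-4).
    forwarded = dict(form)
    forwarded["provision_key"] = PROVISION_KEY
    forwarded["authenticated_userid"] = user_id
    return post(KONG_TOKEN_URL, forwarded)
```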

@matthewgo:

Thanks @thefosk !

Another thing, just for clarification, provision_key only checks if the request for an access token came from a valid API right? We can still use the generated access token across all APIs under Kong and not just for the API that owns the provision_key right?

@subnetmarco (Member, Author):

authenticated_userid can be any value that will allow you to identify the user later by reading the X-Authenticated-Userid header. In the docs we recommend using an ID because sometimes the username can change, while the ID should always be the same.

@subnetmarco (Member, Author):

The provision_key is not part of the OAuth 2.0 flow per-se. During the provisioning process your backend will talk with Kong, and the provision_key is just a secret key that makes sure it's really you talking to Kong and not a malicious user.

The final client/application will never have anything to do with the provision_key. In the flow above, the provision_key is injected by your application on step 2.

@matthewgo:

Thanks @thefosk ! This is exactly what we need. Looking forward to your next version release with this!

@sonicaghi (Member):

✋ high five!

ctranxuan pushed a commit to streamdataio/kong that referenced this issue Aug 25, 2015
@aswanyaugustine:

How are we creating the username and password for Resource Owner/Password Credential for OAuth2 in the Kong API?

hutchic pushed a commit that referenced this issue Jun 10, 2022
[ENGEN-450] chore(debian): remove EOLed 8