OAuth 2 provider for Frappe Apps

revant_one · October 25, 2016, 1:52pm

Testing OAuth 2.0 with Postman

Under Authorization tab select Type as OAuth 2.0

02-select-oauth-2.0.png1317×744 32.6 KB

Click on Get New Access Token button and enter the details about client_id, urls, scope.
Note: redirect_uri must be set to the one given by Postman so that the token is received.

03-new-access-token.png1317×744 57.2 KB

Login to frappe with your credentials (If skip authorization checked in Oauth Client, no confirmation dialog will be shown)

04-login.png1024×744 18.4 KB

On successful login token will be received

05-Token.png1317×744 63.7 KB

Use token in request header to access protected resource with user’s credentials
e.g. /api/resource/ToDo

06-fetch-data.png1317×744 49.9 KB

strixaluco · October 28, 2016, 8:51am

Thank you for contribution.
Does this provider support OAuth 1 as well? Just curious because oauthlib supports both 1 and 2 versions of OAuth.

After reading Wikipedia article, thought that this guide can be useful: http://www.oauthsecurity.com/

revant_one · October 28, 2016, 10:10am

I’ve only added OAuth2 support.

Further development:

https://github.com/frappe/frappe/pull/2227

revant_one · October 31, 2016, 4:58pm

OpenID connect and Social Login for Frappe is now added

https://github.com/revant/frappe/blob/develop/frappe/docs/user/en/guides/integration/openid_connect_and_frappe_social_login.md

I’ve tested it few times.

Developers outside frappe ecosystem can now use their platforms along with frappe.

Now we can develop microservices!

example bearer token with id_token

{
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6Imp3dCJ9.eyJpc3MiOiJodHRwczovL21udGVjaG5pcXVlLmNvbSIsImF0X2hhc2giOiJOQlFXbExJUy1lQ1BXd1d4Y0EwaVpnIiwiYXVkIjoiYjg3NzJhZWQ1YyIsImV4cCI6MTQ3Nzk1NTYzMywic3ViIjoiNWFjNDE2NThkZjFiZTE1MjI4M2QxYTk0YjhmYzcwNDIifQ.1GRvhk5wNoR4GWoeQfleEDgtLS5nvj9nsO4xd8QE-Uk",
  "access_token": "ZJD04ldyyvjuAngjgBrgHwxcOig4vW",
  "scope": "openid",
  "expires_in": 3600,
  "refresh_token": "2pBTDTGhjzs2EWRkcNV1N67yw0nizS"
}

Part 1 : on Frappe Identity Provider (IDP)

Login to IDP

Add OAuth Client on IDP

Set Server URL on IDP

Part 2 : on Frappe App Server

Set `Frappe Client ID` and `Frappe Client Secret` on App server (refer the client set on IDP)

Note: Frappe Server URL is the main server where identities from your organization are stored.

Login Screen on App Server (login using frappe)

Part 3 : Redirected on IDP

login with user on IDP

Confirm Access on IDP

Part 4 : Back on App Server

Logged in on app server with ID from IDP

Pau_Rosello_Van_Scho · April 17, 2017, 6:45pm

Thanks! This was really usefull!

I was wondering if there is any way to easily import roles from IDP to App Server.

As of right now I am thinking about making the following steps:

Allow to specify scope in frappe provider in OAuth Provider Settings
Create a new scope called roles
Include active roles on the profile callback
- Change “openid_profile” to a more generic profile?
Modify “update_oauth_user” in order to update roles on login

Do you think I am missing any steps?

As a last question, I saw on Github you were planning on using the OAUTH Token to query the API, is there any progress on this?

Regards!

revant_one · April 18, 2017, 6:51am

OAuth 2 Token from all request headers is validated.
this way it is working with many standard oauth2 clients like python rauth, postman.
I managed to connect Android Authenticator/SyncAdapter using standard OAuth2 Flow.

Community is also discussing about Magento OAuth 2 connector

reference:
https://github.com/frappe/frappe/blob/develop/frappe/api.py#L38
https://github.com/frappe/frappe/blob/develop/frappe/api.py#L131

Right now, access_token stores user and set the stored user in validate_oauth()

This gives access_token all the permissions user has.

Scopes are validated, i.e only the scopes stored in oauth 2 client are valid.

also if openid is present in scope id_token is sent along with response

So if you have ideas to connect scopes and roles it’ll be awesome!

For the steps, go for it! Fork Frappe develop branch and create a feature branch on your fork. Tag me on PR I’ll collaborate.

All above apps must not break after upgrade, If there is some change required we will also have to update documentation.

openid_profile endpoint
Standard Claims Draft: OpenID Connect Basic Client Profile 1.0 - draft 28

Roles Can be additional claim as mentioned Draft: OpenID Connect Basic Client Profile 1.0 - draft 28

aldoblack · August 24, 2017, 7:37pm

I am having JSONDecodeError here. Any idea?

revant_one · August 24, 2017, 11:10pm

Have you set Frappe Server URL under social login keys?

magic-overflow · February 23, 2018, 9:52am

Hi revant_one,

I kept reading every post related to OAuth2 on the forum, but I’m still scratching my head what’s next.

I have a form login on android which user login through api http://frappe.local:8000/api/method/login
I use CookieManager but I want user keep login unless they logout. Then I started reading Oauth2 on forum as session never expired by using refresh_token.

I successfully setup OAuth2 on server and I expected it works like:
User log in the form in the App, by username & password then got access_token and refresh_token back… in response.
But it seems not. I might misunderstand about OAuth2. https://frappe.io/docs/user/en/guides/integration/using_oauth

Can you just tell the flow of user login by form and get get_token back?

revant_one · February 23, 2018, 1:04pm

Following is explanation of Authorization Code / Refresh Token grant.

first call : authorize

It checks if user is logged in,

if user is logged and authorizes the access to resource the server return a “Authorization Code” to the redirect uri. i.e your app

Processing response of first call:

there is an endpoint on your app that accepts GET request. the Auth Code comes back here as a parameter. e.g. /process_code?code=abc123

Second call : get_token

take the Auth code caught on the redirect url endpoint in the processing step above, and ask for a token with this code. (make POST request or use oauth client libraries available)

This time the response is the bearer token. Use this bearer_token.access_token for access.

Third call get_token (on expiry of previous bearer token)

Use bearer_token.refresh_token to get new bearer_token seamlessly.

Fourth call (to keep the server clean from used up tokens, optional but recommended)

you can revoke_token the expired bearer token after you refresh token.

magic-overflow · February 25, 2018, 6:35am

Thanks revant_one,

I’m crystal clear how it works now.

MaysaaSafadi · May 12, 2018, 11:09am

Hi @revant_one
I would like to thank you for your explanation about OAuth 2 . I already used it in my mobile app., and followed your instructions in this topic and in the others, but I want more explanation about revoke_token,the purpose? and when I should do it ?
Also , Is the OAuth 2 always depends on the cookies and sessions data?
the last question is about refresh_token, I can not have any response from it, althought I used the responded token from get_token as mentioned here https://frappe.io/docs/user/en/guides/integration/using_oauth
but I got this msg

Thanks
Maysaa

revant_one · May 12, 2018, 12:22pm

revoke_token endpoint revokes the bearer_token. Revoke token after using refresh_token and getting a new valid token, revoke the expired token. This way it is cleaned up from server

Any client connected using it will be revoked.
If token is expired, refresh_token remains valid.
If token is revoked, refresh_token can’t be used and
Revoked tokens will be cleaned up from the server

No it doesn’t depend on cookies or session, It just checks for valid access token in header instead of cookie in header.

The only place where it depend on browser and cookies is the “authorization screen”; the allow/deny app screen.

Under
OAuth Client > Advance Settings > Grant Type select Authorization Code
and
Response Type select Code

Implicit/Token doesn’t allow refreshing the token.

MaysaaSafadi · May 21, 2018, 12:39pm

Thanks @revant_one
But about refresh_token, I already fill the same values in my site, and the same response

revant_one · May 21, 2018, 2:55pm

Can you share the Postman requests in Python / CURL?

MaysaaSafadi · June 5, 2018, 11:26am

Here my request and the same result

MaysaaSafadi · June 5, 2018, 11:44am

@revant_one I have some trubbles with OAuth 2 authorization way,
Now I used it in my mobile app as the following steps:

get the authorization code and login using frappe.integrations.oauth2.authorize
get the token of that code by frappe.integrations.oauth2.get_token
call the first frappe api “api/resource/Attendance” with Authorizaton: Bearer <bearer_token>

now the problem is when another user tried to login and call an api, it will execute it with the last authorized user!
Is it important to do the authorize and get the token process in each api call?
give me the right way and concept to do that in frappe plz
Thanks
Maysaa

revant_one · June 5, 2018, 4:21pm

The token is tied to user, if that specific token is used it is like making request as that user.

As long as user is logged in to a session on a browser, authorize endpoint is accessed through browser with existing session.

No, you can use the token for 1 hr. Then refresh it.

MaysaaSafadi · June 5, 2018, 7:49pm

My case is with Mobile app that call some api’s from frappe, now I noticed that the requests depends on the user session, but in my Mobile app i just used the Auth 2 authorization to get a token in order to be in all the user request. and when i apply this logic, I faced a problem with multi user login, as my frappe server always using the last bearer token stored in the auth table, so when any user call an api it will called with the last stored token whatever whom the logged user.
I can not solve it by this protocol, but I need a solution to complete my app perfectly, Is this way is right for my case as you see?