The OAuth 2 token from the request headers is validated.
This way it works with many standard OAuth2 clients like python rauth and Postman.
I managed to connect Android Authenticator/SyncAdapter using the standard OAuth2 flow.
The community is also discussing a Magento OAuth 2 connector.
Right now, access_token stores the user and sets the stored user in validate_oauth().
This gives access_token all the permissions the user has.
Scopes are validated, i.e. only the scopes stored in the OAuth 2 client are valid.
Also, if openid is present in the scope, an id_token is sent along with the response.
So if you have ideas to connect scopes and roles, it’ll be awesome!
For the steps, go for it! Fork the Frappe develop branch and create a feature branch on your fork. Tag me on the PR and I’ll collaborate.
All the above apps must not break after the upgrade. If some change is required, we will also have to update the documentation.
I kept reading every post related to OAuth2 on the forum, but I’m still scratching my head about what’s next.
I have a login form on Android through which the user logs in via the API http://frappe.local:8000/api/method/login
I use CookieManager, but I want the user to stay logged in unless they log out. Then I started reading about OAuth2 on the forum, as the session never expires when using refresh_token.
I would like to thank you for your explanation about OAuth 2. I already used it in my mobile app and followed your instructions in this topic and in the others, but I want more explanation about revoke_token: what is its purpose, and when should I do it?
Also, does OAuth 2 always depend on the cookies and session data?
The last question is about refresh_token: I cannot get any response from it, although I used the token returned from get_token as mentioned here https://frappe.io/docs/user/en/guides/integration/using_oauth
but I got this message
@revant_one I have some troubles with the OAuth 2 authorization flow.
Now I use it in my mobile app with the following steps:
get the authorization code and log in using frappe.integrations.oauth2.authorize
get the token for that code with frappe.integrations.oauth2.get_token
call the first Frappe API “api/resource/Attendance” with Authorization: Bearer <bearer_token>
Now the problem is that when another user tries to log in and call an API, it executes with the last authorized user!
Is it important to do the authorize and get-token process in each API call?
Please give me the right way and concept to do that in Frappe.
My case is a mobile app that calls some APIs from Frappe. Now I noticed that the requests depend on the user session, but in my mobile app I just used the OAuth 2 authorization to get a token in order to use it in all the user’s requests. When I apply this logic, I face a problem with multi-user login, as my Frappe server always uses the last bearer token stored in the auth table, so when any user calls an API it is called with the last stored token, whoever the logged-in user is.
I cannot solve it with this protocol, but I need a solution to complete my app properly. Is this way right for my case, as you see it?
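The three steps from the post above (authorize, get_token, then the API call with a Bearer header), plus the refresh_token grant asked about earlier in the thread, as an added example that is not Frappe's code nor anyone's code from this thread. The endpoint paths frappe.integrations.oauth2.authorize and get_token are the ones the thread names; the parameter names sent to them (client_id, redirect_uri, response_type, scope, state, grant_type, code, refresh_token) are the standard OAuth2 ones and are an assumption here, as is the JSON shape of the token response. FakeFrappeServer is a constructed in-memory stand-in so the example runs offline; a real transport would expose the same post(url, data) and get(url, headers) methods over requests or urllib. The point it makes for the multi-user problem: keep one client object, holding one token, per signed-in user, and send that user's own Bearer header on every request.

```python
import json
import secrets
from urllib.parse import urlencode

# Endpoint paths named in the thread; parameter names below are standard OAuth2 (assumed).
AUTHORIZE = "api/method/frappe.integrations.oauth2.authorize"
GET_TOKEN = "api/method/frappe.integrations.oauth2.get_token"


class FakeFrappeServer:
    """Constructed stand-in for the server (not Frappe). Codes and tokens map
    to users, and every API call is resolved from the Bearer header it
    carries, never from the token issued most recently."""

    def __init__(self):
        self.codes, self.tokens, self.refresh_tokens = {}, {}, {}

    def issue_code(self, user):
        """Stands in for the browser-side authorize step that hands back a code."""
        code = secrets.token_urlsafe(8)
        self.codes[code] = user
        return code

    def _grant(self, user):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = user
        self.refresh_tokens[refresh] = (user, access)  # remember which access token to retire
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 3600}

    def post(self, url, data):
        assert url.endswith(GET_TOKEN), "only the token endpoint is modelled"
        if data["grant_type"] == "authorization_code":
            return self._grant(self.codes.pop(data["code"]))  # codes are single-use
        user, old_access = self.refresh_tokens.pop(data["refresh_token"])  # refresh rotates
        self.tokens.pop(old_access, None)  # the replaced access token stops working
        return self._grant(user)

    def get(self, url, headers):
        token = headers.get("Authorization", "").split(" ", 1)[-1]
        user = self.tokens.get(token)
        if user is None:
            return {"error": "invalid_token"}
        return {"data": {"user": user, "path": url}}


class FrappeOAuth2Client:
    """One instance per signed-in user; it holds only that user's tokens."""

    def __init__(self, base_url, client_id, redirect_uri, transport):
        self.base_url, self.client_id = base_url.rstrip("/"), client_id
        self.redirect_uri, self.transport = redirect_uri, transport
        self.access_token = self.refresh_token = None

    def authorize_url(self, scope="openid all"):
        """Step 1: the URL the app opens in a browser; verify 'state' on the callback."""
        state = secrets.token_urlsafe(16)
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "response_type": "code", "scope": scope, "state": state}
        return f"{self.base_url}/{AUTHORIZE}?{urlencode(params)}", state

    def exchange_code(self, code):
        """Step 2: trade the authorization code for an access/refresh token pair."""
        return self._token({"grant_type": "authorization_code", "code": code,
                            "redirect_uri": self.redirect_uri, "client_id": self.client_id})

    def refresh(self):
        """Obtain a fresh access token when the old one expires, without a new login."""
        return self._token({"grant_type": "refresh_token", "client_id": self.client_id,
                            "refresh_token": self.refresh_token})

    def _token(self, body):
        resp = self.transport.post(f"{self.base_url}/{GET_TOKEN}", body)
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return resp

    def get(self, path):
        """Step 3: every API call carries this user's own Bearer token."""
        return self.transport.get(f"{self.base_url}/{path}",
                                  {"Authorization": f"Bearer {self.access_token}"})


def demo():
    """Two users signed in on two devices; Bob signs in last, Alice still sees her own data."""
    server = FakeFrappeServer()
    base = "http://frappe.local:8000"  # host from the thread; users below are constructed
    alice = FrappeOAuth2Client(base, "app-client-id", "myapp://callback", server)
    bob = FrappeOAuth2Client(base, "app-client-id", "myapp://callback", server)
    alice.exchange_code(server.issue_code("alice@example.com"))
    bob.exchange_code(server.issue_code("bob@example.com"))
    result = {"alice_sees": alice.get("api/resource/Attendance")["data"]["user"],
              "bob_sees": bob.get("api/resource/Attendance")["data"]["user"]}
    stale = alice.access_token
    alice.refresh()
    result["alice_after_refresh"] = alice.get("api/resource/Attendance")["data"]["user"]
    result["stale_token"] = server.get(f"{base}/api/resource/Attendance",
                                       {"Authorization": f"Bearer {stale}"}).get("error")
    result["authorize_endpoint"] = alice.authorize_url()[0].split("?")[0]
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When an app behaves as described above (every call lands as the last user who signed in), the first thing to check is what the device actually sends: capture one request per user and confirm the Authorization header carries that user's token and that no session cookie from an earlier login (the CookieManager mentioned earlier in the thread) rides along on the same request. Which credential the server honours when both are present is a server-side question worth testing explicitly rather than assuming.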