How do you write an OAuth2 server in Perl?

I am trying to wrap my head around OAuth2 and Perl (i.e. Net::OAuth2) - specifically, setting up a RESTful API for the database and an application that uses it.

The Perl OAuth2 package brought me to Net::OAuth2.

As I can understand, there are a few things I need to do (please correct me if I'm somewhere in the weeds):

  • On the server side: create a REST server (currently playing with a tiled one for this) that negotiates with the database.
  • Server side: create an authentication / authorization server (??)
  • Client application: uses WWW::Mechanize (or some such) to communicate with the REST server.

In my head, here's how it works:

  • the client application has an API key (registered on the server (REST server? Auth server?) and baked into the client).
  • the user has an entry (username and password) in the table in the database on the server
  • the user launches the client application and tries to access the protected resource (say, to update the line) (again, for example, choosing the "do this thing" menu option on the client; the client translates this into a REST API URI, for example, http://the.rest.server/api/thisthing)
  • server redirects client to server bit (authentication / authorization)
  • The server, client, and user make an OAuth magic dance to authenticate the user.
  • The server, client, and user do another OAuth magic dance to ensure that the user is allowed to see this resource URI.
  • If all is well, the server redirects the client to the original resource URI request (with any required auth parameters).

Is this a reasonable assessment of the process?

If so, does it make sense to have “authentication / authorization” as part of a REST server or as a completely separate server? (on the same equipment).

Net::OAuth2::Profile::WebServer perfectly explains what should happen on the client side.

The tests at http://cpansearch.perl.org/src/MARKOV/Net-OAuth2-0.55/t/ (unless I really am missing something) relate to working with the Net::OAuth2 web server profile, which (again) will be the "client application".

There are other examples of writing a client - connecting to an existing OAuth2 server, for example, the Google API materials - but I cannot find examples of writing a server ... (I completely agree with RTFM if I can find FM pointers!)

1 answer

The general idea is to allow the central auth server to process credentials + generate tokens + policies (policy => whether this application is allowed by this user).

First, let's talk about the OAuth server.
i) The server is responsible for the login page in which the user can enter their credentials.
ii) Checks the credentials; if they are correct, this server then checks which client application made the call, and checks whether this application is authorized by this user. - Here we are talking about the concept of scopes.
iii) Generates an access/authorization token for the application.
iv) When a client calls an API with an access token, the API must pass the token to this server. It is the server's job to verify the contents of the token.

Now the API:
i) The API must accept the token from the client application, transfer it to the server - get the unique identifier of the client from the server and return data to the client for this client.

For third-party applications,
i) You must have a registration process. The client must have a client identifier and a secret. Google allows you to register with the console.
ii) There must be a scope that corresponds to each unique API. For example, when you make a Google OAuth application, you need to register your application for the scope - G+, Picasa, Google Drive, etc.
iii) The access token is unique to the scope and maps to the permissions granted to your application by the user. If the user's client application selects only the G+ scope and gets access from the user, the application can use the token only for the G+ endpoint.

A more detailed answer on how to implement the OAuth server can be found here: How does the efficient OAuth2.0 server / provider work?

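As an added example that is not part of the original question or answer, and does not use Net::OAuth2: the answer's server steps ii to iv plus the API-side scope check, written as a minimal in-memory Perl core with no HTTP layer. The client, user, secret and scope names are constructed sample data, and the SHA-256 password check is a placeholder for a real password hash such as bcrypt.

```perl
# Hypothetical in-memory OAuth2 authorization-server core (no HTTP layer; not Net::OAuth2).
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use MIME::Base64 qw(encode_base64url);

# Constructed sample data: one registered client, one user, and the scopes the user approved.
my %clients = ( app1 => { secret => 'app1-secret', scopes => { read => 1, write => 1 } } );
my %users   = ( alice => sha256_hex('alice:correct horse') );  # stand-in for bcrypt/Argon2
my %grants  = ( 'alice|app1' => { read => 1 } );               # alice consented to "read" only
my %tokens;                                                    # token => { user, client, scopes, exp }

# Steps ii and iii of the answer: verify the user, verify the calling client, then issue a
# token limited to the scopes allowed by both the client registration and the user's consent.
sub issue_token {
    my ($user, $pass, $client_id, $client_secret, @requested) = @_;
    return unless exists $users{$user} && $users{$user} eq sha256_hex("$user:$pass");
    my $client = $clients{$client_id} or return;
    return unless $client->{secret} eq $client_secret;
    my $grant = $grants{"$user|$client_id"} or return;
    my @scopes = grep { $client->{scopes}{$_} && $grant->{$_} } @requested;
    return unless @scopes;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";   # opaque, unguessable token
    sysread $fh, my $rnd, 32;
    my $token = encode_base64url($rnd);
    $tokens{$token} = { user => $user, client => $client_id,
                        scopes => { map { $_ => 1 } @scopes }, exp => time + 3600 };
    return $token;
}
# Step iv: the API hands the token back and the auth server says whom and what it is for.
sub introspect {
    my $t = $tokens{ $_[0] };
    return { active => 0 } unless $t && $t->{exp} > time;
    return { active => 1, %$t };
}

# Resource-server side: each endpoint names the scope it needs and rejects everything else.
sub api_call {
    my ($token, $needed_scope) = @_;
    my $info = introspect($token);
    return '401 invalid_token'      unless $info->{active};
    return '403 insufficient_scope' unless $info->{scopes}{$needed_scope};
    return "200 ok: $info->{user} via $info->{client}";
}

my $tok = issue_token('alice', 'correct horse', 'app1', 'app1-secret', 'read', 'write');
print api_call($tok, 'read'),    "\n";   # consented scope
print api_call($tok, 'write'),   "\n";   # requested by the client, but never consented to
print api_call('bogus', 'read'), "\n";   # unknown token
```

The write call is refused even though the client requested and is registered for that scope, because the token only carries the scopes the user actually granted; an HTTP front end (login page, token endpoint, introspection endpoint) would wrap these three functions.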
