
OAuth authentication for JSON WS

Srijit Saini, modified 6 years ago.

OAuth authentication for JSON WS

New Member, Posts: 12, Join Date: 09/03/16
We know there is a plugin portlet, i.e. the OAuth Client Portlet, but that's for authenticating the whole portlet;
my requirement is to authenticate only the JSON Web Services exposed for a custom portlet.
By default the web services are authenticated using Basic Auth. I just want to know whether it is possible to use OAuth for authenticating them, and how?
Andrew Jardine, modified 6 years ago.

RE: OAuth authentication for JSON WS

Liferay Legend, Posts: 2416, Join Date: 22/12/10
I've personally not tried to do what you are trying to do, and the simplest solution might be to apply role-based permissions so that one set of users doesn't have access to the rest of the application. With that said, just looking at the configurations in portal.properties, you might be able to manage what you are trying to do by hooking the auth classes to provide your own implementation.

For example, we can see the property --

auth.verifier.pipeline=com.liferay.portal.security.auth.BasicAuthHeaderAutoLogin,com.liferay.portal.security.auth.DigestAuthenticationAuthVerifier,com.liferay.portal.security.auth.ParameterAutoLogin,com.liferay.portal.security.auth.PortalSessionAuthVerifier,com.liferay.portal.security.auth.TunnelingServletAuthVerifier


In this list, we're most interested in the PortalSessionAuthVerifier because of the settings just below it --

    #
    # PortalSessionAuthVerifier
    #
    auth.verifier.PortalSessionAuthVerifier.hosts.allowed=
    auth.verifier.PortalSessionAuthVerifier.urls.includes=\
        /api/json/*,\
        /api/jsonws/*,\
        /c/portal/json_service/*


I'd be inclined to try to add my own auth verifier that uses the OAuth tokens to validate the user making the request, to see if that does the trick. Worst-case scenario, you could use an EXT plugin to change, or extend and augment, the PortalSessionAuthVerifier class.

With that said, I would try to do it using configuration with the permissions framework in Liferay first. I'm wary of altering the security pipeline in Liferay, not just for the upgrade path, but for fear of opening a security hole.
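Added example (not from the original thread and not Liferay's own code): a sketch of the custom auth verifier Andrew describes, written against the Liferay 6.2 AuthVerifier interface as I know it (verify(AccessControlContext, Properties) returning an AuthVerifierResult), so check the signatures against your own version. It reads an HS256 JWT from an "Authorization: Bearer" header, pins the algorithm instead of trusting the token's "alg", verifies the HMAC with a constant-time comparison, rejects expired tokens, and maps the numeric "sub" claim to a portal userId. The class name JwtAuthVerifier, the package com.example.auth, the portal-ext.properties key jwt.hmac.secret, and the Bearer/sub conventions are my assumptions; java.util.Base64 requires Java 8. Returning NOT_APPLICABLE when no bearer token is present lets the rest of auth.verifier.pipeline (Basic Auth, portal session) keep working for other clients on the same JSONWS URLs.

```java
package com.example.auth; // hypothetical package, not part of Liferay

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;

import com.liferay.portal.kernel.json.JSONFactoryUtil;
import com.liferay.portal.kernel.json.JSONObject;
import com.liferay.portal.kernel.util.PropsUtil;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AccessControlContext;
import com.liferay.portal.security.auth.AuthException;
import com.liferay.portal.security.auth.AuthVerifier;
import com.liferay.portal.security.auth.AuthVerifierResult;
import com.liferay.portal.service.UserLocalServiceUtil;

/**
 * Bearer-token verifier for the JSON web services.
 *
 * Registration (portal-ext.properties, assumed layout mirroring the
 * PortalSessionAuthVerifier entries quoted above):
 *
 *   auth.verifier.pipeline=com.example.auth.JwtAuthVerifier,<existing pipeline entries>
 *   auth.verifier.JwtAuthVerifier.hosts.allowed=
 *   auth.verifier.JwtAuthVerifier.urls.includes=/api/jsonws/*
 *   jwt.hmac.secret=<long random secret shared with the token issuer>
 *
 * Token issuance (login, short exp, refresh) is the job of the authorization
 * server and is deliberately not part of this class.
 */
public class JwtAuthVerifier implements AuthVerifier {

    // Hypothetical portal-ext.properties key holding the shared HMAC secret.
    private static final String SECRET_PROPERTY = "jwt.hmac.secret";

    @Override
    public String getAuthType() {
        return "Bearer";
    }

    @Override
    public AuthVerifierResult verify(
            AccessControlContext accessControlContext, Properties configuration)
        throws AuthException {

        AuthVerifierResult result = new AuthVerifierResult();
        HttpServletRequest request = accessControlContext.getRequest();
        String header = request.getHeader("Authorization");

        // No bearer token: let the other verifiers in the pipeline decide.
        if ((header == null) || !header.startsWith("Bearer ")) {
            result.setState(AuthVerifierResult.State.NOT_APPLICABLE);
            return result;
        }

        String token = header.substring("Bearer ".length()).trim();

        try {
            long userId = verifyToken(
                token, PropsUtil.get(SECRET_PROPERTY),
                System.currentTimeMillis() / 1000);

            User user = UserLocalServiceUtil.fetchUser(userId);

            if ((user == null) || !user.isActive()) {
                result.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);
                return result;
            }

            result.setUserId(user.getUserId());
            result.setState(AuthVerifierResult.State.SUCCESS);
        }
        catch (Exception e) {
            // Malformed, tampered or expired token: do not fall through to Basic Auth.
            result.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);
        }

        return result;
    }

    /** Checks alg, HMAC-SHA256 signature and exp; returns the numeric "sub" (portal userId). */
    static long verifyToken(String token, String secret, long nowEpochSeconds)
        throws Exception {

        String[] parts = token.split("\\.");

        if (parts.length != 3) {
            throw new IllegalArgumentException("malformed token");
        }

        Base64.Decoder b64 = Base64.getUrlDecoder(); // accepts unpadded base64url

        JSONObject header = JSONFactoryUtil.createJSONObject(
            new String(b64.decode(parts[0]), StandardCharsets.UTF_8));

        // Pin the algorithm: never let the token choose how it is verified
        // (blocks alg=none and RS256-to-HS256 key confusion).
        if (!"HS256".equals(header.getString("alg"))) {
            throw new IllegalArgumentException("unsupported alg");
        }

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] expected = mac.doFinal(
            (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));

        // Constant-time compare so the check does not leak the signature byte by byte.
        if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) {
            throw new IllegalArgumentException("bad signature");
        }

        JSONObject payload = JSONFactoryUtil.createJSONObject(
            new String(b64.decode(parts[1]), StandardCharsets.UTF_8));

        // Require exp so a stolen token stops working, unlike a static Basic Auth header.
        if (!payload.has("exp") || (payload.getLong("exp") <= nowEpochSeconds)) {
            throw new IllegalArgumentException("expired");
        }

        return payload.getLong("sub");
    }

}
```

Two things a practitioner should add before using this beyond a prototype: an "aud" or "iss" check so tokens minted for another service are not accepted here, and a way to rotate jwt.hmac.secret (a key id in the header and a small map of accepted keys is enough). Whether auth.verifier.pipeline can be overridden from a hook or needs portal-ext.properties or an EXT plugin depends on your exact 6.2 build, so confirm that against the hook DTD for your version.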
Srijit Saini, modified 6 years ago.

RE: OAuth authentication for JSON WS

New Member, Posts: 12, Join Date: 09/03/16
Hi Andrew,
My only concern is that, using Basic Auth, the token that is created will always be the same, as it's generated from the user credentials, which could be a security concern. So can we use some other way to generate tokens that can be refreshed after a time, as is achieved in OAuth or in any other 3rd-party plugin?
Sébastien Morhan, modified 6 years ago.

RE: OAuth authentication for JSON WS

New Member, Posts: 4, Join Date: 05/12/14
Hi

Have you managed to implement the OAuth check on /api/jsonws?

We have to do the same so I am interested in your solution.

Thanks
Srijit Saini, modified 6 years ago.

RE: OAuth authentication for JSON WS

New Member, Posts: 12, Join Date: 09/03/16
Hi Sébastien,
I have looked into it for quite a while, but haven't found any solution for it.
So if you find something, please do post it.

Thanks
Andrew Jardine, modified 6 years ago.

RE: OAuth authentication for JSON WS

Liferay Legend, Posts: 2416, Join Date: 22/12/10
I'm going to see if I can jump back into this thread to help out some more. I think maybe what I am missing right now is the full picture of what you are trying to achieve. Is the goal here to use an OAuth-based authentication, but only to access the JSON API? Are you hoping to use an external application to access Liferay (in a way, headless, let's say)?
Srijit Saini, modified 6 years ago.

RE: OAuth authentication for JSON WS

New Member, Posts: 12, Join Date: 09/03/16
Yes, exactly, this is what is needed. There is an independent mobile application which is consuming Liferay's JSON web services, so I want them to be secured by OAuth, but as we know Liferay JSONWS are by default secured by Basic Auth, and that's not very secure, as the token remains the same unless the user's credentials are changed.
Andrew Jardine, modified 6 years ago.

RE: OAuth authentication for JSON WS

Liferay Legend, Posts: 2416, Join Date: 22/12/10
I have more questions.

Your mobile application is used to access the JSON API. Let's assume for the moment that my phone has your app installed. Let's also assume that there is an actual Liferay site out there somewhere to which this JSON API is connected, and from which the data you are retrieving is coming. When my phone is accessing the services, is it doing so as "me", meaning I have a login that I can use to also access the Liferay site? Or is my phone meant to access the services generically (no user context)?
Srijit Saini, modified 6 years ago.

RE: OAuth authentication for JSON WS

New Member, Posts: 12, Join Date: 09/03/16
The site has been built as an organization portal, so all the employees have an account on it. Now we have to build an app which will show the data from the portal for the logged-in user.
Andrew Jardine, modified 6 years ago.

RE: OAuth authentication for JSON WS

Liferay Legend, Posts: 2416, Join Date: 22/12/10
Hi Srijit,

Ok, so then we have come full circle on this conversation, I think. Just in case you are not aware, Liferay does have a mobile SDK that you can use to generate a library that can be included in your mobile project. As part of this library, there exists the ability to generate a secure session.

Liferay 6.2: https://dev.liferay.com/develop/tutorials/-/knowledge_base/6-2/mobile
Liferay 7: https://dev.liferay.com/develop/tutorials/-/knowledge_base/7-0/mobile

I would start with integrating this piece in and validating that you are able to create a session that you can then use to query the server from your mobile app, just using Basic Auth. Once you have that working, you will have validated the communication and the auth pipeline between the two apps. At this point I would turn my attention to the portal itself. Forget the mobile application for the moment. I would focus on how to provide OAuth as an authentication type for the portal. If you are using the EE version of the product, this support actually exists as a plugin that you can install from the Marketplace (native in DXP). If you are on the Community Edition, then you can roll your own by writing the code you need to customize the auth pipeline (custom authenticators, auto-login classes, etc.). One of the things I love about Liferay is that you don't "have to choose" between one auth type and another. You can actually configure several, and Liferay will try them one after the other in a chain until one of them succeeds. This means that you can continue to use Basic Auth, or NTLM, or whatever for your main site, but OAuth for your mobile app.

At a high level, this is what I would try. The only other alternative I can think of off the top of my head would be wiring Liferay up to an SSO architecture so that all authentication is delegated to a third-party tool like CAS, or OpenSSO/AM, etc.
krishna patel, modified 5 years ago.

RE: OAuth authentication for JSON WS

New Member, Posts: 14, Join Date: 21/05/18

I have implemented a custom auth pipeline in Liferay 6.2 via a hook. You can add any authentication service. I have used JWT (JSON Web Token). Here is my demo project (github).

Thanks

Andrew Jardine, modified 5 years ago.

RE: OAuth authentication for JSON WS

Liferay Legend, Posts: 2416, Join Date: 22/12/10

Hi Krishna,

Very cool! Thanks for sharing -- I'll be sure to check it out :)