
What about OAuth?

Company Blogs April 19, 2013 By Igor Beslic Staff

Hi all, I'll share with you our latest progress on supporting OAuth-authorized requests. I'll use an Android application as the example, since I'm familiar with it (enough to display a button).

OAuth server support comes as a portlet plugin based on the OAuth 1.0a spec, with an application registration UI, user authorization approval, and a secure filter that checks the validity of OAuth credentials (thank you Tomas for the filter, and Ivica for all the hours we spent together). OAuth is very practical since it moves authentication to the platform side (Liferay Portal), so the application doesn't need to handle the security issues of storing credentials. If you are an application developer and want your application to access Liferay Portal resources, this could be a way to do it:

1. Go to OAuth admin

2. Register application

3. Get your consumer key and secret

Now... You should take an OAuth API (scribe or signpost) and build your consumer application. My application is a simple Android application which does nothing awesome, but makes an authorized document library access:

- Make an OAuth request token and bring the user to the Liferay Portal application authorization page. If the user is not signed in, he/she will be asked to do so.

 

- Once the user is signed in, the authorization page is shown. After the user confirms that he/she grants access to his/her Liferay resources, Liferay redirects the user to the defined redirect URL (not clear from the screenshots, but as a redirect I'm using my-application://www.liferay.com/something so that the Android browser knows where to pass the redirect).

- The user access token and token secret are stored in the application properties, and I'm able to query the portal (I'll grab some folders and display them):
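
What the signed request and the server-side "secure filter" described above amount to under OAuth 1.0a (RFC 5849), as an added Python example that is not code from this post or from the Liferay plugin. The keys, secrets, service path, parameter name and the `OAuthFilter` class are constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote
def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unescaped
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL (no query string) & encoded, sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 key is "consumer_secret&token_secret"; the secrets are never sent
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class OAuthFilter:
    """Hypothetical server-side filter: looks up the secrets, then validates."""
    def __init__(self, consumers, tokens, max_skew=300):
        self.consumers, self.tokens = consumers, tokens  # key -> secret maps
        self.max_skew, self.seen = max_skew, set()

    def check(self, method, url, params, now=None):
        now = time.time() if now is None else now
        c_secret = self.consumers.get(params.get("oauth_consumer_key"))
        t_secret = self.tokens.get(params.get("oauth_token"))
        if c_secret is None or t_secret is None:
            return "unknown consumer or token"
        if not str(params.get("oauth_timestamp", "")).isdecimal():
            return "bad timestamp"
        if abs(now - int(params["oauth_timestamp"])) > self.max_skew:
            return "stale timestamp"
        expected = sign(method, url, params, c_secret, t_secret).encode()
        if not hmac.compare_digest(expected, str(params.get("oauth_signature", "")).encode()):
            return "bad signature"
        replay = tuple(params.get(k) for k in ("oauth_consumer_key", "oauth_token", "oauth_timestamp", "oauth_nonce"))
        if replay in self.seen:  # nonce reused for this timestamp (unbounded set, demo only)
            return "replayed nonce"
        self.seen.add(replay)
        return "ok"

# Constructed sample values, not real credentials; path and parameter are hypothetical
URL = "http://localhost:8080/api/jsonws/example/get-folders"
def sample_request(ts=1366358400, nonce="n-1"):
    p = {"oauth_consumer_key": "ck-demo", "oauth_token": "at-demo", "oauth_nonce": nonce,
         "oauth_timestamp": str(ts), "oauth_signature_method": "HMAC-SHA1", "parentFolderId": "0"}
    p["oauth_signature"] = sign("GET", URL, p, "cs-demo", "ts-demo")
    return p
```

The signature check uses a constant-time comparison, and the nonce is recorded only after the signature verifies, so unauthenticated requests cannot fill the replay cache.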

So what do you think?

I used these links to assemble the Android application:

Threaded Replies Author Date
Hi Igor! Looks really great! It is part of 6.2... Alexey Kakunin April 19, 2013 7:48 AM
Hi Alexey! Great to hear you. It is available... Igor Beslic April 20, 2013 1:18 AM
Hi, where can i find this plugin? is it in... Charly Wu May 8, 2013 3:23 AM
Hi Charly, I'm not sure about exact date, but... Igor Beslic June 21, 2013 1:21 AM
Great feature Igor, looking forward to using... Stian Sigvartsen April 21, 2013 3:15 AM
Hi Stian, I try to answer the SOAP question -... Tomas Polesovsky April 22, 2013 1:40 AM
Hi Igor, Very useful and appropriate to our... Corné Aussems April 21, 2013 11:42 PM
Is the actual version of the plugin or its... Laszlo Miklosik April 22, 2013 1:04 AM
Hi Laszlo, regarding to plugin, it implements... Ivica Cardic April 22, 2013 1:55 AM
Hi Laszlo, I'm not sure, I think... Igor Beslic April 22, 2013 2:01 AM
Great feature Igor. Can you please let me know... Tina Agrawal October 1, 2013 6:34 AM
Hi Tina, example shown fetches portal data... Igor Beslic October 1, 2013 8:15 AM
Thanks Igor. Will definitely try using it. Tina Agrawal October 1, 2013 8:28 AM
Hi Igor, I am not able to find this in 6.1 GA2... Tina Agrawal December 4, 2013 2:22 AM
Hi Igor, The post is very nice. I just need... divya goyal October 18, 2016 6:38 PM
Hi Divya, thank you for compliments. Your... Igor Beslic October 24, 2016 12:41 AM
Hi Igor, Actually what I meant was to see if a... divya goyal October 24, 2016 12:56 AM
Hi Divya, this OAuth story is something... Igor Beslic October 24, 2016 4:14 AM
Hi Igor, I couldn't find such implementation... Gaurav Jain October 9, 2013 2:52 AM
[...] Ben Brown of South Worcestershire Shared... Anonymous October 16, 2013 3:19 PM
Hi Igor, From where i can download oAuth... devaki s December 4, 2013 3:23 AM
Hi, Can this be used when Liferay is acting as... Sameer Naik February 4, 2014 9:29 PM
[...] OAuth Configuration - OAuth Provider EE ... Anonymous October 6, 2015 8:29 AM

Hi Igor! Looks really great! Is it part of 6.2, or will this functionality be available for 6.1 as a plugin as well?
Posted on 4/19/13 7:48 AM.
Hi Alexey! Great to hear you.
It is available as plugin for 6.1 but after we finish all reviews and tests we will make it ready for 6.2.
Posted on 4/20/13 1:18 AM in reply to Alexey Kakunin.
Great feature Igor, looking forward to using it! Will this be available for the SOAP services as well? Any chance of getting access to a pre-release build / source (6.1 compatible) so I can have a go at integrating Orbeon forms with permission controlled Liferay assets using this?
Posted on 4/21/13 3:15 AM.
Hi Igor,
Very useful and appropriate to our endeavours to secure mobile connections.
Thanks
Posted on 4/21/13 11:42 PM.
Is the actual version of the plugin or its sources available to the community? (I could not find them on the Liferay github repo's liferay-plugins directory).

Do you also plan to implement OAuth 2.0 Provider support?

From what I see OAuth 1.0.a consumer support is already built into Liferay's core (in class com.liferay.portal.oauth.OAuthManagerImpl) and it uses the scribe OAuth client library.

Is your OAuth 1.0.a Service Provider implementation relying on any of the available OAuth server side libraries (e.g. Spring Security)?

We also need OAuth support asap in one of our Liferay deployments and would like to implement a solution which is in-line with Liferay's roadmap regarding OAuth.

Thanks
Posted on 4/22/13 1:04 AM.
Hi Stian, I'll try to answer the SOAP question - the default configuration of the OAuth authentication filter doesn't include SOAP services. Anyway, the filter is extensible enough to be used with any servlet => Yes, SOAP should work.
Posted on 4/22/13 1:40 AM in reply to Stian Sigvartsen.
Hi Laszlo,
regarding the plugin, it implements provider support so you can use Liferay as an OAuth provider.
We used source from http://oauth.googlecode.com/svn/code/java/core/ as our base and then we added all additional needed stuff.
Regarding OAuth 2.0, we will probably make an implementation, but I can't tell you when because the spec was finished recently; there are some implementations but they are still immature.

For now the plugin should be available only for EE versions.

Best Regards
Posted on 4/22/13 1:55 AM in reply to Laszlo Miklosik.
Hi Laszlo, I'm not sure, I think com.liferay.portal.oauth.OAuthManagerImpl provides client access to an OAuth provider for some core portlets. The only official OAuth provider implementation is this one.
Posted on 4/22/13 2:01 AM in reply to Laszlo Miklosik.
Hi,
Where can I find this plugin? Is it in the marketplace?
Posted on 5/8/13 3:23 AM in reply to Igor Beslic.
Hi Charly, I'm not sure about the exact date, but the plugin will be available via the marketplace.
Posted on 6/21/13 1:21 AM in reply to Charly Wu.
Great feature Igor. Can you please let me know how you are getting the Portal Data? Which API do we need to call? Are these the SOAP Services that get called? And where can we download this portlet from?
Posted on 10/1/13 6:34 AM.
Hi Tina, the example shown fetches portal data using JSON WS.
Available services can be examined at the path /api/jsonws on your portal instance. If you are on localhost it should look like:
http://localhost:8080/api/jsonws

Developer documentation: https://www.liferay.com/documentation/liferay-portal/6.1/development/-/ai/json-web-services
Wiki: https://www.liferay.com/community/wiki/-/wiki/Main/JSON+Web+Services

Portlet is available for Enterprise Edition only since 6.1 GA2
Posted on 10/1/13 8:15 AM in reply to Tina Agrawal.
Thanks Igor. Will definitely try using it.
Posted on 10/1/13 8:28 AM in reply to Igor Beslic.
Hi Igor,

I couldn't find such implementation in 6.2.0 CE RC3 release.

Is this not yet available there?
Posted on 10/9/13 2:52 AM.
[...] Ben Brown of South Worcestershire Shared ICT Service was present and gave a talk about how they are hosting Liferay Portal using the Jelastic cloud. At some point I would really like to explore... [...]
Posted on 10/16/13 3:19 PM.
Hi Igor, I am not able to find this in 6.1 GA2 Marketplace. Where can I download this from?
Posted on 12/4/13 2:22 AM in reply to Igor Beslic.
Hi Igor,

From where can I download the OAuth plugin? I am not seeing it in the marketplace.
Posted on 12/4/13 3:23 AM.
Hi,

Can this be used when Liferay is acting as SAML2 IdP?
Posted on 2/4/14 9:29 PM.
[...] OAuth Configuration - OAuth Provider EE We need OAuth Provider EE plugin portlet which is available in Liferay’s marketplace. This is available for EE version only. We can download this from... [...]
Posted on 10/6/15 8:29 AM.
Hi Igor,

The post is very nice. I just need one clarification regarding the plugin: whether it can be used in a different way, to validate the security token sent by some third party and authorize the user to access the Portal as well as the other application.
Posted on 10/18/16 6:38 PM in reply to Igor Beslic.
Hi Divya, thank you for the compliments. Your question is confusing. You may check out https://en.wikipedia.org/wiki/OAuth to see what OAuth is used for and then decide if it suits your needs.
Posted on 10/24/16 12:41 AM in reply to divya goyal.
Hi Igor,

Actually what I meant was to see if a user is authenticated against any other system (Facebook, Google, Twitter) and then tries to log in to the Portal without entering the password and we send the authentication token. Is it possible in Liferay to authorize in such a scenario?

Liferay is also using LDAP authentication. We want to have multiple authentication methods. Either the user can log in using the Liferay portal with LDAP AD authentication, or the Liferay user can access the Google application and authenticate there and then log in to the Portal using the OAuth token.

Thanks in advance!!
Posted on 10/24/16 12:56 AM in reply to Igor Beslic.
Hi Divya, this OAuth story is something opposite to what you're looking for. You may check this blog https://web.liferay.com/web/wilson.man/blog/-/blogs/sso-via-facebook. For Google and Twitter authentication, you have to do your own development.
Posted on 10/24/16 4:14 AM in reply to divya goyal.