cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sebastien Goasguen <>
Subject Re: [PROPOSAL] OAuth2 Single SignOn Integration
Date Tue, 15 Jul 2014 07:25:26 GMT

Seems to me you are doing it for browser based dashboard access only ?

How about if I want to use the API straight up, how do you integrate an Oauth workflow there

On Jul 15, 2014, at 1:35 AM, Santhosh Edukulla <> wrote:

> Hi Silvano,
> Few Notes:
> 1. We had implementation details mentioned i believe, but we didn't mentioned the design
details and workflows. 
> 2. We didn't mentioned whether it is 2 legged flow or 3 legged flow.
> 3. Not clear with this statement, "Once user is authorized by oauth2 server, javascript
code reads parameters in url",
> 4. Whats the difference between "oauth2.credentials.url" and "oauth2.baseurl", the later
is redirect uri? If yes, Where will have redirect uri hosted?
> 5. referring to the statement " When oauth2.baseurl, and oauth2.client.secret
are not set (default), oauthRequestUrl returns empty response and OAuth2
> authentication is turned off.",  can we use a flag to denote whether to use oauth flow
or not? If set to false, dont use it otherwise continue with default.
> 6. What about refresh token,i believe access token has limited life time? Any call back
mechanism to update with latest token if it gets expired?
> 7. Details like clientid,clientsecret needs to be encrypted when stored and retrieved
from global config?
> 8. How do we map the user logged in to roles and hierarchy inside CS? based on email
> 9.  What is the significance of these two parameters  mentioned?
> (defaults to "email")
> * oauth2.domainid
> 10. clientid and clientsecret key are based upon per tenant basis, so what if we want
to oauth mechanism from multiple tenants at any stage? 
> 11. Default values for clientid and clientsecret are loaded at which stage? during initial
installation and for which tenant?
> 12. How do we verify the validity of clientid and clientsecret values? If they are revoked?
possibility of revoke is there? 
> 13. If we understand, it is only to authenticate a user through oauth flow, we dont need
authorization part inside of cs? I mean, what do we mean by authorization from tenant once
access key is granted?
> 14. If access key is not stored, how do we get refresh token?
> 15. What is the default sequence of authentication in case if oauth fails? and order
in which a given authentication mechanism will be chosen?
> 16. Can we also show a ui, where user can enable\disable oauth setting for a given account?
here, possibility of mismatch with emailid based upon current implementation and oauth retrieved
emailid post authentication is there? how do we handle it?
> 17. Last, what is the significance of this feature, apart from authentication support
from third party clients? 
> Thanks!
> Santhosh
> ________________________________________
> From: Silvano Nogueira Buback []
> Sent: Monday, July 14, 2014 4:59 PM
> To:
> Subject: [PROPOSAL] OAuth2 Single SignOn Integration
> Hi gyus,
>    I need to implement OAuth2 integration to provide single sign-on with
> others tools in my company. I can share this implementation with the
> community if you are interested. I suggest these changes in code:
> 1. Create a new javascript called oauth2.js. This javascript is responsible
> for calling the new command called oauthRequestUrl that reads the global
> option "oauth2.baseurl" and returns this url plus "/authorize" with oauth2
> parameters. After receiving the answer, javascript redirects user to oauth2
> server.
> 2. Once user is authorized by oauth2 server, javascript code reads
> parameters in url and call oauthAuthorizeToken command. This command asks
> the oauth2 server by the access token, and if everything is ok, calls
> "oauth2.credentials.url" about user email and finds this user in the
> database, like ldap implementation does and returns authentication data.
> 3. Javascript fills g_loginResponse with answer from command and user is
> logged in.
>   What do you think about this approach?
> ---- More details ----
> Alternative flows:
> * When the url has parameter direct=true, the login dialog is shown.
> * When oauth2.baseurl, and oauth2.client.secret are not
> set (default), oauthRequestUrl returns empty response and OAuth2
> authentication is turned off.
> * If authorization token is invalid, user is redirected again to oauth2
> server.
> Commands:
> * oauthRequestUrl
> * oauthAuthorizeToken
> Global Options:
> * oauth2.baseurl
> *
> * oauth2.client.secret
> * oauth2.credentials.url: defaults to "/oauth2/v2/userinfo"
> * (defaults to "email")
> * oauth2.domainid
> Restrictions:
> * Domain Id will be a global option
> * Users are always redirected to oauth2 server. Access tokens are not
> stored.
> * Before using Cloudstack, the administrator must insert user in an account.

View raw message