lemonldap-ng/doc/pages/documentation/current/webserviceprotection.html
2019-12-21 16:54:57 +01:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:webserviceprotection</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,webserviceprotection"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="webserviceprotection.html"/>
<link rel="contents" href="webserviceprotection.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:webserviceprotection","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#servicetoken_handler">ServiceToken Handler</a></div></li>
<li class="level1"><div class="li"><a href="#oauth2_endpoints">OAuth2 endpoints</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#userinfo">UserInfo</a></div></li>
<li class="level2"><div class="li"><a href="#introspection">Introspection</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#oauth2_handler">OAuth2 Handler</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="webservicesapi">WebServices / API</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "WebServices / API" [1-33] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
Web services and <abbr title="Application Programming Interface">API</abbr>s are mostly requested by an application, not by the end user. In this case you cannot rely on the standard <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler to protect the web service, since it expects a session cookie, which the application requesting the service does not have.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> offers several solutions to protect this kind of service.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [34-392] -->
<h2 class="sectionedit3" id="servicetoken_handler">ServiceToken Handler</h2>
<div class="level2">
<p>
Two Handlers will be used:
</p>
<ul>
<li class="level1"><div class="li"> The front-end Handler, which protects the web application and forges a specific token</div>
</li>
<li class="level1"><div class="li"> The backend Handler, which protects the web service and consumes the token</div>
</li>
</ul>
<p>
See <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">ServiceToken Handler documentation</a>.
</p>
</div>
<!-- EDIT3 SECTION "ServiceToken Handler" [393-695] -->
<h2 class="sectionedit4" id="oauth2_endpoints">OAuth2 endpoints</h2>
<div class="level2">
<p>
We suppose here that <abbr title="LemonLDAP::NG">LL::NG</abbr> is acting as an <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect provider</a>. The web application can then obtain an access token from <abbr title="LemonLDAP::NG">LL::NG</abbr> and send it to the web service, which validates it against the <abbr title="LemonLDAP::NG">LL::NG</abbr> OAuth2 endpoints.
</p>
</div>
<!-- EDIT4 SECTION "OAuth2 endpoints" [696-989] -->
<h3 class="sectionedit5" id="userinfo">UserInfo</h3>
<div class="level3">
<p>
You can use the UserInfo endpoint, which requires a valid access token and returns the user's attributes.
</p>
<p>
For example:
</p>
<pre class="code">curl \
-H &quot;Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2&quot; \
https://auth.example.com/oauth2/userinfo | json_pp</pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
  <span class="st0">&quot;family_name&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;OUDOT&quot;</span><span class="sy0">,</span>
  <span class="st0">&quot;name&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;Clément OUDOT&quot;</span><span class="sy0">,</span>
  <span class="st0">&quot;email&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;clement@example.com&quot;</span><span class="sy0">,</span>
  <span class="st0">&quot;sub&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;coudot&quot;</span>
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT5 SECTION "UserInfo" [990-1412] -->
<h3 class="sectionedit6" id="introspection">Introspection</h3>
<div class="level3">
<p>
The introspection endpoint is defined in <a href="https://tools.ietf.org/html/rfc7662" class="urlextern" title="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a>. It requires client authentication (the same as for the token endpoint) and takes the access token as a parameter.
</p>
<p>
For example:
</p>
<pre class="code">curl \
-H &quot;Authorization: Basic bGVtb25sZGFwOnNlY3JldA==&quot; \
-X POST -d &quot;token=a74d504ec9e784785e70a1da2b95d1d2&quot; \
https://auth.example.com/oauth2/introspect | json_pp</pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;client_id&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;lemonldap&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;sub&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;coudot&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;exp&quot;</span> <span class="sy0">:</span> <span class="nu0">1572446485</span><span class="sy0">,</span>
<span class="st0">&quot;active&quot;</span> <span class="sy0">:</span> <span class="kw2">true</span><span class="sy0">,</span>
<span class="st0">&quot;scope&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;openid profile address email phone&quot;</span>
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT6 SECTION "Introspection" [1413-2024] -->
<h2 class="sectionedit7" id="oauth2_handler">OAuth2 Handler</h2>
<div class="level2">
<p>
We also suppose here that <abbr title="LemonLDAP::NG">LL::NG</abbr> is acting as an <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect provider</a>, but this time the web service is protected by the OAuth2 Handler and only has to read the HTTP headers to know which user is connected.
</p>
<pre class="code">curl \
-H &quot;Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2&quot; \
https://oauth2.example.com/rest/myapi</pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;check&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;true&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;user&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;coudot&quot;</span>
<span class="br0">&#125;</span></pre>
<p>
See <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2 Handler documentation</a>.
</p>
</div>
<!-- EDIT7 SECTION "OAuth2 Handler" [2025-] --></div>
</body>
</html>