107 lines
2.6 KiB
ReStructuredText
107 lines
2.6 KiB
ReStructuredText
WebServices / API
|
||
=================
|
||
|
||
Presentation
|
||
------------
|
||
|
||
WebServices and API are mostly requested by an application, and not the
|
||
end-user itself. In this case, you can not rely on LL::NG standard
|
||
Handler to protect the webservice, as it will expect a cookie, which is
|
||
not defined in the application requesting the service.
|
||
|
||
LL::NG offers several solutions to protect this kind of service.
|
||
|
||
ServiceToken Handler
|
||
--------------------
|
||
|
||
Two Handlers will be used:
|
||
|
||
- The frontal Handler that will protect the web application, and will
|
||
forge a specific token
|
||
- The backend Handler that will protect the web service, and will
|
||
consume the token
|
||
|
||
See :doc:`ServiceToken Handler documentation<servertoserver>`.
|
||
|
||
OAuth2 endpoints
|
||
----------------
|
||
|
||
We suppose here that LL::NG is acting as
|
||
:doc:`OpenID Connect provider<idpopenidconnect>`. The web application
|
||
will then be able to get an access token from LL::NG. This token could
|
||
be sent to the webservice that can then validate it against LL::NG
|
||
OAuth2 endpoints.
|
||
|
||
UserInfo
|
||
~~~~~~~~
|
||
|
||
You can use the UserInfo endpoint, which requires the access token to
|
||
deliver user attributes.
|
||
|
||
For example:
|
||
|
||
::
|
||
|
||
curl \
|
||
-H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" \
|
||
https://auth.example.ccom/oauth2/userinfo | json_pp
|
||
|
||
.. code-block:: javascript
|
||
|
||
{
|
||
"family_name" : "OUDOT",
|
||
"name" : "Clément OUDOT",
|
||
"email" : "clement@example.com",
|
||
"sub" : "coudot"
|
||
}
|
||
|
||
Introspection
|
||
~~~~~~~~~~~~~
|
||
|
||
Introspection endpoint is defined in `RFC
|
||
7662 <https://tools.ietf.org/html/rfc7662>`__. It requires an
|
||
authentication (same as the authentication for the token endpoint) and
|
||
takes to access token as parameter.
|
||
|
||
For example:
|
||
|
||
::
|
||
|
||
curl \
|
||
-H "Authorization: Basic bGVtb25sZGFwOnNlY3JldA==" \
|
||
-X POST -d "token=a74d504ec9e784785e70a1da2b95d1d2" \
|
||
https://auth.example.com/oauth2/introspect | json_pp
|
||
|
||
.. code-block:: javascript
|
||
|
||
{
|
||
"client_id" : "lemonldap",
|
||
"sub" : "coudot",
|
||
"exp" : 1572446485,
|
||
"active" : true,
|
||
"scope" : "openid profile address email phone"
|
||
}
|
||
|
||
OAuth2 Handler
|
||
--------------
|
||
|
||
We also suppose here that LL::NG is acting as
|
||
:doc:`OpenID Connect provider<idpopenidconnect>`. But the webservice
|
||
will be protected by the OAuth2 Handler and will just have to read the
|
||
HTTP headers to know which user is connected.
|
||
|
||
::
|
||
|
||
curl \
|
||
-H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" \
|
||
https://oauth2.example.ccom/rest/myapi
|
||
|
||
.. code-block:: javascript
|
||
|
||
{
|
||
"check" : "true",
|
||
"user" : "coudot"
|
||
}
|
||
|
||
See :doc:`OAuth2 Handler documentation<oauth2handler>`.
|