RESTful-Drupal / restful

RESTful best practices for Drupal
https://drupal.org/project/restful

Questions around OAuth2 integration #111

Open bojanz opened 10 years ago

bojanz commented 10 years ago

I'm looking into integrating oauth2_server and Restful.

Problem #1: Restful's fancy error handling. oauth2_server_verify_access() likes to do that by itself (output 401 + the json body with additional info), which comes from the underlying library mostly. Now, there are only a few possible errors, so I could translate that into what a restful user would expect, but it wouldn't be consistent with the errors that the oauth2 endpoints (oauth2/authorize, oauth2/token) are throwing (those are completely outside restful so they can't be affected + the list is huge). So the question is whether to be inconsistent, or inconsiderate (by throwing our own errors and doing a drupal_exit() inside the authorization plugin).

Problem #2: Scopes. I need to have a way to specify a needed scope per action ("get" requires "view" but "post" requires "administration view", for example). I can add some settings to the plugin metadata, but it feels like there should be a way to describe the actions (what's in $controllers + authorization info, for starters).

amitaibu commented 10 years ago

@mateu-aguilo-bosch you seem to have more OAuth experience ^^

amitaibu commented 10 years ago

@bojanz @mateu-aguilo-bosch

to be inconsistent, or inconsiderate (by throwing our own errors and doing a drupal_exit() inside the authorization plugin)

I think inconsiderate but consistent would be better. Maybe we can try/catch the errors thrown by oauth, and $e->getMessage() the original error message.

I need to have a way to specify a needed scope per action ("get" requires "view" but "post" requires "administration view" for example).

I was thinking about adding a feature to allow specifying more options per endpoint, for example:

protected $controllers = array(
  '' => array(
    // Shorthand.
    \RestfulInterface::GET => 'getList',
  ),
  '\d+' => array(
    // Verbose
    \RestfulInterface::GET => array(
      'method' => 'viewEntity',
      'access callback' => array($this, 'accessViewEntity'),
    ),
  ),
);

So the access could be moved to its own method per endpoint.
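As an added illustration of the per-endpoint access callback idea above (example code, not from the RESTful or oauth2_server projects): a verb-to-scope map for one endpoint, a parser for the space-delimited scope string an OAuth2 token carries, and a deny-by-default check. The names restful_example_scope_map, restful_example_parse_scopes and restful_example_scope_access are hypothetical, and how the token's scope string is obtained from oauth2_server is assumed to happen elsewhere.

```php
<?php
// Hypothetical map of HTTP verb => required OAuth2 scope for one
// endpoint, using the scope names mentioned in the issue.
function restful_example_scope_map() {
  return array(
    'GET'    => 'view',
    'POST'   => 'administration view',
    'PATCH'  => 'administration view',
    'DELETE' => 'administration view',
  );
}

/**
 * Split an OAuth2 scope string (space-delimited) into a scope list.
 * Handles an empty or whitespace-only string by returning no scopes.
 */
function restful_example_parse_scopes($scope_string) {
  $scope_string = trim((string) $scope_string);
  if ($scope_string === '') {
    return array();
  }
  return preg_split('/\s+/', $scope_string);
}

/**
 * Return TRUE only when the verb is mapped and the token holds the
 * required scope. Unmapped verbs and missing scopes are denied.
 */
function restful_example_scope_access($http_method, $scope_string, array $scope_map) {
  $method = strtoupper(trim($http_method));
  if (!isset($scope_map[$method])) {
    return FALSE;
  }
  $granted = restful_example_parse_scopes($scope_string);
  return in_array($scope_map[$method], $granted, TRUE);
}

// Constructed sample: a verified token that was granted only "view".
// A multi-word scope such as "administration view" can only be matched
// when it is a single scope token, so "view" alone must not satisfy it.
$token_scope_string = 'view';
$map = restful_example_scope_map();
var_dump(restful_example_scope_access('get', $token_scope_string, $map));
var_dump(restful_example_scope_access('post', $token_scope_string, $map));
var_dump(restful_example_scope_access('put', $token_scope_string, $map));
```

Note that a scope name containing a space cannot survive the space-delimited scope string, so in practice the "administration view" scope would need a single-token name (an assumption this example leaves to the server configuration).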

e0ipso commented 10 years ago

I was thinking about adding a feature to allow specifying more options per endpoint, for example:

+1

e0ipso commented 10 years ago

@bojanz, @amitaibu specifying more options per endpoint has already been implemented. Does this unblock this?

https://github.com/Gizra/restful/pull/141

amitaibu commented 10 years ago

@bojanz are you still interested (+ have time) in trying to tackle this?

wundo commented 9 years ago

What is the status of the OAuth2 integration?

This is a sine qua non for using this on @chuva-inc projects

e0ipso commented 9 years ago

@wundo unfortunately I don't think that there's any effort happening at this moment.

Maybe it's your chance for a contribution? :smiley:

e0ipso commented 9 years ago

Also, it would be amazing that @chuva-inc provided some kind of support for this contribution!

e0ipso commented 9 years ago

I wish I had more knowledge around OAuth2 to tackle this. I think it can be a game changer for a lot of people (like @wundo).

@amitaibu any chance you can look into this one?

amitaibu commented 9 years ago

@amitaibu any chance you can look into this one?

Apart from not knowing anything about OAuth(2), honestly, as much as I'd like to see it as part of RESTful, since I don't have client work for it -- I'm currently not super motivated to personally do it. On the other hand, I promise to try and delegate it to someone else ;)

amitaibu commented 9 years ago

Also @bojanz is just lazy - all he does is make e-commerce completely awesome :wink:

e0ipso commented 9 years ago

Delegating is good! I actually feel it could be a separate contrib module.


pjcdawkins commented 9 years ago

Started work here, although I haven't addressed either of Bojan's questions yet. https://www.drupal.org/sandbox/pjcdawkins/2446745

My answer to question 1 would be that inconsistency is better than inconsiderateness. The OAuth2 API already has to be treated differently than a typical RESTful API call.

Scopes are harder. But I'm only making an authentication plugin at the moment - not bothering with authorization.

e0ipso commented 9 years ago

@pjcdawkins that is great to hear! Let me know if there is anything we can do to help you move forward with this.

pjcdawkins commented 9 years ago

Just FYI, I think it's more appropriate as a patch for the OAuth2 Server module (because it would have needed a smaller patch anyway) - so I'm going to continue work here: https://www.drupal.org/node/2451303

e0ipso commented 9 years ago

@pjcdawkins awesome!

Have you considered the possibility of writing restful_oauth2 as a new module that extends oauth2 instead of patching oauth2? I say that since this work will likely break backwards compatibility and will require a new oauth2 major version. This fact may throw back the maintainers to include your patch.

Maybe it's worth checking with https://www.drupal.org/u/hytse6c and https://www.drupal.org/u/hswong3i how they feel about this integration.

Again, thanks for the effort!

pjcdawkins commented 9 years ago

I mean the oauth2_server module. It's definitely not going to break BC

pjcdawkins commented 9 years ago

For what it's worth, I've committed a patch to OAuth2 Server which provides RESTful integration.

1) In your RESTful plugin, add

      'authentication_types' => array('oauth2'),

2) Set the oauth2_server_restful_server variable to the machine name of your OAuth2 server.

e0ipso commented 9 years ago

Yes! You rock @pjcdawkins!

Thanks for your work.

tomflanagan commented 8 years ago

I've worked with restful before, however now I am tasked with an interesting problem.

1. We are building an app that uses a yammer login to get access to the content.

2. This app also needs to authenticate with a drupal application.

I was thinking of using OAuth2 for this. I am new to OAuth2 and having to use it to authenticate via an api. Is restful a good solution for this? Or am I maybe overthinking this and there is a simpler way?