umbraco / Umbraco.AuthorizedServices

Umbraco Authorized Services is an open-source package designed to reduce the effort needed to integrate third party services that require authentication and authorization via an OAuth flow.
MIT License

Enable override of BuildPayload() #21

Closed endstreet closed 1 year ago

endstreet commented 1 year ago

Hi awesome plugin.

I am adding this in response to your invitation to enable other services for your plugin. I enthusiastically installed the package for the obvious obfuscation of the authorization methods.

I hit a snag when trying to do the first step of Authorizing the first defined service.

The BuildPayload() method is in a sealed class and uses a standard random number.

Our implementation does something slightly different for additional security, e.g. the Authorization header for the authorize call is not using a random number but rather:

            using System;
            using System.Collections.Generic;
            using System.Text;

            // HTTP Basic credential: base64(clientId ":" secret)
            string auth = Convert.ToBase64String(Encoding.UTF8.GetBytes(clientId + ":" + secret));

            // Headers sent with the token request
            var headers = new List<KeyValuePair<string, string>>
            {
                new KeyValuePair<string, string>("Content-Type", "application/x-www-form-urlencoded"),
                new KeyValuePair<string, string>("Authorization", "Basic " + auth)
            };

Being able to override this method will expand the number of services you will be able to service exponentially.

It is offered as a suggestion rather than a bug.

AndyButland commented 1 year ago

I think you could do this, but for code based extensions we'd be expecting that rather than looking to override BuildPayload on the concrete class you would register your own implementation of IAuthorizationPayloadBuilder (the interface that defines this method).

It looks though that you are looking to implement OAuth Client Secret Authentication, so perhaps we can consider this as another configuration based option for authenticating with services. Do you have a particular SaaS service you are looking to integrate with that uses this method?

endstreet commented 1 year ago

Thanks Andy. Indeed we are implementing OAuth Client Secret Authentication. In our case it is not a publicly available SaaS service but the implementation of a large international group.

mastrup commented 1 year ago

@endstreet Were you able to implement something that lets you authenticate?

I was hoping to use the package with the Client Credentials Grant flow that we use for our own APIs.

AndyButland commented 1 year ago

Client credentials grant flow is something we've worked on, but we haven't released and documented it yet. So it won't work with the current version of the package I'm afraid. Look out for an update in the upcoming weeks though.

AndyButland commented 1 year ago

We'll have support for client credentials grant flow with the next release of the package, due next Tuesday.
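For readers arriving at this thread looking for what "client secret authentication" and the "client credentials grant" discussed above actually put on the wire, the following is an added, self-contained C# example. It is not code from Umbraco.AuthorizedServices, and it does not implement the package's IAuthorizationPayloadBuilder interface (whose exact signature is not shown on this page); it is a plain HttpClient token request using the client_secret_basic method from RFC 6749 §2.3.1 with the client_credentials grant from §4.4. The token endpoint URL, client id, secret and scope are placeholders.

```csharp
// Added example, not part of the Umbraco.AuthorizedServices package.
// Client credentials grant with client_secret_basic authentication (RFC 6749 §2.3.1, §4.4).
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class ClientCredentialsTokenClient
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId;
    private readonly string _clientSecret;

    public ClientCredentialsTokenClient(HttpClient http, Uri tokenEndpoint, string clientId, string clientSecret)
    {
        // The Basic credential is equivalent to the secret itself, so refuse to send it in clear text.
        if (tokenEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Client secrets must only be sent over HTTPS.", nameof(tokenEndpoint));
        _http = http ?? throw new ArgumentNullException(nameof(http));
        _tokenEndpoint = tokenEndpoint;
        _clientId = clientId;
        _clientSecret = clientSecret;
    }

    // RFC 6749 §2.3.1: client id and secret are form-urlencoded *before* being joined with ':'
    // and base64-encoded, so a ':' or non-ASCII byte in either value cannot be mis-split by the server.
    public static string BuildBasicCredential(string clientId, string clientSecret)
    {
        string pair = Uri.EscapeDataString(clientId) + ":" + Uri.EscapeDataString(clientSecret);
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(pair));
    }

    public HttpRequestMessage BuildTokenRequest(string? scope = null)
    {
        var form = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("grant_type", "client_credentials")
        };
        if (!string.IsNullOrEmpty(scope))
            form.Add(new KeyValuePair<string, string>("scope", scope));

        var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint)
        {
            // FormUrlEncodedContent sets "Content-Type: application/x-www-form-urlencoded" itself.
            // With HttpClient, Content-Type belongs on the content; adding it to request.Headers throws.
            Content = new FormUrlEncodedContent(form)
        };
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Basic", BuildBasicCredential(_clientId, _clientSecret));
        return request;
    }

    public async Task<string> RequestAccessTokenAsync(string? scope = null)
    {
        using HttpRequestMessage request = BuildTokenRequest(scope);
        using HttpResponseMessage response = await _http.SendAsync(request);
        string body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"Token endpoint returned {(int)response.StatusCode}: {body}");

        using JsonDocument json = JsonDocument.Parse(body);
        JsonElement root = json.RootElement;
        // RFC 6749 §5.1: token_type is required. Only accept what we know how to use (Bearer);
        // the client credentials grant does not issue a refresh token, so none is expected here.
        if (!root.TryGetProperty("token_type", out JsonElement tokenType)
            || !string.Equals(tokenType.GetString(), "Bearer", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Unexpected or missing token_type in token response.");
        return root.GetProperty("access_token").GetString()
               ?? throw new InvalidOperationException("Token response contained no access_token.");
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholder endpoint and credentials (assumptions for this example). In a real deployment
        // the secret comes from configuration or a secret store, never from source code.
        var client = new ClientCredentialsTokenClient(
            new HttpClient(),
            new Uri("https://auth.example.com/oauth2/token"),
            Environment.GetEnvironmentVariable("OAUTH_CLIENT_ID") ?? "my-client",
            Environment.GetEnvironmentVariable("OAUTH_CLIENT_SECRET") ?? "change-me");
        string token = await client.RequestAccessTokenAsync("api.read");
        Console.WriteLine($"Obtained access token ({token.Length} characters)");
    }
}
```

Two points worth checking against any hand-rolled version of this request: the snippet earlier in the thread base64-encodes `clientId + ":" + secret` without first percent-encoding the two values, which is fine for plain ASCII credentials but diverges from §2.3.1 if either value contains a ':' or non-ASCII character; and putting "Content-Type" in a list of request headers works with some HTTP clients but not with HttpClient, where it must be set on the content object.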