acoumb
commented
1 year ago Included with this PR some additional changes to Authorized Services:
- removed
TokenEncryptionKeyas the focus is on the encryptor usingIDataProtectionProvider. - extended configuration to support OAuth with Proof Key for Code Exchange (with OAuth 2.1 its recommended to be used as an extra layer of security). This will be toggled using the
UseProofKeyForCodeExchangeflag. A flow description can be found here. - grouped
State,Code VerifierandCode Challengeauthorization parameters into anAuthorizationPayloadobject that is cached between authorization and access token request. - back action routing.
- display configuration in the editor view.
- updated documentation - screenshots included.
Testing with Aprimo succeeded with some "hacking", because the OAuth app is managed by them and I cannot change the redirect uri myself. Had to manually copy URL parts and jump between sessions to get some results. After Easter and release of the Aprimo package, I will address this with them and have the URL changed.
Current PR contains the implemented features for encrypting/decrypting access tokens and refresh tokens using the
IDataProtectionProviderand state handling for OAuth requests during the authorization flow.The tokens are encrypted in the storage provider during the CRUD operations, and maybe we can also consider encrypting the settings
TokenEncryptionKeykey usingAES.For authorization requests, a random string is generated for the service and used in the authorization request sent to the provider. The value is cached temporarily using a Singleton dictionary and validated during the service response evaluation. Then it gets removed from the cache.