From sgcWebSockets 2022.3.0, you can use external OAuth2 Providers to Authenticate the Requests received by your server.
The OAuth2 Server Provider Component allows to integrate External OAuth2 Providers (like Azure AD, Google, Facebook...) in your server component (like an HTP server), so an user can login using the Azure AD credentials and if the authentication is successful, the HTTP server can provide access to protected resources.
The OAuth2 Provider Server Component allows to Authenticate using an External OAuth2 Provider (like Azure AD, Google...) to access the protected resources of your server. Example: you can configure your HTTP Server and allow login using the Azure Credentials to your uses, so if the login is successful, you will allow to enter to the protected resources of your server to these users.
The Authentication process is done from the server side and the OAuth2 tokens are not shared with the clients, this means that when the user logins using Azure for example, if the authentication is successful, Azure returns an Access Token that allows to send requests to the Azure server to get some information (depending of the scope) about the user profile, emails... This Access Token IS NOT SHARED with the client (example a web-browser), instead of returning the Access token to the client, the server creates a random ID that it's linked internally with the Access Token, so every time the Client (Web Browser) wants to do a call to the OAuth2 Server, uses the public ID and the server uses this ID to get the OAuth2 Access Token to proxy the HTTP Requests.
Find below an example of how the OAuth2 Authentication works. The example will use the Azure AD configuration described in the following link OAuth2 Provider Azure AD.
Start the Server
The server starts listening on localhost and port 443. The sgcWebSockets HTTP Server is linked to the OAuth2 Server Provider Component and the Authentication property is enabled.
Before the server is started, the Azure OAuth2 Provider is registered using the following method call.
RegisterProvider(
'azure',
'90945b8d-f6b7-4b97-b2bd-21c3c90b5f3x',
'PN67Q~5m06c-~X_GMyMf9zMntmm5l2dt~3jVq',
'https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/authorize',
'https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/token',
'user.read',
'/login',
'https://localhost/callback'
);
User Logins
The user opens a new web browser and go to '/login' endpoint.
The server detects that the '/login' endpoint is used to login using the Azure provider so redirects to
https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/authorize
And the OAuth2 authentication Flow Starts.
OAuth2 Authentication
The user is redirected to the OAuth2 Server Authentication Endpoint, now he must login using the credentials and accept the terms of the OAuth2 Application.
If the authorization is successful, Azure AD sends a Code to the url
https://localhost/callback
Validate the OAuth2 Code
Now, the server has received a code from Azure and it will do an internal connection to Azure (from server to server) to validate this token is correct (and avoid someone is trying to hack the server).
The server connects to
https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/token
Passing some paramenters like the code received and the clientsecret, if the validation is successful, Azure returns the Access Token that can be used to access the Azure Protected Resources like read the profile, email...
Successful Access Token
When the server receives a success full AccessToken, the event OnOAuth2ProviderTokenValid is called, so here you can configure how the AccessToken is stored (if it is) accessing to the parameter class TsgcHTTPOAuth2ProviderToken
AccesToken: is the OAuth2 Token returned by Azure
ID: is the public identifier stored as a cookie.
In this event you can configure what to do after a successful authentication, example: if you want to redirect the user to the private url, use the following
Response.Redirect.URL := 'https://localhost/private';
Send Requests to Azure
Now, you can send requests to the Azure server using the Public ID stored as a cookie.
Example: if you want to read the profile data, use the following method.
Get('ID', 'https://graph.microsoft.com/v1.0/me');
Where ID is the public ID identifier.
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.