By Admin on Friday, 11 March 2022
Category: All

Authorization using External OAuth2 Providers

​From sgcWebSockets 2022.3.0, you can use external OAuth2 Providers to Authenticate the Requests received by your server.

The OAuth2 Server Provider Component allows to integrate External OAuth2 Providers (like Azure AD, Google, Facebook...) in your server component (like an HTP server), so an user can login using the Azure AD credentials and if the authentication is successful, the HTTP server can provide access to protected resources.

OAuth2 Server Provider Flow 

The OAuth2 Provider Server Component allows to Authenticate using an External OAuth2 Provider (like Azure AD, Google...) to access the protected resources of your server. Example: you can configure your HTTP Server and allow login using the Azure Credentials to your uses, so if the login is successful, you will allow to enter to the protected resources of your server to these users.

The Authentication process is done from the server side and the OAuth2 tokens are not shared with the clients, this means that when the user logins using Azure for example, if the authentication is successful, Azure returns an Access Token that allows to send requests to the Azure server to get some information (depending of the scope) about the user profile, emails... This Access Token IS NOT SHARED with the client (example a web-browser), instead of returning the Access token to the client, the server creates a random ID that it's linked internally with the Access Token, so every time the Client (Web Browser) wants to do a call to the OAuth2 Server, uses the public ID and the server uses this ID to get the OAuth2 Access Token to proxy the HTTP Requests.

Find below an example of how the OAuth2 Authentication works. The example will use the Azure AD configuration described in the following link OAuth2 Provider Azure AD.

Start the Server

The server starts listening on localhost and port 443. The sgcWebSockets HTTP Server is linked to the OAuth2 Server Provider Component and the Authentication property is enabled.

Before the server is started, the Azure OAuth2 Provider is registered using the following method call.

RegisterProvider(
'azure',
'90945b8d-f6b7-4b97-b2bd-21c3c90b5f3x',
'PN67Q~5m06c-~X_GMyMf9zMntmm5l2dt~3jVq',
'https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/authorize',
'https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/token',
'user.read',
'/login',
'https://localhost/callback'
);

User Logins

The user opens a new web browser and go to '/login' endpoint.

The server detects that the '/login' endpoint is used to login using the Azure provider so redirects to

https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/authorize

And the OAuth2 authentication Flow Starts.

OAuth2 Authentication

The user is redirected to the OAuth2 Server Authentication Endpoint, now he must login using the credentials and accept the terms of the OAuth2 Application.

If the authorization is successful, Azure AD sends a Code to the url

https://localhost/callback

Validate the OAuth2 Code

Now, the server has received a code from Azure and it will do an internal connection to Azure (from server to server) to validate this token is correct (and avoid someone is trying to hack the server).

The server connects to

https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/token

Passing some paramenters like the code received and the clientsecret, if the validation is successful, Azure returns the Access Token that can be used to access the Azure Protected Resources like read the profile, email...

Successful Access Token

When the server receives a success full AccessToken, the event OnOAuth2ProviderTokenValid is called, so here you can configure how the AccessToken is stored (if it is) accessing to the parameter class TsgcHTTPOAuth2ProviderToken

AccesToken: is the OAuth2 Token returned by Azure

ID: is the public identifier stored as a cookie.

In this event you can configure what to do after a successful authentication, example: if you want to redirect the user to the private url, use the following

Response.Redirect.URL := 'https://localhost/private';

Send Requests to Azure

Now, you can send requests to the Azure server using the Public ID stored as a cookie.

Example: if you want to read the profile data, use the following method.

Get('ID', 'https://graph.microsoft.com/v1.0/me');

Where ID is the public ID identifier.

Download OAuth2 Azure AD Compiled demo for Windows 

Related Posts