OAuth2 Provider | Authentication

The OAuth2 Provider Server Component allows users to authenticate with an external OAuth2 provider (such as Azure AD or Google) in order to access the protected resources of your server. Example: you can configure your HTTP Server to allow your users to log in with their Azure credentials; if the login is successful, those users are allowed to access the protected resources of your server.

The authentication process is carried out on the server side and the OAuth2 tokens are never shared with the clients. When a user logs in with Azure, for example, and the authentication succeeds, Azure returns an Access Token that allows requests to be sent to the Azure server to obtain information about the user (profile, emails and so on, depending on the scope). This Access Token IS NOT SHARED with the client (for example a web browser). Instead of returning the Access Token to the client, the server creates a random ID that is linked internally to the Access Token; every time the client (web browser) wants to make a call through the OAuth2 server, it presents this public ID, and the server uses it to look up the OAuth2 Access Token and proxy the HTTP request.

Below is an example of how the OAuth2 authentication works. The example uses the Azure AD configuration described in the OAuth2 Provider Azure AD page.

Start the Server


The server starts listening on localhost and port 443. The sgcWebSockets HTTP Server is linked to the OAuth2 Server Provider Component and the Authentication property is enabled.

Before the server is started, the Azure OAuth2 Provider is registered using the following method call.

  // Registers the Azure AD provider. Parameter order, as used in this example:
  // provider name, client id, client secret, authorize endpoint, token endpoint,
  // scope, login endpoint on this server, callback (redirect) URL.
  RegisterProvider(
    'azure',                                   // provider name
    '90945b8d-f6b7-4b97-b2bd-21c3c90b5f3x',    // client id (application id)
    'PN67Q~5m06c-~X_GMyMf9zMntmm5l2dt~3jVq',   // client secret: stays on the server only
    'https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/authorize', // authorize endpoint
    'https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/token',     // token endpoint
    'user.read',                               // scope requested from Azure AD
    '/login',                                  // endpoint on this server that starts the login
    'https://localhost/callback'               // redirect URL registered in Azure AD
    );

User Logins

The user opens a new web browser and goes to the '/login' endpoint.

The server detects that the '/login' endpoint is configured for login with the Azure provider, so it redirects the browser to

https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/authorize

and the OAuth2 authentication flow starts.

OAuth2 Authentication

The user is redirected to the OAuth2 server's authentication endpoint, where they must log in with their credentials and accept the terms of the OAuth2 application.

If the authorization is successful, Azure AD sends an authorization code to the URL

https://localhost/callback

Validate the OAuth2 Code

Now the server has received a code from Azure. It makes an internal server-to-server connection to Azure to validate that this code is genuine (so that a forged code sent to the callback cannot be used to gain access).

The server connects to

https://login.microsoftonline.com/a0ca2055-5dd1-467f-bf13-291f6fd715c6/oauth2/v2.0/token

passing parameters such as the received code and the client secret. If the validation is successful, Azure returns the Access Token that can be used to access Azure protected resources such as the user's profile, emails...

Successful Access Token

When the server receives a valid Access Token, the OnOAuth2ProviderTokenValid event is called. Here you can configure how (and whether) the Access Token is stored, through the event's TsgcHTTPOAuth2ProviderToken parameter, which exposes:

AccessToken: the OAuth2 token returned by Azure.

ID: the public identifier stored as a cookie.

In this event you can also configure what happens after a successful authentication. For example, to redirect the user to the private URL, use the following:

Response.Redirect.URL := 'https://localhost/private';

Send Requests to Azure

Now you can send requests to the Azure server using the public ID stored as a cookie.

Example: to read the profile data, use the following method.

Get('ID', 'https://graph.microsoft.com/v1.0/me');

where ID is the public identifier.
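As an added illustration of the server-side token handling described on this page (the random public ID linked to the Access Token, the cookie, and the proxied Get call), here is a Python sketch of the same mechanism. It is not the sgcWebSockets component's own code: OAuth2TokenStore, handle_callback, proxy_get and the exchange_code/transport callables are hypothetical names standing in for the component's internals and its HTTP calls.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple


class OAuth2TokenStore:
    """Hypothetical stand-in for the component's internal ID -> Access Token
    map: the browser only ever sees the random ID, never the token."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def store(self, access_token: str) -> str:
        # 32 bytes from the OS CSPRNG: the ID must be unguessable, since
        # whoever presents it can use the linked Access Token.
        public_id = secrets.token_urlsafe(32)
        self._tokens[public_id] = access_token
        return public_id

    def lookup(self, public_id: str) -> Optional[str]:
        return self._tokens.get(public_id)

    def revoke(self, public_id: str) -> None:
        # Dropping the ID cuts the browser off from the token (logout).
        self._tokens.pop(public_id, None)


def handle_callback(store: OAuth2TokenStore, code: str,
                    exchange_code: Callable[[str], Optional[str]]):
    """Handle the /callback redirect: exchange_code does the server-to-server
    call to the token endpoint; only the public ID goes back to the browser,
    as an HttpOnly cookie. Returns (public_id, response_headers)."""
    access_token = exchange_code(code)
    if access_token is None:  # Azure rejected the code: no session created
        return None, {}
    public_id = store.store(access_token)
    return public_id, {"Set-Cookie": f"ID={public_id}; HttpOnly; Secure"}


def proxy_get(store: OAuth2TokenStore, public_id: str, url: str,
              transport: Callable[[str, Dict[str, str]], Tuple[int, str]]):
    """The page's Get('ID', url): resolve the cookie ID to the Access Token and
    attach it as a Bearer header on the outbound request to Azure."""
    access_token = store.lookup(public_id)
    if access_token is None:
        return 401, "unknown or revoked ID"  # never forward without a token
    return transport(url, {"Authorization": f"Bearer {access_token}"})
```

The exchange_code callable is where the real component posts the code and client secret to the token endpoint; here it is left as a parameter so the flow can be exercised offline.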