This component provides the OAuth2 protocol implementation in Server Side Components.
The server components have a property called Authorization.OAuth.OAuth2 where you can assign an instance of TsgcHTTP_OAuth2_Server, so if Authentication is enabled and OAuh2 property is attached to OAuth2 Server Component, the WebSocket and HTTP Requests require a Bearer Token to be processed, if not the connection will be closed automatically.
OAuth2 := TsgcHTTP_OAuth2_Server.Create(nil);
Server.Authentication.Enabled := True;
Server.Authentication.OAuth.OAuth2 := OAuth2;By default, the component is configured with the following endpoints to handle Authorization and Token request
Authorization: /sgc/oauth2/auth
Token: /sgc/oauth2/token
So if server is listening on port 443 and domain is www.esegece.com, the EndPoints will be:
Authorization: https://www.esegece.com/sgc/oauth2/auth
Token: https://www.esegece.com/sgc/oauth2/token
The endpoints can be configured in OAuth2Options property.
By default, PKCE (is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks) is enabled.
Before you can begin the OAuth2 process, you must register which Apps will be available, this is done using Apps property of OAuth2 server component.
Use Apps.AddApp to add a new Application to OAuth2 server, you must set the following parameters:
Optionally you can set the following parameters:
Use Apps.RemoveApp to delete an existing App.
If the server has been restarted while there were some token issued, you can recover these tokens using the method AddToken before starting the OAuth2 Server and after registering the Apps
Removes an already issued Token.
While OAuth2 is enabled on Server-side, if a websocket client tries to connect without providing a valid Token, the connection will be closed automatically. The same applies to HTTP requests.
TsgcWebSocketClient can be configured to request a OAuth2 token and sent when connects to server. You have 2 options in order to send a Bearer Token:
1. Use Authentication.Token property, this is usefull when you have a valid token obtained from an external third-party and you only want to pass as a connection header to get Access to server.
Authorization.Enabled := True;
Authorization.Token.Enabled := True;
Authorization.Token.AuthName := 'Bearer';
Authorization.Token.AuthToken := 'your token here';2. Attach a TsgcHTTP_OAuth2_Client and let the client request an Access Token and send it automatically when websocket client connects to server.
Some events are provided to handle the OAuth2 Flow Control.
This event is called when a new HTTP connection is established with server and before checks if the connection request is trying to do an Authorization or request a new token. If you don't need that this request is processed by OAuth2 server, set Cancel parameter to true.
The event is called too when checks if the Token is valid.
The event is called before the Authorization web-page is showed to user, allows to customize the HTML code shown to user.
When a client request Authorization, server shows a page were user can allow connection and requires to login to server. This is the event where you can read the User/Password set by user and accept or not the connection.
After the server process successfully the Access Token, this event is called. Useful for log purposes.
After the server process successfully the Refresh Token, this event is called. Useful for log purposes.
When a client do a request with a Token, this token is processed by server to check if it's valid or not, if the token is valid and not expired, this event is called. Useful for log purposes.
This event is called before the connection is closed because there is no authorization token or is invalid, by default, the Disconnect parameter is true, you can set to false if you still want to accept the connection. This event can configure which endpoints must implement OAuth2 Authorization or not.