OAuth2 | TsgcHTTP_OAuth2_Server

This component provides the OAuth2 protocol implementation in Server Side Components.

The server components have a property called Authorization.OAuth.OAuth2 where you can assign an instance of TsgcHTTP_OAuth2_Server, so if Authentication is enabled and OAuh2 property is attached to OAuth2 Server Component, the WebSocket and HTTP Requests require a Bearer Token to be processed, if not the connection will be closed automatically.


OAuth2 := TsgcHTTP_OAuth2_Server.Create(nil);
Server.Authentication.Enabled := True;
Server.Authentication.OAuth.OAuth2 := OAuth2;

The server supports the following authorization types:

auth2Code: It's used to perform authentication and authorization in the majority of application types, including single page applications, web applications, and natively installed applications. The flow enables apps to securely acquire access_tokens that can be used to access resources secured, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user.

auth2ClientCredentials: This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts.

The Authorization type can be customized when registering the App, by default, all authorization types are supported.

EndPoints

By default, the component is configured with the following endpoints to handle Authorization and Token request

Authorization: /sgc/oauth2/auth

Token: /sgc/oauth2/token

So if server is listening on port 443 and domain is www.esegece.com, the EndPoints will be:

Authorization: https://www.esegece.com/sgc/oauth2/auth

Token: https://www.esegece.com/sgc/oauth2/token

The endpoints can be configured in OAuth2Options property.

By default, PKCE (is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks) is enabled.

Configuration

Before you can begin the OAuth2 process, you must register which Apps will be available, this is done using Apps property of OAuth2 server component.

Register App

Use Apps.AddApp to add a new Application to OAuth2 server, you must set the following parameters:

App Name: is the name of the Application. Example: MyApp
RedirectURI: is where the responses will be redirected. Example: http://127.0.0.1:8080
ClientId: is public information and is the ID of the client.
ClientSecret: must be kept confidential.

Optionally you can set the following parameters:

ExpiresIn: by default is 3600 seconds, so the token will expire in 1 hour, you can set a greater value if you need.
RefreshToken: by default refresh tokens are supported, if not, set this parameter to false.
AllowedGrantTypes: by default all grant types are supported (auth2Code and auth2ClientCredentials), but the server can be configured to only allow Code Authorization or only Client Credentials.

Delete App

Use Apps.RemoveApp to delete an existing App.

AddToken

If the server has been restarted while there were some token issued, you can recover these tokens using the method AddToken before starting the OAuth2 Server and after registering the Apps

AppName: the name of the application.
Token: access token.
Expires: when the token expires.
RefreshToken: refresh token.

RemoveToken

Removes an already issued Token.

Most common uses

QuickStart

Authenticate
- OAuth2 Server Autentication
- OAuth2 None Authenticate some URLs

Connections

While OAuth2 is enabled on Server-side, if a websocket client tries to connect without providing a valid Token, the connection will be closed automatically. The same applies to HTTP requests.

TsgcWebSocketClient can be configured to request a OAuth2 token and sent when connects to server. You have 2 options in order to send a Bearer Token:

1. Use Authentication.Token property, this is usefull when you have a valid token obtained from an external third-party and you only want to pass as a connection header to get Access to server.


Authorization.Enabled := True;
Authorization.Token.Enabled := True;
Authorization.Token.AuthName := 'Bearer';
Authorization.Token.AuthToken := 'your token here';

2. Attach a TsgcHTTP_OAuth2_Client and let the client request an Access Token and send it automatically when websocket client connects to server.

Events

Some events are provided to handle the OAuth2 Flow Control.

OnOAuth2BeforeRequest

This event is called when a new HTTP connection is established with server and before checks if the connection request is trying to do an Authorization or request a new token. If you don't need that this request is processed by OAuth2 server, set Cancel parameter to true.

The event is called too when checks if the Token is valid.

OnOAuth2BeforeDispatchPage

The event is called before the Authorization web-page is showed to user, allows to customize the HTML code shown to user.

OnOAuth2Authentication

When a client request Authorization, server shows a page were user can allow connection and requires to login to server. This is the event where you can read the User/Password set by user and accept or not the connection.

OnOAuth2AfterAccessToken

After the server process successfully the Access Token, this event is called. Useful for log purposes.

OnOAuth2AfterRefreshToken

After the server process successfully the Refresh Token, this event is called. Useful for log purposes.

OnOAuth2AfterValidateAccessToken

When a client do a request with a Token, this token is processed by server to check if it's valid or not, if the token is valid and not expired, this event is called. Useful for log purposes.

OnOAuth2Unauthorized

This event is called before the connection is closed because there is no authorization token or is invalid, by default, the Disconnect parameter is true, you can set to false if you still want to accept the connection. This event can configure which endpoints must implement OAuth2 Authorization or not.