« Back

What about OAuth?

Staff Blogs April 19, 2013 By Igor Beslic Staff

Hi all, I'll share with you our latest progress made with supporting OAuth authorized requests. I'll make example with android application since I'm familiar with it (enough to display button).

OAuth server support comes as OAuth 1.0a spec based portlet plugin with application registration UI, user authorization approval and secure filter that checks validity of oauth credentials (thank you Tomas for the filter, and Ivica for all hours we spent together). OAuth is very pratical since it moves authentication actions to platform side (Liferay Portal), and application doesn't need handle security issues regarding credentials storing. If you are application developer, and want your application to access Liferay portal resources this could be a way to do it:

1. Go to OAuth admin

2. Register application

3. Get yours consumer key and secret

Now... You should take an OAuth api (scribe or signpost) and make your consumer application. My application is simple android application whic would do nothing awesome, but will make authorized document library access:

- make oauth request token and bring user to Liferay portal application authorization page. If user is not signed in, he/she would be asked to do it.

 

- Once user is signed in authorization page will be shown. After user confirms he/she grants access to her/his liferay resources Liferay redirects user to defined redirect URL (not clear from screenshots, but as a redirect I'm using my-application://www.liferay.com/something so that android browser knows where to pass redirect).

- user acces token and token secret are being stord in application properties, an I'm able to query portal (I'll grab some folders and display it):

So what do you think?

I used this links to assembly android application:

Threaded Replies Author Date
HI Igor! Looks really great! It is part of 6.2... Alexey Kakunin April 19, 2013 7:48 AM
Hi Alexey! Great to hear you. It is available... Igor Beslic April 20, 2013 1:18 AM
Hi, where can i find this plugin? is it in... Charly Wu May 8, 2013 3:23 AM
Hi Charly, I'm not sure about exact date, but... Igor Beslic June 21, 2013 1:21 AM
Great feature Igor, looking forward to using... Stian Sigvartsen April 21, 2013 3:15 AM
Hi Stian, I try to answer the SOAP question -... Tomas Polesovsky April 22, 2013 1:40 AM
Hi Igor, Veru usefull and appropriate to our... Corné Aussems April 21, 2013 11:42 PM
Is the actual version of the plugin or its... Laszlo Miklosik April 22, 2013 1:04 AM
Hi Laszlo, regarding to plugin, it implements... Ivica Cardic April 22, 2013 1:55 AM
Hi Laszlo, I'm not sure, I think... Igor Beslic April 22, 2013 2:01 AM
Great feature Igor. Can you please let me know... Tina Agrawal October 1, 2013 6:34 AM
Hi Tina, example shown fetches portal data... Igor Beslic October 1, 2013 8:15 AM
Thanks Igor. Will definitely try using it. Tina Agrawal October 1, 2013 8:28 AM
Hi Igor, I am not able to find this in 6.1 GA2... Tina Agrawal December 4, 2013 2:22 AM
Hi Igor, I am not able to find this in 6.1 GA2... Tina Agrawal December 4, 2013 2:22 AM
Hi Igor, I couldn't find such implementation... Gaurav Jain October 9, 2013 2:52 AM
[...] Ben Brown of South Worcestershire Shared... Anonymous October 16, 2013 3:19 PM
Hi Igor, From where i can download oAuth... devaki s December 4, 2013 3:23 AM
Hi, Can this be used when Liferay is acting as... Sameer Naik February 4, 2014 9:29 PM

HI Igor! Looks really great! It is part of 6.2 - or this functionality will be available for 6.1 as plugin as well?
Posted on 4/19/13 7:48 AM.
Hi Alexey! Great to hear you.
It is available as plugin for 6.1 but after we finish all reviews and tests we will make it ready for 6.2.
Posted on 4/20/13 1:18 AM in reply to Alexey Kakunin.
Great feature Igor, looking forward to using it! Will this be available for the SOAP services as well? Any chance of getting access to a pre-release build / source (6.1 compatible) so I can have a go at integration Orbeon forms with permission controlled Liferay assets using this?
Posted on 4/21/13 3:15 AM.
Hi Igor,
Veru usefull and appropriate to our endeavours to secure mobile connections.
Thanks
Posted on 4/21/13 11:42 PM.
Is the actual version of the plugin or its sources available to the community? (I could not find them on the Liferay github repo's liferay-plugins directory).

Do you also plan to implement OAuth 2.0 Provider support?

From what I see OAuth 1.0.a consumer support is already built into Liferay's core (in class com.liferay.portal.oauth.OAuthManagerImpl) and it uses the scribe OAuth client library.

Is your OAuth 1.0.a Service Provider implementation relying on any of the available OAuth server side libraries (e.g. Spring Security)?

We also need OAuth support asap in one of our Liferay deployments and would like to implement a solution which is in-line with Liferay's roadmap regarding OAuth.

Thanks
Posted on 4/22/13 1:04 AM.
Hi Stian, I try to answer the SOAP question - the default configuration of OAuth authentication filter doesn't include SOAP services. Anyway, the filter is extensible enough to be used with any servlet => Yes, SOAP should work.
Posted on 4/22/13 1:40 AM in reply to Stian Sigvartsen.
Hi Laszlo,
regarding to plugin, it implements provider support so you can use Liferay as an oauth provider.
We used source from http://oauth.googlecode.com/svn/code/java/core/ as our base and then we added all additional needed stuff.
Regarding to OAuth 2.0, we will probably make implementation but I can't tell you when because the spec is finished recently, there are some implementations but thy are still immature.

For now the plugin should be available only for ee versions.

Best Regards
Posted on 4/22/13 1:55 AM in reply to Laszlo Miklosik.
Hi Laszlo, I'm not sure, I think com.liferay.portal.oauth.OAuthManagerImpl provides client access to OAuth provider for some core portlets. Only official OAuth provider implementation is this one.
Posted on 4/22/13 2:01 AM in reply to Laszlo Miklosik.
Hi,
where can i find this plugin? is it in marketplace?
Posted on 5/8/13 3:23 AM in reply to Igor Beslic.
Hi Charly, I'm not sure about exact date, but plugin will be available via market place.
Posted on 6/21/13 1:21 AM in reply to Charly Wu.
Great feature Igor. Can you please let me know how you are getting the Portal Data? Which API we need to call? Are these the SOAP Services that get called? And where can we download this portlet from?
Posted on 10/1/13 6:34 AM.
Hi Tina, example shown fetches portal data using JSON WS.
Available services could be examined if you refer path /api/jsonws at your portal instance. If you are at local host it should look like:
http://localhost:8080/api/jsonws

Developer documentation: https://www.liferay.com/documentation/liferay-portal/6.1/development/-/ai/json-w­eb-services
Wiki: https://www.liferay.com/community/wiki/-/wiki/Main/JSON+Web+Services

Portlet is available for Enterprise Edition only since 6.1 GA2
Posted on 10/1/13 8:15 AM in reply to Tina Agrawal.
Thanks Igor. Will definitely try using it.
Posted on 10/1/13 8:28 AM in reply to Igor Beslic.
Hi Igor,

I couldn't find such implementation in 6.2.0 CE RC3 release.

Is this not yet available there?
Posted on 10/9/13 2:52 AM.
[...] Ben Brown of South Worcestershire Shared ICT Service was present and gave a talk about how they are  hosting Liferay Portal using the Jelastic cloud. At some point I would really like to explore... [...] Read More
Posted on 10/16/13 3:19 PM.
Hi Igor, I am not able to find this in 6.1 GA2 Marketplace. Where can I download this from?
Posted on 12/4/13 2:22 AM in reply to Igor Beslic.
Hi Igor, I am not able to find this in 6.1 GA2 Marketplace. Where can I download this from?
Posted on 12/4/13 2:22 AM in reply to Igor Beslic.
Hi Igor,

From where i can download oAuth plugin? I am not seeing it in market place.
Posted on 12/4/13 3:23 AM.
Hi,

Can this be used when Liferay is acting as SAML2 IdP?
Posted on 2/4/14 9:29 PM.