• Stars
    star
    217
  • Rank 182,417 (Top 4 %)
  • Language
    Erlang
  • License
    MIT License
  • Created over 12 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Erlang Oauth2 implementation

OAuth2 (v0.7.0) BuildStatus

This library is designed to simplify the implementation of the server side of OAuth2 (http://tools.ietf.org/html/rfc6749). It provides no support for developing clients. See oauth2_client for support in accessing Oauth2 enabled services.

oauth2 is released under the terms of the MIT license

Current stable version: 0.6.1

Current α alpha version: 0.7.x

copyright 2012-2015 Kivra

tl;dr

Examples

Check out the examples.

Related projects

Webmachine server implementation by Oauth2 contributor Ivan Martinez: oauth2_webmachine.

Redis backed Oauth2 backend.

Concepts

Tokens

A token is a (randomly generated) string provided to the client by the server in response to some form of authorization request. There are several types of tokens:

  • Access Token: An access token identifies the origin of a request for a privileged resource.
  • Refresh Token: A refresh token can be used to replace an expired access token.

Expiry

Access tokens can (optionally) be set to expire after a certain amount of time. An expired token cannot be used to gain access to resources.

Identities

A token is associated with an identity -- a value that uniquely identifies a user, client or agent within your system. Typically, this is a user identifier.

Scope

The scope is handled by the backend implementation. The specification outlines that the scope is a space delimetered set of parameters. This library has been developed with the following in mind.

Scope is implemented as a set and loosely modeled after the Solaris RBAC priviliges, i.e. solaris.x.* and implemented as a MAC with the ability to narrow the scope but not extend it beyond the predefined scope.

But since the scope is opaque to this Oauth2 implementation you can use the scoping strategy that best suit your workflow.

There is a utility module to work with scope. The recommendation is to pass a Scope as a list of binaries, i.e. [<<"root.a.c.b">>, <<"root.x.y.z">>] you can then validate these against another set like:

> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a.b">>, <<"root.x.y">>]),
                            oauth2_priv_set:new([<<"root.*">>])).
true
> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a.b">>, <<"root.x.y">>]),
                            oauth2_priv_set:new([<<"root.x.y">>])).
false
> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a.b">>, <<"root.x.y">>]),
                            oauth2_priv_set:new([<<"root.a.*">>, <<"root.x.y">>])).
true

Clients

If you have many diverse clients connecting to your service -- for instance, a web client and an iPhone app -- it's desirable to be able to distinguish them from one another and to be able to grant or revoke privileges based on the type the client issuing a request. As described in the OAuth2 specification, clients come in two flavors:

  • Confidential clients, which can be expected to keep their credentials from being disclosed. For instance, a web site owned and operated by you could be regarded as confidential.
  • Public clients, whose credentials are assumed to be compromised the moment the client software is released to the public.

Clients are distinguished by their identifiers, and can (optionally) be authenticated using a secret key shared between the client and server.

Testing

If you want to run the EUnit test cases, you can do so with:

$ make ct

Customization

The library makes no assumptions as to how you want to implement authentication and persistence of users, clients and tokens. Instead, it provides a behavior (oauth2_backend) with functions that needs to be implemented. To direct calls to a different backend module, simply set {backend, your_backend_module} in the oauth2 section of your app.config.

Look at oauth2_mock_backend for how a backend can be implemented.

The following example demonstrates a basic app.config section for oauth2.

[
    {oauth2, [
        %% Default expiry_time for access_tokens unless
        %% overridden per flow
        {expiry_time, 3600}
        ,{backend, backend_goes_here}

        %% Optional expiry_time override per flow
        ,{password_credentials, [
            {expiry_time, 7200}
        ]}
        ,{client_credentials, [
            {expiry_time, 86400}
        ]}
        ,{refresh_token, [
            {expiry_time, 2592000} %% 30 Days
        ]}
        ,{code_grant, [
            %% Recommended absolute expiry time from the spec
            {expiry_time, 600}
        ]}
    ]}
].

A complete list of functions that your backend must provide is available by looking at oauth2_backend.erl, which contains documentation and function specifications.

To implement a custom token generation backend you can change your app.config as such:

[
    {oauth2, [
        {token_generation, YOUR_TOKEN_GENERATOR}
    ]}
].

The default token generator is called oauth2_token. To implement your own you should create your own module implementing the oauth2_token_generation behavior exporting one function generate/0.

More Repositories

1

restclient

Erlang Rest Client
Erlang
88
star
2

oauth2_client

Erlang OAuth2 Client
Erlang
71
star
3

giallo

Small and flexible web framework on top of Cowboy
Erlang
67
star
4

email

The Erlang Mail application or Email for short
Erlang
33
star
5

zerolog

Log transport that just works with zero effort.
JavaScript
31
star
6

oauth2_example

Example application for oauth2
Erlang
30
star
7

emagick

Wrapper for Graphics/ImageMagick command line tool.
Erlang
27
star
8

lager_loggly

Loggly backend for lager
Erlang
16
star
9

robotnik

Dr Robotnik web scraper robot factory
Erlang
15
star
10

jsonformat

A Erlang Logger Json Formatter - Structured Logging of Maps to JSON
Erlang
13
star
11

merlin

Erlang
12
star
12

giallo_session

Session Management for Giallo Web Framework
Erlang
10
star
13

money_laundry

💸 Erlang Currency and money laundering functions
Erlang
9
star
14

id_token

Erlang application to easily handle ID tokens
Erlang
9
star
15

mechanus_fsm

Mechanus FSM
Erlang
9
star
16

sftp_utils

Erlang SFTP Utils
Erlang
9
star
17

greph

Erlang port of Prismatic's graph package.
Erlang
8
star
18

developer.kivra.com

API Documentation, etc
HTML
7
star
19

fluentd-erlang

Fluentd Erlang Client
Erlang
6
star
20

ehtmltopdf

Erlang wrapper for converting HTML to PDF
Erlang
6
star
21

raven-erlang

Erlang
5
star
22

ews

Erlang Web Services
Erlang
4
star
23

krakend-correlationid

KrakenD middleware for adding Correlation IDs to incoming requests
Go
3
star
24

kivra-api-errors

Kivra API Errors
Erlang
3
star
25

krakend-urlrewrite

KrakenD middleware to rewrite URLs
Go
3
star
26

giallo_examples

Giallo example applications
Erlang
3
star
27

lager_backends

Custom backends for lager
Erlang
2
star
28

angular-popup-service

Library for handling popup boxes in angular
CSS
2
star
29

krakend-sizelimit

KrakenD middleware to limit the size of incoming requests
Go
2
star
30

opentracing-erlang

Opentracing API in Erlang
Erlang
1
star
31

krakend-metalog

KrakenD log formatter and logger middleware
Go
1
star
32

fingerprint_key_store_sample

Kotlin
1
star
33

krakend-shadowproxy

KrakenD middleware for mirroring of proxy (no-op) requests
Go
1
star
34

context

Erlang Standard Context
Erlang
1
star