OAuth1a authorization feature implementation (#28)

* OAuth1a authorization feature implementation

* Updated docs

* Update src/Umbraco.AuthorizedServices/Controllers/AuthorizedServiceResponseController.cs

Co-authored-by: Andy Butland <[email protected]>

* OAuth1 refactoring and usings.

* Add OAuth1 unit tests

* Update OAuth1 generate request token flow.

* Added details of callback URLs to readme.

* Refactored method names.
Removed a custom cache class and used Umbraco's runtime cache.
Fixed issues with migrations.
Added a migration to rename the original table name now that we have different types of tokens.
Removed an unused method from IAuthorizedRequestBuilder.
Aligned use of cache for tokens for OAuth1 with OAuth2.
Bumped version to 0.3.

* Update callback URLs

* OAuth1 request access token flow updates

* Removed unused method and refactored creation of request message for the different authentication methods.

* Refactored controller method names.

* Removed UseRequestTokenWithExtendedParametersList and used extended list for all OAuth1 requests.

* Updated test web app settings.

* Updated tests.

---------

Co-authored-by: Andy Butland <[email protected]>

Author: acoumb

README.md

@@ -45,11 +45,15 @@ Install-Package Umbraco.AuthorizedServices
 dotnet add package Umbraco.AuthorizedServices
 ```
 
-
 ### App Creation
 
 Services that this package are intended to support will offer an OAuth authentication and authorization flow against an "app" that the developer will need to create with the service.  From this various information will be available, including for example a "client ID" and "client secret" that will need to be applied in configuration.
 
+When creating the app it will usually be necessary to configure a call back URL. You should use the following:
+
+- For OAuth2: `/umbraco/api/AuthorizedServiceResponse/HandleOAuth2IdentityResponse`
+- For OAuth1: `/umbraco/api/AuthorizedServiceResponse/HandleOAuth1IdentityResponse`
+
 ### Configuring a Service
 
 Details of services available need to be applied to the Umbraco web application's configuration, which, if using the `appSettings.json` file, will look as follows. Other sources such as environment variables can also be used, as per standard .NET configuration.
@@ -149,7 +153,7 @@ An enum value that defines the JSON serializer to use when creating requests and
 
 ###### AuthorizationRequestRequiresAuthorizationHeaderWithBasicToken
 
-This flag indicates whether the basic token should be included in the request for access token. If true, a base64 encoding of <clientId>:<clientSecret> will be added to 
+This flag indicates whether the basic token should be included in the request for access token. If true, a base64 encoding of <clientId>:<clientSecret> will be added to
 the authorization header.
 
 ###### ClientId *

examples/Umbraco.AuthorizedServices.TestSite/Controllers/TestAuthorizedServicesController.cs

@@ -135,12 +135,23 @@ public IActionResult GetApiKey(string serviceAlias)
 
     public IActionResult GetAccessToken(string serviceAlias)
     {
-        var response = _authorizedServiceCaller.GetToken(serviceAlias);
+        var response = _authorizedServiceCaller.GetOAuth2AccessToken(serviceAlias);
         if (response == null)
         {
             return Problem("Could not retrieve access token.");
         }
 
         return Content(response);
     }
+
+    public IActionResult GetOAuth1OAuthToken(string serviceAlias)
+    {
+        var response = _authorizedServiceCaller.GetOAuth1Token(serviceAlias);
+        if (response == null)
+        {
+            return Problem("Could not retrieve the OAuth token.");
+        }
+
+        return Content(response);
+    }
 }

examples/Umbraco.AuthorizedServices.TestSite/appsettings.json

@@ -154,8 +154,9 @@
           "Scopes": "r_emailaddress r_liteprofile w_member_social",
           "SampleRequest": "/v2/me"
         },
-        "twitter": {
-          "DisplayName": "Twitter",
+        "twitter-oauth2": {
+          "DisplayName": "Twitter OAuth2",
+          "AuthenticationMethod": "OAuth2Code",
           "ApiHost": "https://api.twitter.com",
           "IdentityHost": "https://twitter.com",
           "TokenHost": "https://api.twitter.com",
@@ -169,6 +170,38 @@
           "Scopes": "offline.access tweet.read users.read",
           "SampleRequest": "/2/users/me"
         },
+        "twitter": {
+          "DisplayName": "Twitter",
+          "AuthenticationMethod": "OAuth1",
+          "ApiHost": "https://api.twitter.com",
+          "IdentityHost": "https://api.twitter.com",
+          "TokenHost": "https://api.twitter.com",
+          "RequestIdentityPath": "/oauth/authorize",
+          "RequestTokenPath": "/oauth/access_token",
+          "RequestTokenFormat": "FormUrlEncoded",
+          "RequestAuthorizationPath": "/oauth/request_token",
+          "AuthorizationUrlRequiresRedirectUrl": false,
+          "ClientId": "",
+          "ClientSecret": "",
+          "Scopes": "",
+          "SampleRequest": "/1.1/account/settings.json"
+        },
+        "flickr": {
+          "DisplayName": "Flickr",
+          "AuthenticationMethod": "OAuth1",
+          "ApiHost": "https://www.flickr.com/services",
+          "IdentityHost": "https://www.flickr.com/services",
+          "TokenHost": "https://www.flickr.com/services",
+          "RequestAuthorizationPath": "/oauth/request_token",
+          "RequestIdentityPath": "/oauth/authorize",
+          "RequestTokenPath": "/oauth/access_token",
+          "RequestTokenFormat": "Querystring",
+          "AuthorizationUrlRequiresRedirectUrl": true,
+          "ClientId": "",
+          "ClientSecret": "",
+          "Scopes": "",
+          "SampleRequest": "/rest?nojsoncallback=1&format=json&method=flickr.test.login"
+        },
         "facebook": {
           "DisplayName": "Facebook",
           "ApiHost": "https://graph.facebook.com",

src/Umbraco.AuthorizedServices/AuthorizedServicesComposer.cs

@@ -1,6 +1,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Umbraco.AuthorizedServices.Configuration;
 using Umbraco.AuthorizedServices.Manifests;
+using Umbraco.AuthorizedServices.Models;
 using Umbraco.AuthorizedServices.Services;
 using Umbraco.AuthorizedServices.Services.Implement;
 using Umbraco.Cms.Core.Composing;
@@ -51,15 +52,17 @@ private static void RegisterServices(IUmbracoBuilder builder)
         builder.Services.AddUnique<IDateTimeProvider, DateTimeProvider>();
         builder.Services.AddUnique<IRefreshTokenParametersBuilder, RefreshTokenParametersBuilder>();
 
-        builder.Services.AddUnique<IAuthorizationPayloadCache, AuthorizationPayloadCache>();
         builder.Services.AddUnique<IAuthorizationPayloadBuilder, AuthorizationPayloadBuilder>();
 
         builder.Services.AddUnique<ISecretEncryptor, DataProtectionSecretEncryptor>();
 
         builder.Services.AddUnique<ITokenFactory, TokenFactory>();
-        builder.Services.AddUnique<ITokenStorage, DatabaseTokenStorage>();
+        builder.Services.AddUnique<IOAuth2TokenStorage, DatabaseOAuth2TokenStorage>();
+        builder.Services.AddUnique<IOAuth1TokenStorage, DatabaseOAuth1TokenStorage>();
         builder.Services.AddUnique<IKeyStorage, DatabaseKeyStorage>();
 
         builder.Services.AddSingleton<JsonSerializerFactory>();
+
+        builder.Services.AddHttpContextAccessor();
     }
 }

src/Umbraco.AuthorizedServices/ClientApp/src/backoffice/AuthorizedServices/edit.controller.ts

@@ -12,24 +12,36 @@ function AuthorizedServiceEditController(this: any, $routeParams, $location, aut
         vm.displayName = serviceData.displayName;
         vm.headerName = "Authorized Services: " + vm.displayName;
         vm.isAuthorized = serviceData.isAuthorized;
-        vm.authenticationMethod = serviceData.authenticationMethod;
         vm.canManuallyProvideToken = serviceData.canManuallyProvideToken;
         vm.canManuallyProvideApiKey = serviceData.canManuallyProvideApiKey;
         vm.authorizationUrl = serviceData.authorizationUrl;
         vm.sampleRequest = serviceData.sampleRequest;
         vm.sampleRequestResponse = null;
         vm.settings = serviceData.settings;
-        vm.isOAuthBasedAuthenticationMethod = serviceData.authenticationMethod !== AuthenticationMethod.ApiKey;
+
+        vm.authenticationMethod = {
+          isOAuth1: serviceData.authenticationMethod === AuthenticationMethod.OAuth1,
+          isOAuth2AuthorizationCode: serviceData.authenticationMethod === AuthenticationMethod.OAuth2AuthorizationCode,
+          isOAuth2ClientCredentials: serviceData.authenticationMethod === AuthenticationMethod.OAuth2ClientCredentials,
+          isApiKey: serviceData.authenticationMethod === AuthenticationMethod.ApiKey
+        };
+      }, function (ex) {
+        notificationsService.error("Authorized Services", ex.data.ExceptionMessage);
       });
   }
 
   vm.authorizeAccess = function () {
-    if (vm.authenticationMethod.toString() === AuthenticationMethod.OAuth2ClientCredentials.toString()) {
-      authorizedServiceResource.generateToken(serviceAlias)
+    if (vm.authenticationMethod.isOAuth2ClientCredentials) {
+      authorizedServiceResource.generateOAuth2ClientCredentialsToken(serviceAlias)
         .then(function () {
           notificationsService.success("Authorized Services", "The '" + vm.displayName + "' service has been authorized.");
           loadServiceDetails(serviceAlias);
         });
+    } if (vm.authenticationMethod.isOAuth1) {
+      authorizedServiceResource.generateOAuth1RequestToken(serviceAlias)
+        .then(function (response) {
+          location.href = response.data.message;
+        });
     }
     else {
       location.href = vm.authorizationUrl;
@@ -46,7 +58,7 @@ function AuthorizedServiceEditController(this: any, $routeParams, $location, aut
 
   vm.sendSampleRequest = function () {
     vm.sampleRequestResponse = null;
-    authorizedServiceResource.sendSampleRequest(serviceAlias, vm.sampleRequest)
+    authorizedServiceResource.sendSampleRequest(serviceAlias)
       .then(function (response) {
         vm.sampleRequestResponse = "Request: " + vm.sampleRequest + "\r\nResponse: " + JSON.stringify(response.data, null, 2);
       })
@@ -55,11 +67,11 @@ function AuthorizedServiceEditController(this: any, $routeParams, $location, aut
       });
   };
 
-  vm.saveAccessToken = function () {
+  vm.saveOAuth2AccessToken = function () {
     let inAccessToken = <HTMLInputElement>document.getElementById("inAccessToken");
 
     if (inAccessToken) {
-      authorizedServiceResource.saveToken(serviceAlias, inAccessToken.value)
+      authorizedServiceResource.saveOAuth2Token(serviceAlias, inAccessToken.value)
         .then(function () {
           notificationsService.success("Authorized Services", "The '" + vm.displayName + "' service access token has been saved.");
           inAccessToken.value = "";
@@ -68,6 +80,21 @@ function AuthorizedServiceEditController(this: any, $routeParams, $location, aut
     }
   }
 
+  vm.saveOAuth1TokenDetails = function () {
+    let inAccessToken = <HTMLInputElement>document.getElementById("inAccessToken");
+    let inTokenSecret = <HTMLInputElement>document.getElementById("inTokenSecret");
+
+    if (inAccessToken && inTokenSecret) {
+      authorizedServiceResource.saveOAuth1Token(serviceAlias, inAccessToken.value, inTokenSecret.value)
+        .then(function () {
+          notificationsService.success("Authorized Services", "The '" + vm.displayName + "' service access token and token secret have been saved.");
+          inAccessToken.value = "";
+          inTokenSecret.value = "";
+          loadServiceDetails(serviceAlias);
+        });
+    }
+  }
+
   vm.saveApiKey = function () {
     let inApiKey = <HTMLInputElement>document.getElementById("inApiKey");
 

src/Umbraco.AuthorizedServices/ClientApp/src/backoffice/AuthorizedServices/edit.html

@@ -24,8 +24,7 @@
                             action="vm.sendSampleRequest()"
                             type="button"
                             label="Verify Sample Request"></umb-button>
-                <umb-button ng-if="vm.isOAuthBasedAuthenticationMethod
-                            || (!vm.isOAuthBasedAuthenticationMethod && vm.canManuallyProvideApiKey)"
+                <umb-button ng-if="vm.authenticationMethod.isOAuth1 || vm.authenticationMethod.isOAuth2AuthorizationCode || vm.authenticationMethod.isOAuth2ClientCredentials"
                             action="vm.revokeAccess()"
                             type="button"
                             button-style="danger"
@@ -48,8 +47,39 @@
           </uui-icon-registry-essential>
         </umb-box-content>
       </umb-box>
-      <!-- Provide Token Section -->
-      <umb-box ng-if="vm.canManuallyProvideToken">
+      <!-- Provide OAuth1 Token Section -->
+      <umb-box ng-if="vm.canManuallyProvideToken && vm.authenticationMethod.isOAuth1">
+        <umb-box-header title="Provide OAuth1 Access Token and Token Secret"></umb-box-header>
+        <umb-box-content>
+          <uui-icon-registry-essential>
+            <uui-card-content-node name="OAuth1 Access Token and Token Secret">
+              <uui-icon slot="icon" name="add"></uui-icon>
+              <p class="auth-srv">Enter service access token and token secret</p>
+              <p>This service is configured indicating that an access token and a token secret can be generated via the service's developer portal. Once you have obtained them you can copy and paste them here to authorize the service.</p>
+              <div>
+                <uui-form>
+                  <uui-form-layout-item class="oauth-form-item">
+                    <uui-label for="inAccessToken" slot="label">Access Token</uui-label>
+                    <uui-input id="inAccessToken" name="access_token" type="text" label="Access Token"></uui-input>
+                  </uui-form-layout-item>
+                  <uui-form-layout-item class="oauth-form-item">
+                    <uui-label for="inTokenSecret" slot="label">Token Secret</uui-label>
+                    <uui-input id="inTokenSecret" name="token_secret" type="text" label="Token Secret"></uui-input>
+                  </uui-form-layout-item>
+                  <div>
+                    <umb-button action="vm.saveOAuth1TokenDetails()"
+                                type="button"
+                                button-style="primary"
+                                label="Save"></umb-button>
+                  </div>
+                </uui-form>
+              </div>
+            </uui-card-content-node>
+          </uui-icon-registry-essential>
+        </umb-box-content>
+      </umb-box>
+      <!-- Provide OAuth2 Token Section -->
+      <umb-box ng-if="vm.canManuallyProvideToken && (vm.authenticationMethod.isOAuth2AuthorizationCode || vm.authenticationMethod.isOAuth2ClientCredentials)">
         <umb-box-header title="Provide Token"></umb-box-header>
         <umb-box-content>
           <uui-icon-registry-essential>
@@ -58,18 +88,25 @@
               <p class="auth-srv">Enter service access token</p>
               <p>This service is configured indicating that a token can be generated via the service's developer portal. Once you have obtained one you can copy and paste it here to authorize the service.</p>
               <div>
-                <uui-input id="inAccessToken" type="text" name="inAccessToken" style="width: 40%;font-size:14px;"></uui-input>
-                <umb-button action="vm.saveAccessToken()"
-                            type="button"
-                            button-style="primary"
-                            label="Save"></umb-button>
+                <uui-form>
+                  <uui-form-layout-item class="oauth-form-item">
+                    <uui-label for="inAccessToken" slot="label">Access Token</uui-label>
+                    <uui-input id="inAccessToken" name="access_token" type="text" label="Access Token"></uui-input>
+                  </uui-form-layout-item>
+                  <div>
+                    <umb-button action="vm.saveOAuth2AccessToken()"
+                                type="button"
+                                button-style="primary"
+                                label="Save"></umb-button>
+                  </div>
+                </uui-form>
               </div>
             </uui-card-content-node>
           </uui-icon-registry-essential>
         </umb-box-content>
       </umb-box>
       <!-- Provide Key Section -->
-      <umb-box ng-if="vm.canManuallyProvideApiKey">
+      <umb-box ng-if="vm.canManuallyProvideApiKey && vm.authenticationMethod.isApiKey">
         <umb-box-header title="Provide API key"></umb-box-header>
         <umb-box-content>
           <uui-icon-registry-essential>
@@ -81,11 +118,18 @@
                 Once you have obtained one you can copy and paste it here to authorize the service.
               </p>
               <div>
-                <uui-input id="inApiKey" type="text" name="inApiKey" style="width: 40%;font-size:14px;"></uui-input>
-                <umb-button action="vm.saveApiKey()"
-                            type="button"
-                            button-style="primary"
-                            label="Save"></umb-button>
+                <uui-form>
+                  <uui-form-layout-item class="oauth-form-item">
+                    <uui-label for="inApiKey" slot="label">Api Key</uui-label>
+                    <uui-input id="inApiKey" name="access_token" type="text" label="Api Key"></uui-input>
+                  </uui-form-layout-item>
+                  <div>
+                    <umb-button action="vm.saveApiKey()"
+                                type="button"
+                                button-style="primary"
+                                label="Save"></umb-button>
+                  </div>
+                </uui-form>
               </div>
             </uui-card-content-node>
           </uui-icon-registry-essential>

src/Umbraco.AuthorizedServices/ClientApp/src/css/style.css

@@ -32,3 +32,12 @@
   padding: 4px 8px;
 }
 
+.oauth-form-item uui-label {
+    font-size: 14px;
+}
+
+.oauth-form-item uui-input {
+    font-size: 14px;
+    width: 40%;
+}
+

src/Umbraco.AuthorizedServices/ClientApp/src/resources/authorizedservice.resource.ts

@@ -7,21 +7,26 @@ function authorizedServiceResource($q, $http) {
     getByAlias: function (alias: string) {
       return $http.get(apiRoot + "GetByAlias?alias=" + alias);
     },
-
-    sendSampleRequest: function (alias: string, path: string) {
-      return $http.get(apiRoot + "SendSampleRequest?alias=" + alias + "&path=" + path);
+    sendSampleRequest: function (alias: string) {
+      return $http.get(apiRoot + "SendSampleRequest?alias=" + alias);
     },
     revokeAccess: function (alias: string) {
       return $http.post(apiRoot + "RevokeAccess", { alias: alias });
     },
-    saveToken: function (alias: string, token: string) {
-      return $http.post(apiRoot + "SaveToken", { alias: alias, token: token });
+    saveOAuth2Token: function (alias: string, token: string) {
+      return $http.post(apiRoot + "SaveOAuth2Token", { alias: alias, token: token });
+    },
+    saveOAuth1Token: function (alias: string, token: string, tokenSecret: string) {
+      return $http.post(apiRoot + "SaveOAuth1Token", { alias: alias, token: token, tokenSecret: tokenSecret });
     },
     saveApiKey: function (alias: string, apiKey: string) {
       return $http.post(apiRoot + "SaveApiKey", { alias: alias, apiKey: apiKey });
     },
-    generateToken: function (alias: string) {
-      return $http.post(apiRoot + "GenerateToken", { alias: alias });
+    generateOAuth2ClientCredentialsToken: function (alias: string) {
+      return $http.post(apiRoot + "GenerateOAuth2ClientCredentialsToken", { alias: alias });
+    },
+    generateOAuth1RequestToken: function (alias: string) {
+      return $http.post(apiRoot + "GenerateOAuth1RequestToken", { alias: alias});
     }
   };
 }

src/Umbraco.AuthorizedServices/Configuration/AuthorizedServiceSettings.cs

@@ -163,6 +163,11 @@ public class ServiceDetail : ServiceSummary
     /// </summary>
     public bool CanManuallyProvideApiKey { get; set; }
 
+    /// <summary>
+    /// Gets or sets the path for requests for obtaining authorization for a user in OAuth1 flows.
+    /// </summary>
+    public string RequestAuthorizationPath { get; set; } = string.Empty;
+
     /// <summary>
     /// Gets or sets the path for requests for authentication with the service.
     /// </summary>
@@ -178,6 +183,11 @@ public class ServiceDetail : ServiceSummary
     /// </summary>
     public string RequestTokenPath { get; set; } = string.Empty;
 
+    /// <summary>
+    /// Gets or sets the HTTP method used to retrieve the access token.
+    /// </summary>
+    public HttpMethod RequestTokenMethod { get; set; } = HttpMethod.Post;
+
     /// <summary>
     /// Gets or sets the format to use for encoding the request for a token.
     /// </summary>