Archived Forum Post


Question:

2-legged CkOAuth2

Sep 21 '17 at 06:21

Is a 2-legged CkOAuth2 authorization already supported? I only found 3-legged CkOAuth2 doc and samples.


Accepted Answer

2-legged OAuth2 is a name for the following general sequence of events:

  1. The app sends an HTTP request with a secret of some sort, and the server responds with an access token.
  2. The access token is used as the credential in the web API requests.

The exact specifics of these 2 steps can vary. When you want to implement 2-legged OAuth2, you don't necessarily look for a "2-legged OAuth2 implementation". You want to instead look at the specifics of the steps and then solve each of those smaller problems. In this case, it's easy.

In this case, Step 1 is this:

Authorization Request:

POST /oauth/token HTTP/1.1
Authorization: ** HTTP basic authentication with client_id and client_secret **
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: auth.weather.mg
Connection: close

grant_type=client_credentials

Authorization Response:

HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Connection: close

{
  "access_token": "JWT_ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 3600,
  "scope": "space separated list of allowed scopes",
  "domain": "meteogroup",
  "jti": "id of JWT_ACCESS_TOKEN"
}

So this is easy. It's just a matter of sending a POST with Basic Authentication with a URL encoded parameter in the body of the POST. Using Chilkat's CkHttp class, this is what you do (in pseudo-code, applicable in any supported programming language where the syntax and naming might be different).

Http http;
http.Login = "myUsername";        // the client_id
http.Password = "myPassword";     // the client_secret
http.BasicAuth = true;            // send "Authorization: Basic ..." with the POST
HttpRequest req;
req.AddParam("grant_type","client_credentials");
// The URL must be https:// so the Basic credentials travel inside TLS.
HttpResponse resp = http.PostUrlEncoded("https://auth.weather.mg/oauth/token",req);
if (resp == null) { /* request failed; see http.LastErrorText */ return; }
string jsonResponse = resp.BodyStr;   // check resp.StatusCode == 200 before parsing
Now you have the JSON response and you can parse out the access token and other fields using Chilkat's JsonObject class or any other JSON API.

Step 2 is to send the access token in an Authorization header in web API requests:

GET /observation?location=53,13 HTTP/1.1
Authorization: Bearer JWT_ACCESS_TOKEN
Host: api.weather.mg
Connection: close

If using Chilkat Http, just set the http.AuthToken property equal to the JWT_ACCESS_TOKEN. This adds the "Authorization: Bearer JWT_ACCESS_TOKEN" header field to the request header. That's all.
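The two steps of the accepted answer carried through as one runnable exchange. This is an added example, not code from the original post and not Chilkat's API: a plain-Python client builds the Step 1 token request (Basic auth from client_id and client_secret, form body grant_type=client_credentials), validates the JSON response, and produces the Step 2 Bearer header, against a constructed stand-in for the token endpoint so everything runs offline. The client credentials, the KNOWN_CLIENTS table, fake_token_endpoint and the "JWT_ACCESS_TOKEN" string are made up; the https-only check is the TLS caveat raised later in this thread. It also goes a little beyond the post by form-encoding the credentials before base64 as RFC 6749 section 2.3.1 requires, and by comparing secrets in constant time on the server side.

```python
"""Two-legged OAuth2 (client credentials grant), end to end.

Added example; not code from the original post and not Chilkat's API.  It
builds the Step 1 token request as RFC 6749 (sections 2.3.1 and 4.4) specify,
validates the JSON token response, and emits the Step 2 Bearer header.  The
token endpoint is a constructed stand-in so the whole exchange runs offline;
the client_id, client_secret and the "JWT_ACCESS_TOKEN" string are made up.
"""
import base64
import hmac
import json
import time
from urllib.parse import quote, unquote, urlencode, urlsplit

TOKEN_URL = "https://auth.weather.mg/oauth/token"  # endpoint named in the post


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 2.3.1: form-urlencode id and secret *before* base64, so a ':'
    # inside the secret cannot corrupt the "id:secret" split on the server.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def build_token_request(token_url: str, client_id: str, client_secret: str):
    """Return (path, headers, body) for the Step 1 POST."""
    parts = urlsplit(token_url)
    # Basic auth over plain http:// hands the secret to anyone on the path.
    if parts.scheme != "https":
        raise ValueError("token endpoint must be https://, got " + token_url)
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": parts.netloc,
    }
    return parts.path, headers, urlencode({"grant_type": "client_credentials"})


def parse_token_response(status: int, body: str, now: float):
    """Validate the token response; return (access_token, renew_after)."""
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}: {body}")
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type: %r" % data.get("token_type"))
    # Renew 30 s early so no API call leaves with an already-expired token.
    return data["access_token"], now + int(data["expires_in"]) - 30


def bearer_header(access_token: str) -> dict:
    """Step 2: the header added to every web API request."""
    return {"Authorization": "Bearer " + access_token}


# ---- constructed stand-in for auth.weather.mg (offline demo only) ----------
KNOWN_CLIENTS = {"my-client-id": "s3cret:with:colons"}  # made-up credentials


def fake_token_endpoint(path: str, headers: dict, body: str):
    """Minimal server side of Step 1: check Basic creds, issue a token."""
    if path != "/oauth/token":
        return 404, '{"error":"not_found"}'
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, '{"error":"invalid_client"}'
    cid, _, secret = base64.b64decode(auth[6:]).decode("ascii").partition(":")
    cid, secret = unquote(cid), unquote(secret)
    # Constant-time compare so the secret check does not leak via timing.
    if not hmac.compare_digest(KNOWN_CLIENTS.get(cid, ""), secret):
        return 401, '{"error":"invalid_client"}'
    if "grant_type=client_credentials" not in body.split("&"):
        return 400, '{"error":"unsupported_grant_type"}'
    return 200, json.dumps({"access_token": "JWT_ACCESS_TOKEN",
                            "token_type": "bearer", "expires_in": 3600,
                            "scope": "observation"})


def obtain_bearer(client_id: str, client_secret: str, now: float = None):
    """Run Step 1 against the stand-in; return (bearer_headers, renew_after)."""
    now = time.time() if now is None else now
    path, headers, body = build_token_request(TOKEN_URL, client_id, client_secret)
    status, resp_body = fake_token_endpoint(path, headers, body)
    token, renew_after = parse_token_response(status, resp_body, now)
    return bearer_header(token), renew_after


if __name__ == "__main__":
    hdrs, renew = obtain_bearer("my-client-id", "s3cret:with:colons")
    print("GET /observation?location=53,13 with", hdrs, "renew after", renew)
```

To use this against a real endpoint, replace fake_token_endpoint with an HTTPS POST of the returned path, headers and body, and cache the token until renew_after instead of requesting a new one per call; the token endpoint's Cache-Control: no-store in the response above is a reminder that the token itself must not be written anywhere it could be replayed.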


Answer

The CkAuthGoogle class (or Chilkat.AuthGoogle in C# and other languages) implements 2-legged OAuth2 for service accounts.

If you need 2-legged OAuth2 for something else, then first check and make sure you're not really needing OAuth1, which is technically "2-legged", and Chilkat provides an OAuth1 class.

If you need 2-legged OAuth2 for something else (some other web API), then let us know what it is. OAuth1 is onerous for the application developer because it requires difficult cryptographic computations and canonicalizations to be performed. OAuth2 however, does not require this sort of thing. (3-legged OAuth2 is a pain-in-the-arse for non-web apps because of the required human interaction w/ the account owner through a browser) But 2-legged OAuth2 should simply be a matter of sending the credentials in some form to the server and getting the response containing the access token. The reason for the CkAuthGoogle class is mostly to provide help in dealing with the JSON private key, or the PKCS12 (.p12 or .pfx) container holding the private key.


Answer

Thanks for your explanation. I need 2-legged OAuth2 for the Weather-API in a native C++/C# Windows application (see also https://github.com/MeteoGroup/weather-api/blob/master/authorization/Authentication.md).


Answer

I updated the above post because I forgot to add the line "http.BasicAuth = true".

Also.. ALWAYS make sure to use SSL/TLS with any HTTP request using Basic authentication. Otherwise your login/password is out in the open for anybody to see. This means the URL you pass to PostUrlEncoded must begin as "https://" and NOT "http://".


Answer

Thanks for your comments. The '2-legged' basic authentication works in a jiffy.