Questions about plans for OAuth 2 support in RESTWS

Hi @burke and @harsha89

I am sorry I couldn’t reply sooner as I am in the middle of my final exams. Thanks Harsha for the answers :slight_smile: I would like to add my thoughts to @harsha89’s points :slight_smile:

Yes, the module will provide a granting page for the Authorization Grant Type and Implicit Grant Type. The grant page will look like:

Step 1 - user authentication:

Step 2 - user granting authorization to third party application:

Yes, a new table will be created in the database using user_id as a foreign key. It will maintain a list of authorized apps for every user (a many-to-many relationship: a user can have many authorized apps, and an app can be used by many users). It will be possible for users to revoke authorization at any time.

Step 1:

Step 2:

Thanks for bringing this up. I agree with what @harsha89 said; I will try to fix these. An alternate approach would be to provide a separate login.jsp (for logging in the user) and authorize.jsp (for granting access) in the OAuth module’s OMOD layer. So, the OAuth module will be controlling the login flow for incoming REST calls. I will comment more on it once I prototype this part of the project :slight_smile:

OAuth could be implemented as an alternate authentication scheme. But I really feel that it is not required, as OAuth is not a new authentication scheme. Rather, it is a third-party application authorization framework that will be utilizing the existing Basic Authentication to authenticate the user. @harsha89 what do you think?

OAuth 2 will be a new module. Its main responsibility will be issuing and validating tokens for third-party apps making REST calls to our servers and managing the activities of these apps. As @harsha89 said and I mentioned in the presentation, the RESTWS module will have to add a filter to redirect incoming calls to the OAuth 2 module for validating the tokens. (This way users can invoke services through an access token without exposing their credentials; we can also identify the client that is making the REST call, and we have the control to allow or deny the service and track its activity/stats.)

The minimum functionality includes Client (i.e. third-party application) Registration, Client management (issue client secret / remove client / revoke authentication by users) and any one of the four available Grant Types. I am almost done with the Client registration and management part for the prototype. I will be implementing the Authorization Code Grant Type first.

I think I need 2 more days in a “hackathon mode” to complete the prototype. I will resume the work on 30 May, after my exams end :slight_smile:

To get the wider picture of what the OAuth module would do and how it fits in, I prepared a Prezi last month. It should take about 5 minutes to go through. Here is the link:

Also, I am facing some problems getting Hibernate to identify the annotated classes as entities (MappingException) while running tests for the prototype :frowning: Here are the details of the issue: https://wiki.openmrs.org/questions/83854163/hibernate-annotations-and-tests-in-module When you guys are free, could you take a look and point me in the right direction? :slight_smile:

/cc @darius @surangak @wyclif
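The flow sketched in the post above (client registration, a per-user list of authorized apps, the Authorization Code grant, token validation on behalf of a REST filter, and user revocation), as an added worked example that is not part of the original post and is not the OpenMRS OAuth module's or RESTWS module's code. It is written in Python rather than the module's Java so the exchange can be run stand-alone; in-memory dicts and a set of (user_id, client_id) pairs stand in for the database tables the post describes, and every function name (register_client, authorize, exchange_code, validate_bearer, revoke_app) is an assumption made for this illustration.

```python
"""In-memory model of the Authorization Code grant as described in the post.

Added illustration, not the OAuth module's code. Names and storage layout
are assumptions; real deployments persist clients, codes and tokens in a DB.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL = 60      # authorization codes: single-use, short-lived
TOKEN_TTL = 3600   # access tokens: bounded lifetime


@dataclass
class Client:
    client_id: str
    secret_hash: bytes      # only a hash of the client secret is stored
    redirect_uri: str


@dataclass
class Store:
    clients: dict = field(default_factory=dict)
    # the many-to-many "authorized apps" table: (user_id, client_id) pairs
    authorized_apps: set = field(default_factory=set)
    codes: dict = field(default_factory=dict)    # code -> (user, client, redirect, expiry)
    tokens: dict = field(default_factory=dict)   # token -> (user, client, expiry)


def _hash(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def register_client(store, redirect_uri):
    """Client registration: returns the id and the secret (shown once)."""
    client_id = secrets.token_urlsafe(12)
    secret = secrets.token_urlsafe(32)
    store.clients[client_id] = Client(client_id, _hash(secret), redirect_uri)
    return client_id, secret


def authorize(store, user_id, client_id, redirect_uri, now=None):
    """Grant page step 2: the already-authenticated user approves the app.
    Records the (user, app) pair and issues a short-lived authorization code."""
    now = now or time.time()
    client = store.clients.get(client_id)
    if client is None or client.redirect_uri != redirect_uri:
        raise PermissionError("unknown client or redirect_uri mismatch")
    store.authorized_apps.add((user_id, client_id))
    code = secrets.token_urlsafe(24)
    store.codes[code] = (user_id, client_id, redirect_uri, now + CODE_TTL)
    return code


def exchange_code(store, client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint: the client proves its secret and trades the code for
    an access token. The code is consumed on the first attempt, even a failed one."""
    now = now or time.time()
    entry = store.codes.pop(code, None)
    client = store.clients.get(client_id)
    if client is None or not hmac.compare_digest(client.secret_hash, _hash(client_secret)):
        return None
    if entry is None:
        return None
    user_id, code_client, code_redirect, expiry = entry
    if code_client != client_id or code_redirect != redirect_uri or now > expiry:
        return None
    token = secrets.token_urlsafe(32)
    store.tokens[token] = (user_id, client_id, now + TOKEN_TTL)
    return token


def validate_bearer(store, authorization_header, now=None):
    """What the RESTWS filter would delegate to the OAuth module: returns
    (user_id, client_id) for a live token, else None. A token is only honoured
    while the user still lists the app as authorized."""
    now = now or time.time()
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    entry = store.tokens.get(authorization_header[len("Bearer "):])
    if entry is None:
        return None
    user_id, client_id, expiry = entry
    if now > expiry or (user_id, client_id) not in store.authorized_apps:
        return None
    return user_id, client_id


def revoke_app(store, user_id, client_id):
    """User revokes an app: remove the pair; its tokens stop validating."""
    store.authorized_apps.discard((user_id, client_id))
```

The validation step checks the authorized-apps table on every call rather than trusting the token alone, which is what makes the user-side revocation the post describes take effect immediately without having to hunt down and delete every outstanding token.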