OAuth2 | TsgcHTTP_OAuth2_Server

This component provides the OAuth2 protocol implementation in Server Side Components.

The server components have a property called Authorization.OAuth.OAuth2 where you can assign an instance of TsgcHTTP_OAuth2_Server, so if Authentication is enabled and OAuh2 property is attached to OAuth2 Server Component, the WebSocket and HTTP Requests require a Bearer Token to be processed, if not the connection will be closed automatically.

OAuth2 = new TsgcHTTP_OAuth2_Server();
Server.Authentication.Enabled = true;
Server.Authentication.OAuth.OAuth2 = OAuth2;

The server supports the following authorization types:

• auth2Code: It's used to perform authentication and authorization in the majority of application types, including single page applications, web applications, and natively installed applications. The flow enables apps to securely acquire access_tokens that can be used to access resources secured, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user.

• auth2ClientCredentials: This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts.

• password (Resource Owner Password Credentials): Allows an application to sign in the user by directly handling their credentials. The client sends the user's username and password to the token endpoint.

• urn:ietf:params:oauth:grant-type:device_code (Device Code): Device Authorization Grant per RFC 8628. Enables input-constrained devices (smart TVs, IoT devices) to obtain user authorization by having the user authorize on a secondary device.

The Authorization type can be customized when registering the App, by default, all authorization types are supported.

EndPoints

By default, the component is configured with the following endpoints to handle Authorization and Token request

Authorization: /sgc/oauth2/auth

Token: /sgc/oauth2/token

Revocation: /sgc/oauth2/revoke

Introspection: /sgc/oauth2/introspect

Device Authorization: /sgc/oauth2/device

Device Verification: /sgc/oauth2/device/verify

So if server is listening on port 443 and domain is www.esegece.com, the EndPoints will be:

Authorization: https://www.esegece.com/sgc/oauth2/auth

Token: https://www.esegece.com/sgc/oauth2/token

Revocation: https://www.esegece.com/sgc/oauth2/revoke

Introspection: https://www.esegece.com/sgc/oauth2/introspect

Device Authorization: https://www.esegece.com/sgc/oauth2/device

Device Verification: https://www.esegece.com/sgc/oauth2/device/verify

The endpoints can be configured in OAuth2Options property.

By default, PKCE (is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks) is enabled.

Configuration

Before you can begin the OAuth2 process, you must register which Apps will be available, this is done using Apps property of OAuth2 server component.

Register App

Use Apps.AddApp to add a new Application to OAuth2 server, you must set the following parameters:

• App Name: is the name of the Application. Example: MyApp
• RedirectURI: is where the responses will be redirected. Example: http://127.0.0.1:8080
• ClientId: is public information and is the ID of the client.
• ClientSecret: must be kept confidential.

Optionally you can set the following parameters:

• ExpiresIn: by default is 3600 seconds, so the token will expire in 1 hour, you can set a greater value if you need.
• RefreshToken: by default refresh tokens are supported, if not, set this parameter to false.
• AllowedGrantTypes: by default all grant types are supported (auth2Code and auth2ClientCredentials), but the server can be configured to only allow Code Authorization or only Client Credentials.

Delete App

Use Apps.RemoveApp to delete an existing App.

AddToken

If the server has been restarted while there were some token issued, you can recover these tokens using the method AddToken before starting the OAuth2 Server and after registering the Apps

• AppName: the name of the application.
• Token: access token.
• Expires: when the token expires.
• RefreshToken: refresh token.

RemoveToken

Removes an already issued Token.

OAuth2Options

The OAuth2Options property allows configuring the server endpoints and optional features.

Revocation

Token revocation per RFC 7009. When enabled, clients can revoke previously issued access or refresh tokens.

• OAuth2Options.Revocation.Enabled: set to True to enable the revocation endpoint.
• OAuth2Options.Revocation.URL: the endpoint URL path. Default: /sgc/oauth2/revoke

Introspection

Token introspection per RFC 7662. When enabled, resource servers can query the authorization server to determine the active state and metadata of a token.

• OAuth2Options.Introspection.Enabled: set to True to enable the introspection endpoint.
• OAuth2Options.Introspection.URL: the endpoint URL path. Default: /sgc/oauth2/introspect

DeviceAuthorization

Device Authorization Grant per RFC 8628. When enabled, input-constrained devices can request authorization by having the user authorize on a secondary device.

• OAuth2Options.DeviceAuthorization.Enabled: set to True to enable the device authorization endpoint.
• OAuth2Options.DeviceAuthorization.URL: the endpoint URL path for device code requests. Default: /sgc/oauth2/device
• OAuth2Options.DeviceAuthorization.VerificationURL: the endpoint URL path for the user verification page. Default: /sgc/oauth2/device/verify
• OAuth2Options.DeviceAuthorization.ExpiresIn: the lifetime in seconds of the device code. Default: 600 (10 minutes).
• OAuth2Options.DeviceAuthorization.Interval: the minimum polling interval in seconds that the client should use when polling the token endpoint. Default: 5.

Most common uses

• QuickStart
  • OAuth2 Server Example
  • OAuth2 Customize Sign-in HTML
  • OAuth2 Server Endpoints
  • OAuth2 Register Apps
  • OAuth2 Recover Access Tokens

• Authenticate
  • OAuth2 Server Autentication
  • OAuth2 None Authenticate some URLs

Connections

While OAuth2 is enabled on Server-side, if a websocket client tries to connect without providing a valid Token, the connection will be closed automatically. The same applies to HTTP requests.

TsgcWebSocketClient can be configured to request a OAuth2 token and sent when connects to server. You have 2 options in order to send a Bearer Token:

1. Use Authentication.Token property, this is usefull when you have a valid token obtained from an external third-party and you only want to pass as a connection header to get Access to server.

Authorization.Enabled = true;
Authorization.Token.Enabled = true;
Authorization.Token.AuthName = "Bearer";
Authorization.Token.AuthToken = "your token here";		

2. Attach a TsgcHTTP_OAuth2_Client and let the client request an Access Token and send it automatically when websocket client connects to server.

Events

Some events are provided to handle the OAuth2 Flow Control.

OnOAuth2BeforeRequest

This event is called when a new HTTP connection is established with server and before checks if the connection request is trying to do an Authorization or request a new token. If you don't need that this request is processed by OAuth2 server, set Cancel parameter to true.

The event is called too when checks if the Token is valid.

OnOAuth2BeforeDispatchPage

The event is called before the Authorization web-page is showed to user, allows customizing the HTML code shown to user.

OnOAuth2Authentication

When a client request Authorization, server shows a page were user can allow connection and requires to login to server. This is the event where you can read the User/Password set by user and accept or not the connection.

OnOAuth2AfterAccessToken

After the server process successfully the Access Token, this event is called. Useful for log purposes.

OnOAuth2AfterRefreshToken

After the server process successfully the Refresh Token, this event is called. Useful for log purposes.

OnOAuth2AfterValidateAccessToken

When a client do a request with a Token, this token is processed by server to check if it's valid or not, if the token is valid and not expired, this event is called. Useful for log purposes.

OnOAuth2Unauthorized

This event is called before the connection is closed because there is no authorization token or is invalid, by default, the Disconnect parameter is true, you can set to false if you still want to accept the connection. This event can configure which endpoints must implement OAuth2 Authorization or not.

OnOAuth2AfterRevokeToken

Called after a token revocation attempt. This event is fired when a client sends a request to the revocation endpoint to invalidate a previously issued token. Useful for logging revocation activity.

OnOAuth2AfterIntrospectToken

Called after a token introspection request. This event is fired when a resource server queries the introspection endpoint to check the active state and metadata of a token. Useful for logging and auditing token validation.

OnOAuth2DeviceAuthorization

Called when a device authorization request is received at the device authorization endpoint. The device is requesting a device code and user code pair. This event allows customizing the response or logging the request.

OnOAuth2DeviceCodeVerification

Called when a user submits a verification code on the device verification page. This event allows the server to validate the user code entered by the user and authorize or deny the device.

DPoP (RFC 9449) - Server-Side Support

DPoP (Demonstrating Proof-of-Possession) per RFC 9449 enables the server to require sender-constrained tokens, ensuring that access tokens can only be used by the client that originally obtained them.

OAuth2Options.DPoP

• OAuth2Options.DPoP: Boolean. When set to True, enables DPoP-bound token validation. The server will require a valid DPoP proof header on resource requests that use DPoP-bound tokens.

OnOAuth2ValidateDPoP

This event is fired when a resource request includes a DPoP proof header and the server needs to validate it. Use this event to implement custom DPoP proof validation logic, such as verifying the proof signature, checking the token binding (jkt claim), and validating the proof claims (htm, htu, iat, ath).

void OnOAuth2ValidateDPoP(TObject Sender, const string DPoPProof, const string AccessToken,
  const string Method, const string URL, ref bool Valid)
{
  // Custom DPoP proof validation
  Valid = true; // Set to false to reject the request
}

Bug Fixes

• Fixed SetOAuth2Options memory leak that could occur when reassigning OAuth2 options.