This component provides the OAuth2 protocol implementation in Server Side Components.
The server components have a property called Authorization.OAuth.OAuth2 where you can assign an instance of TsgcHTTP_OAuth2_Server. If Authentication is enabled and the OAuth2 property is attached to an OAuth2 Server Component, WebSocket and HTTP requests require a Bearer Token to be processed; if no valid token is presented, the connection is closed automatically.
// Create the OAuth2 server component and attach it to the server's authentication settings
OAuth2 = new TsgcHTTP_OAuth2_Server();
Server.Authentication.Enabled = true;
Server.Authentication.OAuth.OAuth2 = OAuth2;
The server supports the following authorization types:
- auth2Code: used to perform authentication and authorization in most application types, including single-page applications, web applications, and natively installed applications. The flow lets apps securely acquire access_tokens that can be used to access secured resources, as well as refresh tokens to obtain additional access_tokens, and ID tokens for the signed-in user.
- auth2ClientCredentials: This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts.
- password (Resource Owner Password Credentials): Allows an application to sign in the user by directly handling their credentials. The client sends the user's username and password to the token endpoint.
- urn:ietf:params:oauth:grant-type:device_code (Device Code): Device Authorization Grant per RFC 8628. Enables input-constrained devices (smart TVs, IoT devices) to obtain user authorization by having the user authorize on a secondary device.
The authorization types can be customized when registering the App; by default, all authorization types are supported.
EndPoints
By default, the component is configured with the following endpoints to handle Authorization and Token requests:
Authorization: /sgc/oauth2/auth
Token: /sgc/oauth2/token
Revocation: /sgc/oauth2/revoke
Introspection: /sgc/oauth2/introspect
Device Authorization: /sgc/oauth2/device
Device Verification: /sgc/oauth2/device/verify
So if the server is listening on port 443 and the domain is www.esegece.com, the EndPoints will be:
Authorization: https://www.esegece.com/sgc/oauth2/auth
Token: https://www.esegece.com/sgc/oauth2/token
Revocation: https://www.esegece.com/sgc/oauth2/revoke
Introspection: https://www.esegece.com/sgc/oauth2/introspect
Device Authorization: https://www.esegece.com/sgc/oauth2/device
Device Verification: https://www.esegece.com/sgc/oauth2/device/verify
The endpoints can be configured in OAuth2Options property.
By default, PKCE (Proof Key for Code Exchange, an extension to the Authorization Code flow that prevents CSRF and authorization code injection attacks) is enabled.
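The following Python script is an added illustration of what the PKCE extension actually checks; it is not part of the sgcWebSockets component or its API. The client generates a random code_verifier, sends only its SHA-256 challenge to the authorization endpoint, and later proves possession of the verifier at the token endpoint. The class and function names (PkceAuthorizationServer, run_flow) are hypothetical; the protocol steps follow RFC 7636 with the S256 method.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy random verifier (32 bytes encode to 43 chars, within the 43..128 limit)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 method, code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PkceAuthorizationServer:
    """Toy authorization server (hypothetical) keeping only the PKCE-relevant state per code."""

    def __init__(self) -> None:
        self._codes: dict = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: binds the challenge to the code it issues."""
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: the code is single-use and only redeemable with the matching verifier."""
        entry = self._codes.pop(code, None)  # pop: a replayed or stolen code cannot be redeemed twice
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, stored_challenge = entry
        recomputed = make_code_challenge(code_verifier)
        if stored_client != client_id or not secrets.compare_digest(recomputed, stored_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: PkceAuthorizationServer, client_id: str = "MyApp") -> dict:
    """Honest client: generate verifier, send its challenge, redeem the code with the verifier."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)


if __name__ == "__main__":
    print(run_flow(PkceAuthorizationServer()))
```

Because the token endpoint recomputes the challenge from the presented verifier, an authorization code captured in transit is useless to anyone who does not also hold the verifier, which never leaves the client. Rejecting the "plain" method keeps the challenge from being reused directly as the verifier.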
Configuration
Before you can begin the OAuth2 process, you must register which Apps will be available. This is done using the Apps property of the OAuth2 server component.
Register App
Use Apps.AddApp to add a new Application to OAuth2 server, you must set the following parameters:
- App Name: is the name of the Application. Example: MyApp
- RedirectURI: is where the responses will be redirected. Example: http://127.0.0.1:8080
- ClientId: is public information and is the ID of the client.
- ClientSecret: must be kept confidential.
Optionally you can set the following parameters:
- ExpiresIn: 3600 seconds by default, so the token expires in 1 hour; set a greater value if you need.
- RefreshToken: refresh tokens are supported by default; set this parameter to false to disable them.
- AllowedGrantTypes: by default all grant types are supported (auth2Code and auth2ClientCredentials), but the server can be configured to allow only Code Authorization or only Client Credentials.
Delete App
Use Apps.RemoveApp to delete an existing App.
AddToken
If the server has been restarted while there were tokens issued, you can recover those tokens using the AddToken method, before starting the OAuth2 Server and after registering the Apps. It takes the following parameters:
- AppName: the name of the application.
- Token: access token.
- Expires: when the token expires.
- RefreshToken: refresh token.
RemoveToken
Removes an already issued Token.
OAuth2Options
The OAuth2Options property allows configuring the server endpoints and optional features.
Revocation
Token revocation per RFC 7009. When enabled, clients can revoke previously issued access or refresh tokens.
- OAuth2Options.Revocation.Enabled: set to True to enable the revocation endpoint.
- OAuth2Options.Revocation.URL: the endpoint URL path. Default: /sgc/oauth2/revoke
Introspection
Token introspection per RFC 7662. When enabled, resource servers can query the authorization server to determine the active state and metadata of a token.
- OAuth2Options.Introspection.Enabled: set to True to enable the introspection endpoint.
- OAuth2Options.Introspection.URL: the endpoint URL path. Default: /sgc/oauth2/introspect
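The following Python class is an added example (not the component's own code) of the token life cycle the sections above describe: the Bearer check that gates HTTP and WebSocket requests, re-registering surviving tokens after a restart (the page's AddToken), revocation per RFC 7009 and introspection per RFC 7662. TokenStore and its method names are hypothetical; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time


class TokenStore:
    """In-memory registry of issued tokens (hypothetical; the component keeps its own state)."""

    def __init__(self, now=time.time) -> None:
        self._now = now
        self._tokens: dict = {}   # access_token -> {"app", "scope", "exp", "refresh_token"}
        self._refresh: dict = {}  # refresh_token -> access_token

    def issue(self, app: str, scope: str = "", expires_in: int = 3600) -> dict:
        """Token endpoint result: a Bearer access token plus its refresh token."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._tokens[access] = {"app": app, "scope": scope,
                                "exp": int(self._now()) + expires_in, "refresh_token": refresh}
        self._refresh[refresh] = access
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": expires_in}

    def restore(self, app: str, token: str, expires: int, refresh_token: str) -> None:
        """Equivalent of the page's AddToken: re-register a token issued before a restart."""
        self._tokens[token] = {"app": app, "scope": "", "exp": expires, "refresh_token": refresh_token}
        self._refresh[refresh_token] = token

    def revoke(self, token: str) -> dict:
        """RFC 7009: revoking either half invalidates the pair; unknown tokens still get 200."""
        access = self._refresh.get(token, token)
        entry = self._tokens.pop(access, None)
        if entry is not None:
            self._refresh.pop(entry["refresh_token"], None)
        return {"status": 200}

    def introspect(self, token: str) -> dict:
        """RFC 7662: unknown, revoked and expired tokens all answer {"active": false}."""
        entry = self._tokens.get(token)
        if entry is None or entry["exp"] <= self._now():
            return {"active": False}
        return {"active": True, "client_id": entry["app"], "scope": entry["scope"],
                "exp": entry["exp"], "token_type": "Bearer"}

    def authorize_request(self, headers: dict) -> tuple:
        """Gate for incoming HTTP/WebSocket requests: a valid Bearer token or the connection is refused."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return False, "missing_bearer"
        if not self.introspect(token.strip())["active"]:
            return False, "invalid_token"
        return True, "ok"


if __name__ == "__main__":
    store = TokenStore()
    issued = store.issue("MyApp", scope="read")
    print(store.authorize_request({"Authorization": "Bearer " + issued["access_token"]}))
    store.revoke(issued["refresh_token"])
    print(store.introspect(issued["access_token"]))
```

Two details are worth keeping when wiring a real resource server to the introspection endpoint: the endpoint answers inactive rather than erroring for tokens it does not know, so callers cannot probe which tokens exist, and revoking a refresh token also kills the access token derived from it, so a leaked pair cannot be kept alive by one half.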
DeviceAuthorization
Device Authorization Grant per RFC 8628. When enabled, input-constrained devices can request authorization by having the user authorize on a secondary device.
- OAuth2Options.DeviceAuthorization.Enabled: set to True to enable the device authorization endpoint.
- OAuth2Options.DeviceAuthorization.URL: the endpoint URL path for device code requests. Default: /sgc/oauth2/device
- OAuth2Options.DeviceAuthorization.VerificationURL: the endpoint URL path for the user verification page. Default: /sgc/oauth2/device/verify
- OAuth2Options.DeviceAuthorization.ExpiresIn: the lifetime in seconds of the device code. Default: 600 (10 minutes).
- OAuth2Options.DeviceAuthorization.Interval: the minimum polling interval in seconds that the client should use when polling the token endpoint. Default: 5.
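The following Python script is an added example, not the component's implementation, of the Device Authorization Grant described above and in the grant-type list, showing how the two options ExpiresIn and Interval drive the server's answers while a device polls the token endpoint. DeviceAuthorizationServer and its methods are hypothetical; the error codes (authorization_pending, slow_down, expired_token) and the grant_type URN are those of RFC 8628. The verification URL defaults to the example endpoint from the EndPoints section.

```python
import secrets
import time


class DeviceAuthorizationServer:
    """Server side of RFC 8628 (hypothetical toy) with the page's two knobs: ExpiresIn and Interval."""

    GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

    def __init__(self, expires_in: int = 600, interval: int = 5,
                 verification_uri: str = "https://www.esegece.com/sgc/oauth2/device/verify",
                 now=time.time) -> None:
        self.expires_in = expires_in          # lifetime of the device_code in seconds
        self.interval = interval              # minimum seconds between token-endpoint polls
        self.verification_uri = verification_uri
        self._now = now
        self._pending: dict = {}              # device_code -> state

    def device_authorization(self, client_id: str, scope: str = "") -> dict:
        """POST /sgc/oauth2/device: a device_code for the device and a user_code for the human."""
        device_code = secrets.token_urlsafe(32)
        alphabet = "BCDFGHJKLMNPQRSTVWXZ"     # consonant-only alphabet, easy to read off a TV screen
        raw = "".join(secrets.choice(alphabet) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]
        self._pending[device_code] = {"client_id": client_id, "user_code": user_code, "scope": scope,
                                      "exp": self._now() + self.expires_in,
                                      "approved": False, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.expires_in, "interval": self.interval}

    def verify(self, user_code: str) -> bool:
        """/sgc/oauth2/device/verify: the signed-in user types the user_code on a phone or PC."""
        for state in self._pending.values():
            if state["user_code"] == user_code and state["exp"] > self._now():
                state["approved"] = True
                return True
        return False

    def token(self, client_id: str, device_code: str, grant_type: str = GRANT_TYPE) -> dict:
        """POST /sgc/oauth2/token: polled by the device until the user approves or the code expires."""
        if grant_type != self.GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        state = self._pending.get(device_code)
        now = self._now()
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if state["exp"] <= now:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < self.interval:
            state["last_poll"] = now
            return {"error": "slow_down"}      # client must add 5 s to its polling interval
        state["last_poll"] = now
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]          # one token per device_code
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    srv = DeviceAuthorizationServer()
    resp = srv.device_authorization("tv-client")
    print("show user:", resp["user_code"], "at", resp["verification_uri"])
    print(srv.token("tv-client", resp["device_code"]))   # authorization_pending until verify() is called
```

The polling guard is the part to get right in production: without it a device that ignores the advertised interval turns the token endpoint into a hot loop, and without the expiry a user_code shown on a screen stays redeemable indefinitely.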