
diff --git a/src/applications/oauthserver/controller/base/PhabricatorOAuthServerController.php b/src/applications/oauthserver/controller/base/PhabricatorOAuthServerController.php
index 2a6843e9b3..31c7940901 100644
--- a/src/applications/oauthserver/controller/base/PhabricatorOAuthServerController.php
+++ b/src/applications/oauthserver/controller/base/PhabricatorOAuthServerController.php
@@ -1,84 +1,95 @@
<?php
/*
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
abstract class PhabricatorOAuthServerController
extends PhabricatorController {
public function buildStandardPageResponse($view, array $data) {
$user = $this->getRequest()->getUser();
$page = $this->buildStandardPageView();
$page->setApplicationName('OAuth Server');
$page->setBaseURI('/oauthserver/');
$page->setTitle(idx($data, 'title'));
$nav = new AphrontSideNavFilterView();
$nav->setBaseURI(new PhutilURI('/oauthserver/'));
$nav->addLabel('Client Authorizations');
$nav->addFilter('clientauthorization',
'My Authorizations');
$nav->addSpacer();
$nav->addLabel('Clients');
$nav->addFilter('client/create',
'Create Client');
foreach ($this->getExtraClientFilters() as $filter) {
$nav->addFilter($filter['url'],
$filter['label']);
}
$nav->addFilter('client',
'My Clients');
$nav->selectFilter($this->getFilter(),
'clientauthorization');
$nav->appendChild($view);
$page->appendChild($nav);
+ $doc_href = PhabricatorEnv::getDoclink(
+ 'article/Using_the_Phabricator_OAuth_Server.html'
+ );
+ $page->setTabs(
+ array(
+ 'help' => array(
+ 'name' => 'Help',
+ 'href' => $doc_href,
+ ),
+ ),
+ null);
$response = new AphrontWebpageResponse();
return $response->setContent($page->render());
}
protected function getFilter() {
return 'clientauthorization';
}
protected function getExtraClientFilters() {
return array();
}
protected function getHighlightPHIDs() {
$phids = array();
$request = $this->getRequest();
$edited = $request->getStr('edited');
$new = $request->getStr('new');
if ($edited) {
$phids[$edited] = $edited;
}
if ($new) {
$phids[$new] = $new;
}
return $phids;
}
protected function buildErrorView($error_message) {
$error = new AphrontErrorView();
$error->setSeverity(AphrontErrorView::SEVERITY_ERROR);
$error->setTitle($error_message);
return $error;
}
}
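Review bot: The article path `'article/Using_the_Phabricator_OAuth_Server.html'` passed to `PhabricatorEnv::getDoclink()` in the new tabs block is repeated verbatim, with a `#scopes` suffix, in PhabricatorOAuthClientAuthorizationListController in this same commit; a single class constant on this base controller, `const DOC_ARTICLE = 'article/Using_the_Phabricator_OAuth_Server.html';`, used here and as `self::DOC_ARTICLE.'#scopes'` in the list controller (assuming its base class derives from this one, as the overridden `getFilter()` suggests), would keep the two links from drifting when the article is renamed. The positional `null` passed as the second argument to `$page->setTabs()` is also unexplained; a short comment such as `// no tab selected by default` (or whatever that argument actually controls, since its signature is not visible here) would save the next reader a lookup. Minor: the help link is computed after the nav is fully built; placing it next to `$page->setTitle()` would group the page-level setup together.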
diff --git a/src/applications/oauthserver/controller/base/__init__.php b/src/applications/oauthserver/controller/base/__init__.php
index 7e68dc4780..c00487b8b9 100644
--- a/src/applications/oauthserver/controller/base/__init__.php
+++ b/src/applications/oauthserver/controller/base/__init__.php
@@ -1,18 +1,19 @@
<?php
/**
* This file is automatically generated. Lint this module to rebuild it.
* @generated
*/
phutil_require_module('phabricator', 'aphront/response/webpage');
phutil_require_module('phabricator', 'applications/base/controller/base');
+phutil_require_module('phabricator', 'infrastructure/env');
phutil_require_module('phabricator', 'view/form/error');
phutil_require_module('phabricator', 'view/layout/sidenavfilter');
phutil_require_module('phutil', 'parser/uri');
phutil_require_module('phutil', 'utils');
phutil_require_source('PhabricatorOAuthServerController.php');
diff --git a/src/applications/oauthserver/controller/clientauthorization/list/PhabricatorOAuthClientAuthorizationListController.php b/src/applications/oauthserver/controller/clientauthorization/list/PhabricatorOAuthClientAuthorizationListController.php
index 49351fca13..5cd83547e3 100644
--- a/src/applications/oauthserver/controller/clientauthorization/list/PhabricatorOAuthClientAuthorizationListController.php
+++ b/src/applications/oauthserver/controller/clientauthorization/list/PhabricatorOAuthClientAuthorizationListController.php
@@ -1,161 +1,164 @@
<?php
/*
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @group oauthserver
*/
final class PhabricatorOAuthClientAuthorizationListController
extends PhabricatorOAuthClientAuthorizationBaseController {
protected function getFilter() {
return 'clientauthorization';
}
public function processRequest() {
$title = 'OAuth Client Authorizations';
$request = $this->getRequest();
$current_user = $request->getUser();
$authorizations = id(new PhabricatorOAuthClientAuthorization())
->loadAllWhere('userPHID = %s',
$current_user->getPHID());
$client_authorizations = mpull($authorizations, null, 'getClientPHID');
$client_phids = array_keys($client_authorizations);
if ($client_phids) {
$clients = id(new PhabricatorOAuthServerClient())
->loadAllWhere('phid in (%Ls)',
$client_phids);
} else {
$clients = array();
}
$client_dict = mpull($clients, null, 'getPHID');
$rows = array();
$rowc = array();
$highlight = $this->getHighlightPHIDs();
foreach ($client_authorizations as $client_phid => $authorization) {
$client = $client_dict[$client_phid];
$created = phabricator_datetime($authorization->getDateCreated(),
$current_user);
$updated = phabricator_datetime($authorization->getDateModified(),
$current_user);
+ $scope_doc_href = PhabricatorEnv::getDoclink(
+ 'article/Using_the_Phabricator_OAuth_Server.html#scopes'
+ );
$row = array(
phutil_render_tag(
'a',
array(
'href' => $client->getViewURI(),
),
phutil_escape_html($client->getName())
),
phutil_render_tag(
'a',
array(
- 'href' => 'TODO - link to scope about',
+ 'href' => $scope_doc_href,
),
$authorization->getScopeString()
),
phabricator_datetime(
$authorization->getDateCreated(),
$current_user
),
phabricator_datetime(
$authorization->getDateModified(),
$current_user
),
phutil_render_tag(
'a',
array(
'class' => 'small button grey',
'href' => $authorization->getEditURI(),
),
'Edit'
),
);
$rows[] = $row;
if (isset($highlight[$authorization->getPHID()])) {
$rowc[] = 'highlighted';
} else {
$rowc[] = '';
}
}
$panel = $this->buildClientAuthorizationList($rows, $rowc, $title);
return $this->buildStandardPageResponse(
array($this->getNoticeView(),
$panel),
array('title' => $title)
);
}
private function buildClientAuthorizationList($rows, $rowc, $title) {
$table = new AphrontTableView($rows);
$table->setRowClasses($rowc);
$table->setHeaders(
array(
'Client',
'Scope',
'Created',
'Updated',
'',
));
$table->setColumnClasses(
array(
'wide pri',
'',
'',
'',
'action',
));
if (empty($rows)) {
$table->setNoDataString(
'You have not authorized any clients for this OAuthServer.'
);
}
$panel = new AphrontPanelView();
$panel->appendChild($table);
$panel->setHeader($title);
return $panel;
}
private function getNoticeView() {
$edited = $this->getRequest()->getStr('edited');
$deleted = $this->getRequest()->getBool('deleted');
if ($edited) {
$edited = phutil_escape_html($edited);
$title = 'Successfully edited client authorization.';
} else if ($deleted) {
$title = 'Successfully deleted client authorization.';
} else {
$title = null;
}
if ($title) {
$view = new AphrontErrorView();
$view->setTitle($title);
$view->setSeverity(AphrontErrorView::SEVERITY_NOTICE);
} else {
$view = null;
}
return $view;
}
}
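Review bot: `$scope_doc_href` is recomputed on every iteration of the `foreach` over `$client_authorizations` even though nothing in the loop body feeds into it; moving `$scope_doc_href = PhabricatorEnv::getDoclink('article/Using_the_Phabricator_OAuth_Server.html#scopes');` above the loop, next to `$highlight = $this->getHighlightPHIDs();`, keeps it to one doclink lookup per request. The `#scopes` fragment assumes the Diviner renderer derives an anchor named `scopes` from the `= Scopes =` heading in the new article; that is not visible in this diff and is worth confirming, since a wrong fragment silently lands the user at the top of the page. On the adjacent line, `$authorization->getScopeString()` is passed as the content of `phutil_render_tag()` without `phutil_escape_html()`, unlike `$client->getName()` two cells earlier; the new article lists only two fixed scope values, so this is likely harmless today, but escaping it as well would make the row construction uniformly safe if scope strings ever become freer-form.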
diff --git a/src/applications/oauthserver/controller/clientauthorization/list/__init__.php b/src/applications/oauthserver/controller/clientauthorization/list/__init__.php
index 839fc58ea8..ede9a9b918 100644
--- a/src/applications/oauthserver/controller/clientauthorization/list/__init__.php
+++ b/src/applications/oauthserver/controller/clientauthorization/list/__init__.php
@@ -1,21 +1,22 @@
<?php
/**
* This file is automatically generated. Lint this module to rebuild it.
* @generated
*/
phutil_require_module('phabricator', 'applications/oauthserver/controller/clientauthorization/base');
phutil_require_module('phabricator', 'applications/oauthserver/storage/client');
phutil_require_module('phabricator', 'applications/oauthserver/storage/clientauthorization');
+phutil_require_module('phabricator', 'infrastructure/env');
phutil_require_module('phabricator', 'view/control/table');
phutil_require_module('phabricator', 'view/form/error');
phutil_require_module('phabricator', 'view/layout/panel');
phutil_require_module('phabricator', 'view/utils');
phutil_require_module('phutil', 'markup');
phutil_require_module('phutil', 'utils');
phutil_require_source('PhabricatorOAuthClientAuthorizationListController.php');
diff --git a/src/docs/developer/using_oauthserver.diviner b/src/docs/developer/using_oauthserver.diviner
new file mode 100644
index 0000000000..9a1a989e66
--- /dev/null
+++ b/src/docs/developer/using_oauthserver.diviner
@@ -0,0 +1,120 @@
+@title Using the Phabricator OAuth Server
+@group developer
+
+How to use the Phabricator OAuth Server.
+
+= Overview =
+
+Phabricator includes an OAuth Server which supports the
+##Authorization Code Grant## flow as described in the OAuth 2.0
+specification:
+
+http://tools.ietf.org/html/draft-ietf-oauth-v2-23
+
+This functionality can allow clients to integrate with a given
+Phabricator instance in a secure way with granular data access.
+For example, Phabricator can be used as a central identity store for any
+clients that implement OAuth 2.0.
+
+= Vocabulary =
+
+- **Access token** - a token which allows a client to ask for data on
+behalf of a resource owner. A given client will only be able to access
+data included in the scope(s) the resource owner authorized that client for.
+- **Authorization code** - a short-lived code which allows an authenticated
+client to ask for an access token on behalf of some resource owner.
+- **Client** - this is the application or system asking for data from the
+OAuth Server on behalf of the resource owner.
+- **Resource owner** - this is the user the client and OAuth Server are
+concerned with on a given request.
+- **Scope** - this defines a specific piece of granular data a client can
+or can not access on behalf of a user. For example, if authorized for the
+"whoami" scope on behalf of a given resource owner, the client can get the
+results of Conduit.whoami for that resource owner when authenticated with
+a valid access token.
+
+= Setup - Creating a Client =
+
+# Visit https://phabricator.example.com/oauthserver/client/create/
+# Fill out the form
+# Profit
+
+= Obtaining an Authorization Code =
+
+POST or GET https://phabricator.example.com/oauthserver/auth/ with the
+following parameters:
+
+- Required - **client_id** - the id of the newly registered client.
+- Required - **response_type** - the desired type of authorization code
+response. Only code is supported at this time.
+- Optional - **redirect_uri** - override the redirect_uri the client
+registered. This redirect_uri must have the same fully-qualified domain
+and have at least the same query parameters as the redirect_uri the client
+registered, as well as have no fragments.
+- Optional - **scope** - specify what scope(s) the client needs access to
+in a space-delimited list.
+- Optional - **state** - an opaque value the client can send to the server
+for programmatic excellence. Some clients use this value to implement XSRF
+protection or for debugging purposes.
+
+If done correctly and the resource owner has not yet authorized the client
+for the desired scope, then the resource owner will be presented with an
+interface to authorize the client for the desired scope. The OAuth Server
+will redirect to the pertinent redirect_uri with an authorization code or
+an error indicating the resource owner did not authorize the client, depending.
+
+If done correctly and the resource owner has already authorized the client for
+the desired scope, then the OAuth Server will redirect to the pertinent
+redirect_uri with a valid authorization code.
+
+If there is an error, the OAuth Server will return a descriptive error
+message. This error will be presented to the resource owner on the
+Phabricator domain if there is reason to believe there is something fishy
+with the client. For example, if there is an issue with the redirect_uri.
+Otherwise, the OAuth Server will redirect to the pertinent redirect_uri
+and include the pertinent error information.
+
+= Obtaining an Access Token =
+
+POST or GET https://phabricator.example.com/oauthserver/token/
+with the following parameters:
+
+- Required - **client_id** - the id of the client
+- Required - **client_secret** - the secret of the client.
+This is used to authenticate the client.
+- Required - **code** - the authorization code obtained earlier.
+- Required - **grant_type** - the desired type of access grant.
+Only token is supported at this time.
+- Optional - **redirect_uri** - should be the exact same redirect_uri as
+the redirect_uri specified to obtain the authorization code. If no
+redirect_uri was specified to obtain the authorization code then this
+should not be specified.
+
+If done correctly, the OAuth Server will redirect to the pertinent
+redirect_uri with an access token.
+
+If there is an error, the OAuth Server will return a descriptive error
+message.
+
+= Using an Access Token =
+
+Simply include a query param with the key of "access_token" and the value
+as the earlier obtained access token. For example:
+
+ https://phabricator.example.com/api/user.whoami?access_token=ykc7ly7vtibj334oga4fnfbuvnwz4ocp
+
+If the token has expired or is otherwise invalid, the client will receive
+an error indicating as such. In these cases, the client should re-initiate
+the entire ##Authorization Code Grant## flow.
+
+NOTE: See "Scopes" section below for more information on what data is
+currently exposed through the OAuth Server.
+
+= Scopes =
+
+There are only two scopes supported at this time.
+
+- **offline_access** - allows an access token to work indefinitely without
+expiring.
+- **whoami** - allows the client to access the results of Conduit.whoami on
+behalf of the resource owner.
