
Info

Oregional Odoo RestAPI endpoint: /orestapi/oauth2/authorization

The resource owner (an Odoo user) authorizes a Confluence application (the client) to obtain an access token.

We use the "authorization code" grant type.


Tip

https://tools.ietf.org/html/rfc6749#section-1.3.1



RFC6749 3.1

https://tools.ietf.org/html/rfc6749#section-3.1

Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.

The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.

Since requests to the authorization endpoint result in user authentication and the transmission of clear-text credentials (in the HTTP response), the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint.

The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.




Request

4.1. Authorization Code Grant -> 4.1.1. Authorization Request

https://tools.ietf.org/html/rfc6749#section-4.1.1

The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format


Sample request (bash):

curl -v -i -k -H "Authorization: OAuth" -X GET "https://example.com/orestapi/oauth2/authorization?response_type=code&client_id=CLIENT_ID&redirect_uri=URI&scope=read&state=STATE"

The URL is quoted so the shell does not treat "&" as a background operator. Note that -k disables certificate verification: the endpoint MUST be served over TLS (RFC6749 3.1 above), so use -k only against a dev instance with a self-signed certificate, never in the real client. REDIRECT_URI must be percent-encoded inside the query string.


Item          Description                        Notes
endpoint      /orestapi/oauth2/authorization     Endpoint for the OAuth2 authorization code grant flow
http method   GET
Header        Authorization: OAuth

Parameters (https://tools.ietf.org/html/rfc6749#section-4.1.1)

response_type   REQUIRED
    Value MUST be set to "code". Always use "code"; it is a static value.

client_id       REQUIRED
    The client (Confluence instance) identifier. Created and stored during application linking.

redirect_uri    REQUIRED
    Sent percent-encoded (x-www-form-urlencoded) as a query parameter. The REDIRECT_URI must match the value configured for the application, e.g. https://confluence.hu/callback?url=
    The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.

scope           REQUIRED
    The scope of the access request (e.g. "read" in the sample request).

state           REQUIRED
    The value is included unchanged when the user-agent is redirected back to the client. The STATE is a check value that the client must validate after the redirect back, to confirm that the redirection really belongs to a request this client started (use a salted SHA256 here, with the session id as the hashed value; keep the salt server-side so that someone who only knows the session id cannot forge the value). In addition, the final Confluence target URL is stored in it: if the check code is 12345678, the final Confluence target URL is appended after it.
    Two checks on the way back: a state whose check code does not match the current session must be rejected (RFC 6749 Section 10.12, CSRF), and because the client will redirect the user to the appended target URL, that URL must be validated against the allowed Confluence hosts, otherwise the state parameter doubles as an open redirect.
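The client side of the request and the state checks described above, as an added example (not the Oregional/Odoo project's or the Confluence application's own code). It assumes the host example.com, a server-side STATE_SECRET that never reaches the browser (standing in for the page's "salted SHA256" of the session id, done as HMAC-SHA256 so the check code cannot be forged), and an allow-list of Confluence hosts for the target URL appended to state. The client_id value and redirect_uri are the ones shown on this page.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl, parse_qs

# Values from the page; the host, secret and allow-list are assumptions for this example.
AUTH_ENDPOINT = "https://example.com/orestapi/oauth2/authorization"
CLIENT_ID = "CLIENT_ID"                               # issued during application linking
REDIRECT_URI = "https://confluence.hu/callback?url="  # must equal the registered value
STATE_SECRET = b"server-side-secret-never-sent-to-the-browser"  # assumed key
ALLOWED_TARGET_HOSTS = {"confluence.hu"}              # assumed allow-list for the target URL
CHECK_LEN = hashlib.sha256().digest_size * 2          # length of the hex check code (64)


def check_code(session_id: str) -> str:
    """The page's 'salted SHA256 of the session id', done as HMAC-SHA256 keyed with
    a server-side secret so that knowing the session id alone is not enough to forge it."""
    return hmac.new(STATE_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def make_state(session_id: str, target_url: str) -> str:
    """check code followed by the final Confluence target URL, as the page describes."""
    return check_code(session_id) + target_url


def build_authorization_url(session_id: str, target_url: str, scope: str = "read") -> str:
    """RFC 6749 4.1.1: add the parameters to the endpoint's query component, keeping
    any query component the endpoint URI already has (3.1) and never adding a fragment."""
    parts = urlsplit(AUTH_ENDPOINT)
    if parts.fragment:
        raise ValueError("authorization endpoint URI MUST NOT include a fragment")
    query = parse_qsl(parts.query, keep_blank_values=True)   # retain existing params
    query += [
        ("response_type", "code"),        # static value
        ("client_id", CLIENT_ID),
        ("redirect_uri", REDIRECT_URI),   # urlencode() percent-encodes it
        ("scope", scope),
        ("state", make_state(session_id, target_url)),
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def check_callback(callback_url: str, session_id: str) -> tuple:
    """Client-side validation of the 4.1.2 redirect: the state must carry this
    session's check code (constant-time compare), and the target URL embedded after
    it must be on the allow-list, otherwise state would double as an open redirect.
    Returns (authorization_code, target_url) or raises ValueError."""
    params = parse_qs(urlsplit(callback_url).query)
    if "code" not in params or "state" not in params:
        raise ValueError("callback is missing code or state")
    state = params["state"][0]
    got, target = state[:CHECK_LEN], state[CHECK_LEN:]
    if not hmac.compare_digest(got, check_code(session_id)):
        raise ValueError("state does not belong to this session (possible CSRF)")
    t = urlsplit(target)
    if t.scheme != "https" or t.hostname not in ALLOWED_TARGET_HOSTS:
        raise ValueError("target URL carried in state is not allowed")
    return params["code"][0], target


if __name__ == "__main__":
    # Constructed session id and target page, not real data.
    url = build_authorization_url("sess-1", "https://confluence.hu/display/HOME")
    print(url)
    cb = "https://confluence.hu/callback?url=&code=fsfsdfsdsd&state=" + make_state(
        "sess-1", "https://confluence.hu/display/HOME")
    print(check_callback(cb, "sess-1"))
```

check_callback() deliberately raises on a wrong session as well as on a disallowed target: a forged state from another browser session fails the HMAC compare, and a state whose appended URL points off-site fails the allow-list, so neither can be used to bounce the user somewhere else after a successful login.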





Response

4.1. Authorization Code Grant -> 4.1.2. Authorization Response

https://tools.ietf.org/html/rfc6749#section-4.1.2

If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format


Sample response:

{
  "code": "fsfsdfsdsd",
  "state": "fesfmsdpofmd89222"
}

Per 4.1.2 (quoted above) these two values do not arrive as a JSON body: they are appended as query parameters to the registered redirect_uri, so with the redirect_uri from the request section the user-agent is sent to https://confluence.hu/callback?url=&code=fsfsdfsdsd&state=fesfmsdpofmd89222


Parent  Key     Value type  Description / Notes

-       code    string
    Generated by Odoo. Must be included later in the token request (LINK). Not reusable (can be used once).
    REQUIRED. The authorization code generated by the authorization server.
    The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.
    If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
    The authorization code is bound to the client identifier and redirection URI.

-       state   string
    REQUIRED if the "state" parameter was present in the client authorization request (it always is here, since state is REQUIRED in the request).
    The exact value received from the client in the request.
    The remote application must validate that the returned state equals the value it sent, and stop the flow if it does not.
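The server-side rules for the code column above (short lifetime, single use, binding to client_id and redirect_uri, revocation of tokens on replay), as an added example in Python; this is illustrative code, not the Oregional Odoo RestAPI implementation. The store, the 600-second lifetime constant, the use of secrets.token_urlsafe for codes and tokens, and the injectable `now` clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 600   # RFC 6749 4.1.2: a lifetime of at most 10 minutes is RECOMMENDED


@dataclass
class IssuedCode:
    client_id: str       # the code is bound to the client identifier ...
    redirect_uri: str    # ... and to the redirection URI used in the request
    user_id: str         # the Odoo user who granted access
    scope: str
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)   # access tokens minted from this code


class AuthorizationCodeStore:
    """Issue and redeem authorization codes with the 4.1.2 rules: expire quickly,
    accept each code once, check the client/redirect_uri binding, and on a replay
    deny the request and revoke what was issued from the first use."""

    def __init__(self) -> None:
        self._codes = {}
        self.revoked_tokens = set()

    def issue(self, client_id, redirect_uri, user_id, scope, now=None):
        """Called after the resource owner grants access; returns the code to redirect with."""
        code = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        issued_at = time.time() if now is None else now
        self._codes[code] = IssuedCode(client_id, redirect_uri, user_id, scope, issued_at)
        return code

    def redeem(self, code, client_id, redirect_uri, now=None):
        """Called from the token endpoint. Returns a new access token, or raises
        PermissionError carrying the OAuth error name the client should receive."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None:
            raise PermissionError("invalid_grant: unknown authorization code")
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant: code bound to another client or redirect_uri")
        if rec.used:
            # Replay: MUST deny, SHOULD revoke every token previously issued from this code.
            self.revoked_tokens.update(rec.tokens)
            raise PermissionError("invalid_grant: code already used; issued tokens revoked")
        if now - rec.issued_at > CODE_LIFETIME_SECONDS:
            del self._codes[code]
            raise PermissionError("invalid_grant: authorization code expired")
        rec.used = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)   # remembered so a later replay can revoke it
        return token

    def token_is_valid(self, token):
        """Resource-server side check; token lifetime handling is out of scope here."""
        return token not in self.revoked_tokens


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock, not real data.
    store = AuthorizationCodeStore()
    code = store.issue("CLIENT_ID", "https://confluence.hu/callback?url=", "odoo-user-1", "read", now=1000.0)
    token = store.redeem(code, "CLIENT_ID", "https://confluence.hu/callback?url=", now=1010.0)
    print("token valid:", store.token_is_valid(token))
    try:
        store.redeem(code, "CLIENT_ID", "https://confluence.hu/callback?url=", now=1020.0)
    except PermissionError as err:
        print(err, "-> token valid:", store.token_is_valid(token))
```

The used flag is kept rather than deleting the record on first redemption: a deleted code would make a replay indistinguishable from an unknown code, and the revocation rule in 4.1.2 needs the record to know which tokens to pull.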