OAuth2 demo server and client

OAuth API protection has been a hot topic at work, and I wanted to make sure I had a firm understanding over and above Google.

I found this excellent blog, steeplesoft, and had a play with the sample code. It is based on Apache Oltu.

You can download the demo application I created based on that blog from

https://github.com/bernardjason/playing-with-oauth2.git

I’ve converted the original application to use CXF, as well as using Jetty and some more visual demos. It provides some integration tests to show a CXF client:

  • getting a code that has scope to call 2 out of the 3 APIs
  • getting an access_token with scope to call 1 API
  • getting an access_token with scope to call 2 out of the 3 APIs
  • calling the APIs with the access_token

To run the integration tests, issue the Maven command

mvn clean package jetty:run

Then visit http://127.0.0.1:8080/application

The HTML is simply something to show a possible flow with OAuth2. It isn’t secure; this is a demo.

The page “http://127.0.0.1:8080/application” (screenshot: oauth_application) is a fictitious 3rd party who wants to access some APIs you provide to customers.

  • /api/demo/1
  • /api/demo/2
  • /api/demo/3

Click on the top bar “Authorise” and it will redirect the browser to the API authentication page. Here the customer would grant the 3rd party access to some or all of the resources.

oauth_authorise

If this were a full application, the customer would have authenticated with a username/password on the API provider's website.

From the 3 check boxes select an API. I picked 2.

oauth_denied

When I tried to call API 1 it denied the request. But when I tried API 2 I was permitted to call the API.

oauth_allowed

Of course, as it’s an OAuth access_token, the token will expire. In the case of the demo it is 30 seconds.

The 3rd party has been granted long-term access by the customer (well, 60 seconds for this demo) to some of the customer's resources. The access_token is a temporary token to get access to one or more of these resources.

I see its use as

The 3rd party must be given a client_id and client_secret by the API provider or they can do nothing. If this is revoked, the 3rd party can do nothing.

The 3rd party must be granted specific access to their APIs by the customer of the API; these may provide personal data or allow an action to be performed on behalf of the customer. Something that would be done infrequently.

The 3rd party gets an access_token for day-to-day calls to the APIs.
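The three layers listed above, modelled in a few lines as an added example (this is not code from the linked repository or from Apache Oltu). Representing scopes as API paths, the client credentials and all class and method names are assumptions made for illustration; it needs Java 16 or later for records.

```java
import java.security.MessageDigest;
import java.time.Instant;
import java.util.*;

// Added illustration of client credential -> customer grant -> access_token; hypothetical names.
public class ScopeDemo {
    record Grant(String clientId, Set<String> scopes, Instant expires) {}
    record Token(Set<String> scopes, Instant expires) {}
    static final Map<String, String> CLIENTS = Map.of("thirdparty", "demo-secret"); // constructed
    static final Map<String, Grant> codes = new HashMap<>();
    static final Map<String, Token> tokens = new HashMap<>();
    // Customer ticks the check boxes: the code carries the granted scopes for 60 seconds.
    static String authorise(String clientId, Set<String> granted, Instant now) {
        String code = UUID.randomUUID().toString();
        codes.put(code, new Grant(clientId, Set.copyOf(granted), now.plusSeconds(60)));
        return code;
    }
    // Token endpoint: the client must authenticate, the code must be live and issued to
    // that client, and the requested scope may narrow the grant but never widen it.
    static Optional<String> token(String clientId, String secret, String code,
                                  Set<String> requested, Instant now) {
        Grant g = codes.get(code);
        String expected = CLIENTS.get(clientId);
        boolean clientOk = expected != null
                && MessageDigest.isEqual(secret.getBytes(), expected.getBytes()); // constant-time
        if (!clientOk || g == null || !g.clientId().equals(clientId)
                || now.isAfter(g.expires()) || !g.scopes().containsAll(requested)) {
            return Optional.empty();
        }
        String t = UUID.randomUUID().toString();
        tokens.put(t, new Token(Set.copyOf(requested), now.plusSeconds(30)));
        return Optional.of(t);
    }
    // Resource server: allow the call only for a live token whose scope covers the path.
    static boolean allowed(String accessToken, String path, Instant now) {
        Token t = tokens.get(accessToken);
        return t != null && !now.isAfter(t.expires()) && t.scopes().contains(path);
    }
    public static void main(String[] args) {
        Instant t0 = Instant.now();
        String code = authorise("thirdparty", Set.of("/api/demo/2", "/api/demo/3"), t0);
        String at = token("thirdparty", "demo-secret", code, Set.of("/api/demo/2"), t0).orElseThrow();
        System.out.println(allowed(at, "/api/demo/1", t0));                 // API outside the token's scope
        System.out.println(allowed(at, "/api/demo/2", t0));                 // API inside the token's scope
        System.out.println(allowed(at, "/api/demo/2", t0.plusSeconds(31))); // same call after the 30 s lifetime
        System.out.println(token("thirdparty", "demo-secret", code,
                Set.of("/api/demo/1"), t0).isPresent());                    // request wider than the grant
    }
}
```

Passing the clock in as a parameter lets the 30 second and 60 second lifetimes be exercised without waiting.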

 

Start using Scala

Go to the core project and the desktop project, right click and select Configure, then add the Scala nature.

You should now have in the build path

“Scala Library Container”

Screenshot-Scala - Scala IDE

You need a Scala nature on both projects, for adding Scala code to the core as well as running the program via the desktop project. That said, all logic should sit in the core project if you are to run the final app on Android and desktop.

Find the SimpleGame.java class in the core project and delete it.

Create a new SimpleGame.scala class instead in the same package, with the following code

package bernardcjason.libgdx

import com.badlogic.gdx.ApplicationAdapter
import com.badlogic.gdx.Gdx
import com.badlogic.gdx.graphics.Color
import com.badlogic.gdx.graphics.GL20
import com.badlogic.gdx.graphics.g2d.BitmapFont
import com.badlogic.gdx.graphics.g2d.SpriteBatch

class SimpleGame extends ApplicationAdapter {
    // lazy: created on first use, once libGDX has set up the GL context
    lazy val batch = new SpriteBatch()
    lazy val font = new BitmapFont()

    override def create(): Unit = {
        font.setColor(Color.BLUE)
    }

    override def render(): Unit = {
        // clear the screen to white, then draw the text from the centre of the window
        Gdx.gl.glClearColor(1, 1, 1, 1)
        Gdx.gl.glClear(GL20.GL_COLOR_BUFFER_BIT)
        batch.begin()
        font.draw(batch, "Hello world", Gdx.graphics.getWidth() / 2, Gdx.graphics.getHeight() / 2)
        batch.end()
    }
}


To enable Scala when building from the command line, add

cat core/build.gradle
apply plugin: "scala"
dependencies {
    compile "org.scala-lang:scala-library:2.11.6"
}

cat gradle.properties
org.gradle.daemon=true
# a single jvmargs entry: a repeated key would replace the earlier value
org.gradle.jvmargs=-Xms128m -Xmx512m -XX:MaxPermSize=512m
org.gradle.configureondemand=true

./gradlew clean desktop:run

./gradlew clean android:installDebug android:run

See https://github.com/libgdx/libgdx/wiki/Gradle-on-the-Commandline#running-the-desktop-project

Get going with libgdx

First get the setup application; libGDX uses Gradle rather than downloading the entire library.

https://libgdx.badlogicgames.com/download.html

java -jar ~/Downloads/gdx-setup.jar

Screenshot-LibGDX Project Generator

Decide on package and game names. Also decide if you want iOS and HTML versions. I’ve never tried anything apart from hello world with HTML and I don't have access to a Mac to have tried iOS. I always select desktop for testing my app and Android as the end goal.

You may need to update the Android build tools if the message (screenshot: Screenshot-Message) is displayed. If so, run the tool within the Android SDK directory

tools/android update sdk

If, like me, you like using an IDE, select advanced settings to generate Eclipse project files, so that you can import into Eclipse later on.

Screenshot-Advanced Settings

Once the code is generated by gdx-setup you can then go to Eclipse and import the projects. The tool has created the .project, .classpath and .settings for you.

Go to the Eclipse menu, select File, then Import.

Screenshot-Import

Make sure you import the core project and the desktop project into Eclipse.