How to implement a distributed OAuth 2.0 system

Some months ago (more than a year), I was playing with the WordPress REST API. I did an analysis about how to implement a distributed OAuth 2.0 system as an attempt to collaborate with the community. I wrote it as a comment over a discussion post, but I am going to replicate that here in order to save it with my other ideas and works.

  • coolapp.com is the site of the app
  • cooldev.com is the WP site of the developer in which I defined the app as multitenant
  • cooluser.wordpress.com is the WP site of the user who wants authorize coolapp.com to interact

01- User access to coolapp.com and says “Hey, I want to use this cool app”
02- coolapp.com ask for its server and user writes cooluser.wordpress.com
03- coolapp.com ask to cooluser.wordpress.com to identify the user
04- the user writes his credentials in cooluser.wordpress.com
05- cooluser.wordpress.com redirects to coolapp.com with a code saying “Yeah, this man is my man”
06- coolapp.com then ask to cooldev.com and says “Hey, I have a user with a code that wants to acces to the resource cooluser.wordpress.com and I am the coolapp.com (this is my client_id and this my client_secret)”
07- cooldev.com generates a token
08- cooldev.com says to cooluser.wordpress.com “Hey, I just generated this token that expires in 3600 seconds”
09- cooluser.wordpress.com says “I would prefer not to work, but you know, it’s ok”
10- cooldev.com sends the response to coolapp.com with the token
11- then coolapp.com using the token, can now ask to cooluser.wordpress.com to do some stuff

If you look at this diagram

Abstract Protocol Flow
Abstract Protocol Flow

Client = coolapp.com
Resource Owner = cooluser.wordpress.com
Authorization Server = cooldev.com
Resource Server = cooluser.wordpress.com

The RFC says:

“The interaction between the authorization server and resource server
is beyond the scope of this specification. The authorization server
may be the same server as the resource server or a separate entity.
A single authorization server may issue access tokens accepted by
multiple resource servers.”

but with some conversation like the one in 8 and 9 it could be resolved.

Convertir un certificado *.pfx a Base64

Hace poco hablamos de como crear un certificado, pero a veces en lugar de como archivo lo necesitamos como una cadena de texto, que generalmente tiene que estar codificada como Base64. Vamos a ver como pasar un certificado *.pfx a Base64 y para ello vamos a usar la consola de Powershell -sí, esa ventana de comandos azul que tienes en tu Windows-.

Seguir leyendo en CantabriaTIC.

Crear un certificado de seguridad *.cer o *.pfx

Crear un certificado, es una de esas cosas tan sencillas de hacer y tan complicadas de recordar, que puede convertirse en una tortura cada vez que hay que hacerlo.

Seguir leyendo en CantabriaTIC.

Autenticación sin SubscriptionKey en el API Manager de Azure

Hoy os contaré, como realizar llamadas autenticadas en el API Manager de Azure sin necesidad de pasar el SubscriptionKey como parte del request.

Seguir leyendo en CantabriaTIC.