OAuth2 setup handler for Domoticz (Request for enhancement)



OAuth2 setup handler for Domoticz (Request for enhancement)

Post by BakSeeDaa »

It's been discussed before, but IMHO it's getting more and more necessary to have Domoticz provide an OAuth2 setup handler.

Having that would facilitate integrating various Domoticz scripts and plugins to exchange data with various external sources and cloud services like Google, Yahoo, Twitter, Github, Microsoft, Facebook, Amazon, Uber, Spotify... well, the list can be made very long. Without a built-in Domoticz OAuth2 setup handler, developers must rely on making their own solutions for establishing the credentials; it will look different for every implementation and it won't help the end user, as things tend to get quite complicated.
Google Identity Platform wrote: The list below quickly summarizes these steps:
  • Your application identifies the permissions it needs.
  • Your application redirects the user to Google along with the list of requested permissions.
  • The user decides whether to grant the permissions to your application.
  • Your application finds out what the user decided.
  • If the user granted the requested permissions, your application retrieves tokens needed to make API requests on the user's behalf.
It would open up many doors for Domoticz to integrate with the outside world ...

Authorization Code Grant

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
Note: The lines illustrating steps (A), (B), and (C) are broken into two parts as they pass through the user-agent.
Last edited by BakSeeDaa on Tuesday 28 November 2017 11:24, edited 9 times in total.

Re: OAuth2 setup handler for Domoticz (Request for enhancement)

Post by EddyG »

+1

Re: OAuth2 setup handler for Domoticz (Request for enhancement)

Post by dwmw2 »

https://en.wikipedia.org/wiki/OAuth#Ope ... sing_OAuth makes interesting reading.

So, looking at the ASCII art diagram above... a client comes in, we redirect it to the OAuth2 server. It comes back again with an access token.

We need to perform *some* dummy request to the actual OAuth2 provider at that point, to ensure that the client didn't just make up some random token and hand it to us.

I don't know that we need to find a C++ library that does this stuff for us; we have fairly much all of what we need. Here's how I'd go about it, in order. First, choose a single Oauth2 provider and with hard-coded URLs, do the following:
  • Make a "landing page" which receives the Access Token after the client has authenticated, and hands out a corresponding Domoticz session cookie
  • Make an initial redirect page, which redirects to the OAuth2 server for the client to obtain that Access Token.
At this point you can do some basic testing. It's not very secure, but it should work. Next, we need to do the rest of these tasks, fairly much in any order...
  • Add database support for configuring the Oauth2 provider(s) instead of the hard-coded one you chose.
  • Add actual *checking* of the Access Token, which was the first thing I mentioned.
  • Add database support for mapping OAuth2 identities to local Domoticz accounts.
  • Add links to the main login page, to allow logging in with OAuth2 (via the redirect page(s) you added before).
https://www.digitalocean.com/community/ ... to-oauth-2 seems to have a reasonable description of how this works on the wire.

Re: OAuth2 setup handler for Domoticz (Request for enhancement)

Post by BakSeeDaa »

dwmw2 wrote: Wednesday 29 November 2017 11:34 https://en.wikipedia.org/wiki/OAuth#Ope ... sing_OAuth makes interesting reading.
As I see it, these are the necessary steps for an Authorization Code Grant made from Domoticz:
  1. Using the browser of your choice, register an application at a provider: Google, Facebook, Dropbox or wherever ... The result of this step is that you get a client id and a client secret.
  2. In the Domoticz GUI, create a new "OAuth2 Authorization" entry. (Maybe letting the user select a service provider from a drop-down box.) The user needs to give it a unique name and enter the authentication server URL, the client id, the client secret and a scope. Scope can be a string like READSYSTEM or WRITESYSTEM or whatever the provider requires. Save the entry.
  3. The user now clicks the "Authorize" button in the Domoticz GUI. It will redirect to the service provider's server using the URL entered in the step above. (A redirect URL is also sent in the request.) The user will now be prompted with a login form and the question whether they would like to give your application access to their data.
  4. When the user has authorized Domoticz, he will be redirected back to the Domoticz redirect_uri that we have specified earlier. Here is a potential problem. If Domoticz were accessible from the Internet, we could just let Domoticz save this data, which is in the URL and consists of an Access Token (a bunch of mixed characters). So to make this work we need to redirect to a public web server that simply displays this code for the user and instructs him/her to copy it and save the Access Token in the newly created "OAuth2 Authorization" entry using the Domoticz GUI. EDIT: We can use the loopback interface to receive the OAuth redirect and save the Access Token for us.
  5. Now, when the user has entered the Access Token and clicks the save button, Domoticz will call the token endpoint and get another access token and a refresh token that can be used in the following communication. The access token may expire quite quickly, but the refresh token won't. Domoticz saves the tokens in a safe place on the disk.
Now that we have a complete "OAuth2 Authorization" entry in Domoticz, Domoticz should expose it to Lua and to different plugins so that they can make calls to the service provider using URLs. Domoticz takes care of validating the tokens and refreshing them whenever needed. All that must be done "under the hood" and without bothering the user more than scripting something similar to

commandArray['oAuth']={provider = "some provider", url = "https://api.someprovider/serviceinfo/categories?parameters=true"}
So the first question would be: why should we integrate the OAuth2 setup handler in Domoticz? I believe there are many advantages to doing that instead of building it "around" Domoticz using a script environment etc.
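The authorization code flow that both dwmw2's login sketch and the five steps above describe has the same client-side mechanics: build the redirect to the provider, receive the callback on the loopback interface, exchange the one-time code at the token endpoint over the back channel, and refresh the access token when it expires so that a script call never has to care. The following is an added example in Python, not Domoticz code or anything from the thread; the provider endpoints, the loopback redirect URI, the client id/secret, and the fake token endpoint are all constructed placeholders so the flow can be exercised offline. The `state` parameter ties the callback to the request that Domoticz actually issued, which is the check that stops a forged or replayed callback from being accepted.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoints and loopback redirect (placeholders, not a real provider's values).
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
TOKEN_URL = "https://provider.example/oauth2/token"
REDIRECT_URI = "http://127.0.0.1:8181/oauth2/callback"   # step 4, the loopback variant


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float                     # epoch seconds; refresh before this


@dataclass
class OAuth2Entry:
    """The 'OAuth2 Authorization' entry from step 2; state and tokens are filled in later."""
    name: str
    client_id: str
    client_secret: str
    scope: str
    state: Optional[str] = None
    tokens: Optional[TokenSet] = None


# The token endpoint is reached through an injected POST function so this runs offline; a real
# deployment passes an HTTPS client with certificate verification on (the secret travels here).
HttpPost = Callable[[str, Dict[str, str]], Dict[str, str]]


def build_authorize_url(entry: OAuth2Entry) -> str:
    """Step 3: where the browser is sent. 'state' is a fresh nonce kept on the entry so the
    callback can be tied to this exact request (RFC 6749 section 10.12)."""
    entry.state = secrets.token_urlsafe(32)
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": entry.client_id, "redirect_uri": REDIRECT_URI,
        "scope": entry.scope, "state": entry.state})


def parse_callback(entry: OAuth2Entry, callback_url: str) -> str:
    """Step 4: the loopback listener received the provider's redirect. Returns the one-time
    authorization code, or raises if the provider reported an error or the state is wrong."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError("provider denied the request: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not entry.state or not secrets.compare_digest(state, entry.state):
        raise PermissionError("state mismatch: callback does not belong to our request")
    entry.state = None                    # single use
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def _store(entry: OAuth2Entry, resp: Dict[str, str], now) -> TokenSet:
    # A refresh response may omit refresh_token; keep the one we already hold in that case.
    previous = entry.tokens.refresh_token if entry.tokens else None
    entry.tokens = TokenSet(resp["access_token"], resp.get("refresh_token", previous),
                            now() + float(resp.get("expires_in", 3600)))
    return entry.tokens


def exchange_code(entry: OAuth2Entry, code: str, post: HttpPost, now=time.time) -> TokenSet:
    """Step 5: back-channel exchange of the code for access + refresh tokens."""
    return _store(entry, post(TOKEN_URL, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
        "client_id": entry.client_id, "client_secret": entry.client_secret}), now)


def access_token_for(entry: OAuth2Entry, post: HttpPost, now=time.time, skew=60) -> str:
    """What a commandArray['oAuth'] call would use under the hood: refresh if nearly expired."""
    if entry.tokens is None:
        raise RuntimeError("entry '%s' has not been authorized yet" % entry.name)
    if entry.tokens.expires_at - skew <= now():
        if not entry.tokens.refresh_token:
            raise RuntimeError("access token expired and no refresh token: re-authorize")
        _store(entry, post(TOKEN_URL, {
            "grant_type": "refresh_token", "refresh_token": entry.tokens.refresh_token,
            "client_id": entry.client_id, "client_secret": entry.client_secret}), now)
    return entry.tokens.access_token


def fake_provider() -> HttpPost:
    """Constructed stand-in for a provider's token endpoint, for offline use only."""
    issued = {"n": 1}

    def post(url, form):
        assert url == TOKEN_URL and form["client_secret"] == "s3cret"
        if form["grant_type"] == "authorization_code" and form["code"] == "good-code":
            return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": "3600"}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-1":
            issued["n"] += 1
            return {"access_token": "at-%d" % issued["n"], "expires_in": "3600"}
        raise PermissionError("invalid_grant")
    return post


def demo():
    """Runs the whole flow against the fake provider; returns what a test can check."""
    entry = OAuth2Entry("weather", "client-id", "s3cret", "READSYSTEM")
    url = build_authorize_url(entry)
    try:                                  # a callback with a forged state must be rejected
        parse_callback(entry, REDIRECT_URI + "?code=x&state=forged")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    code = parse_callback(entry, REDIRECT_URI + "?code=good-code&state=" + entry.state)
    clock = {"t": 1_000_000.0}            # controllable clock instead of time.time
    post = fake_provider()
    first = exchange_code(entry, code, post, lambda: clock["t"]).access_token
    clock["t"] += 4000                    # past expires_in, so the next call must refresh
    second = access_token_for(entry, post, lambda: clock["t"])
    return url, first, second, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Note that the code exchange itself answers dwmw2's worry about a browser handing over a made-up token: the browser only ever carries the short-lived authorization code, and the access token is obtained directly from the provider's token endpoint with the client secret, so nothing the user-agent supplies is trusted as a credential on its own.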

Re: OAuth2 setup handler for Domoticz (Request for enhancement)

Post by BakSeeDaa »

The more I read about this, the more I realize that we shouldn't try to build our own generic OAuth 2.0 client. It would be impossible to maintain good support for every OAuth 2 provider. There are just too many of them and they do differ.

The good news is that I found this: League/oauth2-client
The league/oauth2-client package provides an easy base for integration with various OAuth 2.0 Providers around the web, without overburdening your application with the concerns of RFC 6749.
Sounds good! Let's keep Domoticz lightweight.

The league/oauth2-client package provides built-in support for
  • Facebook
  • Github
  • Google
  • Instagram
  • LinkedIn
Furthermore, it can be extended by 3rd party providers to make the OAuth2 client deal with the following providers
  • Amazon
  • Auth0
  • Azure Active Directory
  • BASE
  • Battle.net
  • Bitbucket
  • BookingSync
  • Box
  • Buffer
  • Canvas
  • Clever
  • Clover
  • Coinbase
  • DeviantArt
  • DigitalOcean
  • Discord
  • Dribbble
  • Dropbox
  • Drupal
  • Ecwid
  • Elance
  • Envato
  • Eventbrite
  • Fitbit
  • Foursquare
  • FreeAgent
  • GitLab
  • Harvest
  • HeadHunter
  • Heroku
  • Imgur
  • Keycloak
  • Mail.ru
  • Marketo
  • Meetup
  • Microsoft
  • Mollie
  • Naver
  • Nest
  • Odnoklassniki
  • Optimizely
  • PayPal
  • Phabricator
  • PSN
  • Rdio
  • Reddit
  • Resource Guru
  • Salesforce
  • Shopify
  • Slack
  • Spotify
  • Stripe
  • Strava
  • Square
  • StackExchange
  • SuperJob
  • ThirtySevenSignals
  • Trakt.tv
  • Twitch.tv
  • Uber
  • Unsplash
  • Untappd
  • Vend
  • Vimeo
  • Vkontakte
  • Wrike
  • Yahoo
  • Yandex
  • Yelp
  • Zendesk
  • ZenPayroll
Looking more at this...