OAuth Class

Properties   Methods   Events   Configuration Settings   Errors  

The OAuth class is used to authorize a client and provide an authorization string used in future requests.

Syntax

class ipworks.OAuth

Remarks

The OAuth class supports both plaintext and SSL/TLS connections. When connecting over SSL/TLS the on_ssl_server_authentication event allows you to check the server identity and other security attributes. The on_ssl_status event provides information about the SSL handshake. Additional SSL related settings are also supported via the config method.

The OAuth class provides an easy way to obtain an authorization string for future requests to a service. The class implements an OAuth 2.0 client.

To begin using the class you will first need to register your application with the service you want to use. During this process you should obtain a client_id and client_secret as well as the server_auth_url and server_token_url for the authorization server. Then set client_profile to the client type that best describes your situation and call get_authorization.

The following client types are currently supported by the class:

  • Application (desktop application)
  • WebServer (server side application such as a web site)
  • Device (an application without browser access such as a game console)
  • Mobile (phone or tablet application)
  • Browser (javascript application)
  • JWT (server to server authentication using a JWT bearer token such as Google service account authentication)
Please see the detailed descriptions below for each client type and how the class is used to authorize an application using that client type.

Application Client Type

The application client type is applicable to applications that are run by the user directly. For instance a windows form application would use the application client type. To authorize your application (client) using the application client type follow the steps below.

First, set client_profile to cfApplication. This defines the client type the class will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application.

Next, call get_authorization to begin the authorization process. When get_authorization is called the class will build the URL to which the user will be directed and fire the on_launch_browser event. The class will then launch the browser using the command and URL shown in the on_launch_browser event.

The user will authenticate to the service, and then be redirected back to an embedded web server that was automatically started when get_authorization was called. At this time the on_return_url event will fire. This event provides an opportunity to provide a custom response to your user that they will see in their browser.

The class will then automatically exchange the grant that was returned by the authorization server for the access token using the HTTP endpoint specified in server_token_url.

The authorization is now complete and the get_authorization method will return the authorization string. To use the authorization string with any of our classs simply pass this value to the Authorization property before making the request.

A simple example is shown below.

component.ClientId = "MyId";
component.ClientSecret = "MyPassword";
component.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth";
component.ServerTokenURL = "https://accounts.google.com/o/oauth2/token";
HTTP.Authorization = component.GetAuthorization();
HTTP.Get("https://www.googleapis.com/oauth2/v1/userinfo");

WebServer Client Type

The WebServer client type is applicable to applications that are run on the server side where the user uses the application from a web browser. To authorize your application (client) using this client type follow the steps below.

First, set client_profile to cfWebServer. This defines the client type the component will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application. Set return_url to the page on your site that will be the endpoint the user is redirected back to after authentication.

Next, call get_authorization_url. This will return a URL to which the user should be redirected. Redirect the user to this URL.

After the user authenticates and is returned to the page on your site specified by return_url, parse the "code" query string parameter from the incoming request. Set authorization_code to this value.

Call get_authorization to exchange the code specified in authorization_code for a token from the server specified by server_token_url. get_authorization returns the authorization string. To use the authorization string with any of our components simply pass this value to the Authorization property before making the request.

Device Client Type

The Device client type is applicable to applications that are run on devices where no web browser can be used. For instance a game console would use the device client type. To authorize your application (client) using the device client type follow the steps below.

First, set client_profile to cfDevice. This defines the client type the class will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application. Do not set return_url.

Next, call get_authorization_url. The class will automatically make a request to server_auth_url to obtain a user code for the device. The get_authorization_url method will return the URL your user must visit from another device or computer that has web browser support. The get_authorization_url method will also populate DeviceUserCode. This device user code must also be provided to the user. The user will enter the code at the URL returned by get_authorization_url.

At this time, call get_authorization. The class will begin polling the server specified in server_token_url. The polling interval is specified (in seconds) by the PollingInterval setting.

After the user has authenticated, the get_authorization method will return the authorization string. To use the authorization string with any of our components simply pass this value to the Authorization property before making the request.

Mobile Client Type

The Mobile client type is applicable to applications that are run on devices where a web browser can be used. For instance a mobile phone or tablet. The behavior when using this client type is very similar to the Application client type. The only difference between the Mobile and Application client types is the way the browser is launched, when set to Mobile the on_launch_browser event will fire but the class will not attempt to launch the browser automatically. The browser must be launched manually from code. This behavior is the only difference between the Mobile and Application client type. Please read the steps above for the Application client type for a more detailed look at the process.

JWT Bearer Token (Server to Server) Type

The JWT (JSON Web Token) Bearer Token type is available for server to server authentication. For instance this may be used by web applications to access a Google service. In this case the application will access data on behalf of the service account, not the end user. End user interaction is not required.

First, specify authorization_scope server_token_url and JWTServiceProvider.

Next specify JWT specific values. The use of the JWT profile also requires additional configuration settings to be specified, including a certificate with private key used to sign the JWT. Either specify the JWTJSONKey configuration setting, which will parse the necessary information automatically, or manually specify the following configuration settings:

Additional fields may be added to the JWT using the add_param method.

Example (Google):

oauth.AuthorizationScope = "https://www.googleapis.com/auth/analytics";
oauth.ServerTokenURL =  "https://www.googleapis.com/oauth2/v3/token";
oauth.ClientProfile = OauthClientProfiles.cfJWT;
oauth.Config("JWTServiceProvider=0");
oauth.Config("JWTIssuer=111917875427-g39d5bar90mjgiuf2n5ases9qk0j2q0p@developer.gserviceaccount.com");
oauth.Config("JWTAudience=https://www.googleapis.com/oauth2/v3/token");
oauth.Config("JWTCertStoreType=2");
oauth.Config("JWTCertStore=C:\\MyCertificate.p12");
oauth.Config("JWTCertStorePassword=password");
oauth.Config("JWTCertSubject=*");
oauth.Config("JWTValidityTime=5400"); //in seconds
string authStr = oauth.GetAuthorization();

Example (Microsoft):

oauth.ClientId = "Client_Id";
oauth.ClientProfile = OauthClientProfiles.cfJWT;
oauth.AuthorizationScope = "https://graph.microsoft.com/.default";
oauth.ServerTokenURL = "https://login.microsoftonline.com/" + tenant_id + "/oauth2/V2.0/token";
oauth.Config("JWTCertStoreType=2");
oauth.Config("JWTCertStore=C:\\MyCertificate.p12");
oauth.Config("JWTCertStorePassword=password");
oauth.Config("JWTCertSubject=*");
oauth.Config("JWTValidityTime=3600");
oauth.Config("JWTAudience=https://login.microsoftonline.com/"+ tenant_id + "/oauth2/V2.0/token");
string authStr = oauth.GetAuthorization();

Microsoft Admin Consent Type

The Microsoft Admin Consent type is used when setting up application permissions for apps that authenticate to Microsoft. Typically this type is used in the client credentials grant flow so that the admin can consent to the scopes that are defined by the App's registration in Azure Portal. After the app has been registered, the Application (client) ID will need to be set to the client_id property. Also, a registered return URL must be set to the return_url property.

When the get_authorization method is called, the class will fire the on_launch_browser event and open the admin consent page URL (eg. https://login.microsoftonline.com/common/adminconsent?client_id=CLIENT_ID&redirect_uri=URL). At the same time, the class will start an embedded webserver that will be used to receive the results from the redirect URI.

If the Admin consents to the scopes, the redirect URI will supply the tenant ID of the admin. The tenant ID can be accessed through the Microsoft365AdminConsentTenant configuration and is often needed for authenticating a client later (eg. Client Credentials Grant Flow). Once the Admin consents once, they typically will not need to go through the process again unless the scopes of the application change.

If the Admin does not consent to the scopes, the redirect URI will give an error message and a description of the error. The error message can be found in the Microsoft365AdminConsentError configuration setting and the error description can be found in the Microsoft365AdminConsentErrorDesc configuration setting. Additionally the class fails with an error.

For example:

oauth.ClientId = "Client_ID";
oauth.ClientProfile = OauthClientProfiles.cfMicrosoft365AdminConsent;
oauth.WebServerPort = 8888;
oauth.ReturnURL = "http://localhost:8888";
oauth.GetAuthorization();
string tenant = oauth.Config("Microsoft365AdminConsentTenant");

Property List


The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

access_tokenThe access token returned by the authorization server.
authorization_codeThe authorization code that is exchanged for an access token.
authorization_scopeThe scope request or response parameter used during authorization.
client_idThe id of the client assigned when registering the application.
client_profileThe type of client that is requesting authorization.
client_secretThe secret value for the client assigned when registering the application.
connectedShows whether the class is connected.
cookie_countThe number of records in the Cookie arrays.
cookie_domainThe domain of a received cookie.
cookie_expirationThis property contains an expiration time for the cookie (if provided by the server).
cookie_nameThe name of the cookie.
cookie_pathThis property contains a path name to limit the cookie to (if provided by the server).
cookie_secureThis property contains the security flag of the received cookie.
cookie_valueThis property contains the value of the cookie.
firewall_auto_detectThis property tells the class whether or not to automatically detect and use firewall system settings, if available.
firewall_typeThis property determines the type of firewall to connect through.
firewall_hostThis property contains the name or IP address of firewall (optional).
firewall_passwordThis property contains a password if authentication is to be used when connecting through the firewall.
firewall_portThis property contains the TCP port for the firewall Host .
firewall_userThis property contains a user name if authentication is to be used connecting through a firewall.
follow_redirectsDetermines what happens when the server issues a redirect.
grant_typeThe OAuth grant type used to acquire an OAuth access token.
idleThe current status of the class.
local_hostThe name of the local host or user-assigned IP interface through which connections are initiated or accepted.
other_headersOther headers as determined by the user (optional).
param_countThe number of records in the Param arrays.
param_nameThis property contains the name of the parameter to be used in the request or returned in the response.
param_valueThis property contains the value of the parameter to be used in the request or returned in the response.
proxy_auth_schemeThis property is used to tell the class which type of authorization to perform when connecting to the proxy.
proxy_auto_detectThis property tells the class whether or not to automatically detect and use proxy system settings, if available.
proxy_passwordThis property contains a password if authentication is to be used for the proxy.
proxy_portThis property contains the TCP port for the proxy Server (default 80).
proxy_serverIf a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.
proxy_sslThis property determines when to use SSL for the connection to the proxy.
proxy_userThis property contains a user name, if authentication is to be used for the proxy.
refresh_tokenSpecifies the refresh token received from or sent to the authorization server.
return_urlThe URL where the user (browser) returns after authenticating.
server_auth_urlThe URL of the authorization server.
server_token_urlThe URL used to obtain the access token.
ssl_accept_server_cert_encodedThe certificate (PEM/base64 encoded).
ssl_cert_encodedThe certificate (PEM/base64 encoded).
ssl_cert_storeThe name of the certificate store for the client certificate.
ssl_cert_store_passwordIf the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
ssl_cert_store_typeThe type of certificate store for this certificate.
ssl_cert_subjectThe subject of the certificate used for client authentication.
ssl_server_cert_encodedThe certificate (PEM/base64 encoded).
timeoutA timeout for the class.
transferred_dataThe contents of the last response from the server.
transferred_headersThe full set of headers as received from the server.
web_server_portThe local port on which the embedded web server listens.
web_server_ssl_cert_storeThe name of the certificate store for the client certificate.
web_server_ssl_cert_store_passwordIf the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
web_server_ssl_cert_store_typeThe type of certificate store for this certificate.
web_server_ssl_cert_subjectThe subject of the certificate used for client authentication.
web_server_ssl_enabledWhether the web server requires SSL connections.

Method List


The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

add_cookieAdds a cookie and the corresponding value to the outgoing request headers.
add_paramAdds a name-value pair to the query string parameters of outgoing request.
configSets or retrieves a configuration setting.
do_eventsProcesses events from the internal message queue.
get_authorizationGets the authorization string required to access the protected resource.
get_authorization_urlBuilds and returns the URL to which the user should be re-directed for authorization.
interruptInterrupt the current method.
resetReset the class.
start_web_serverStarts the embedded web server.
stop_web_serverStops the embedded web server.

Event List


The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

on_connectedFired immediately after a connection completes (or fails).
on_connection_statusFired to indicate changes in connection state.
on_disconnectedFired when a connection is closed.
on_end_transferFired when a document finishes transferring.
on_errorInformation about errors during data delivery.
on_headerFired every time a header line comes in.
on_launch_browserFires before launching a browser with the authorization URL.
on_logFires once for each log message.
on_redirectFired when a redirection is received from the server.
on_return_urlFires when the user is redirected to the embedded web server.
on_set_cookieFired for every cookie set by the server.
on_ssl_server_authenticationFired after the server presents its certificate to the client.
on_ssl_statusShows the progress of the secure connection.
on_start_transferFired when a document starts transferring (after the headers).
on_statusFired when the HTTP status line is received from the server.
on_transferFired while a document transfers (delivers document).

Configuration Settings


The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.

AccessTokenExpThe lifetime of the access token.
AuthorizationTokenTypeThe type of access token returned.
AuthorizationURLSpecifies the URL used for authorization.
BrowserResponseTimeoutSpecifies the amount of time to wait for a response from the browser.
CodeChallengeMethodThe code challenge method to use (if any).
DeviceGrantTypeThe grant type to be used when the ClientProfile is set to cfDevice.
DeviceUserCodeThe device's user code when the ClientProfile is set to cfDevice.
FormVarCountSpecifies the number of additional form variables to include in the request.
FormVarName[i]Specifies the form variable name at the specified index.
FormVarValue[i]Specifies the form variable value at the specified index.
IncludeEmptyRedirectURIWhether an empty redirect_uri parameter is included in requests.
JWTAudienceThe JWT audience when the ClientProfile is set to cfJWT.
JWTCertStoreThe name of the certificate store for the JWT signing certificate.
JWTCertStorePasswordThe JWT signing certificate password.
JWTCertStoreTypeThe type of certificate store.
JWTCertSubjectThe JWT signing certificate subject.
JWTIssuerThe JWT issuer when the ClientProfile is set to cfJWT.
JWTJSONKeyThe file path of the JWT JSON Key, or a string containing its content.
JWTServiceProviderThe service provider to which authentication is being performed.
JWTSignatureAlgorithmThe signature algorithm used to sign the JWT.
JWTSubjectThe subject field in the JWT.
JWTValidityTimeThe amount of time in seconds for which the assertion in the JWT is valid.
Microsoft365AdminConsentErrorThe error message returned when the admin denies consent to the scopes.
Microsoft365AdminConsentErrorDescThe error description returned when the admin denies consent to the scopes.
Microsoft365AdminConsentTenantThe tenant ID returned after the admin consents to the scopes.
Office365ServiceAPIVersionThe API version of the Office 365 service being discovered.
Office365ServiceCapabilityThe API capability of the Office 365 service being discovered.
Office365ServiceEndpointThe Office 365 endpoint for the service that matches the criteria specified.
PasswordGrantUsernameThe Username field when using the password grant type.
PollingIntervalThe interval in seconds between polling requests when the device client type is used.
ReUseWebServerDetermines if the same server instance is used between requests.
TokenInfoFieldCountThe number of fields in the tokeninfo service response.
TokenInfoFieldName[i]The name of the tokeninfo service response field.
TokenInfoFieldValue[i]The value of the tokeninfo service response field.
TokenInfoURLThe URL of the tokeninfo service.
ValidateTokenValidates the specified access token with a tokeninfo service.
WebServerFailedResponseThe custom response that will be displayed to the user if authentication failed.
WebServerHostThe hostname used by the embedded web server displayed in the ReturnURL.
WebServerResponseThe custom response that will be displayed to the user.
AcceptEncodingUsed to tell the server which types of content encodings the client supports.
AllowHTTPCompressionThis property enables HTTP compression for receiving data.
AllowHTTPFallbackWhether HTTP/2 connections are permitted to fallback to HTTP/1.1.
AppendWhether to append data to LocalFile.
AuthorizationThe Authorization string to be sent to the server.
BytesTransferredContains the number of bytes transferred in the response data.
ChunkSizeSpecifies the chunk size in bytes when using chunked encoding.
CompressHTTPRequestSet to true to compress the body of a PUT or POST request.
EncodeURLIf set to true the URL will be encoded by the class.
FollowRedirectsDetermines what happens when the server issues a redirect.
GetOn302RedirectIf set to true the class will perform a GET on the new location.
HTTP2HeadersWithoutIndexingHTTP2 headers that should not update the dynamic header table with incremental indexing.
HTTPVersionThe version of HTTP used by the class.
IfModifiedSinceA date determining the maximum age of the desired document.
KeepAliveDetermines whether the HTTP connection is closed after completion of the request.
KerberosSPNThe Service Principal Name for the Kerberos Domain Controller.
LogLevelThe level of detail that is logged.
MaxRedirectAttemptsLimits the number of redirects that are followed in a request.
NegotiatedHTTPVersionThe negotiated HTTP version.
OtherHeadersOther headers as determined by the user (optional).
ProxyAuthorizationThe authorization string to be sent to the proxy server.
ProxyAuthSchemeThe authorization scheme to be used for the proxy.
ProxyPasswordA password if authentication is to be used for the proxy.
ProxyPortPort for the proxy server (default 80).
ProxyServerName or IP address of a proxy server (optional).
ProxyUserA user name if authentication is to be used for the proxy.
SentHeadersThe full set of headers as sent by the client.
StatusLineThe first line of the last response from the server.
TransferredDataThe contents of the last response from the server.
TransferredDataLimitThe maximum number of incoming bytes to be stored by the class.
TransferredHeadersThe full set of headers as received from the server.
TransferredRequestThe full request as sent by the client.
UseChunkedEncodingEnables or Disables HTTP chunked encoding for transfers.
UseIDNsWhether to encode hostnames to internationalized domain names.
UsePlatformHTTPClientWhether or not to use the platform HTTP client.
UserAgentInformation about the user agent (browser).
ConnectionTimeoutSets a separate timeout value for establishing a connection.
FirewallAutoDetectTells the class whether or not to automatically detect and use firewall system settings, if available.
FirewallHostName or IP address of firewall (optional).
FirewallPasswordPassword to be used if authentication is to be used when connecting through the firewall.
FirewallPortThe TCP port for the FirewallHost;.
FirewallTypeDetermines the type of firewall to connect through.
FirewallUserA user name if authentication is to be used connecting through a firewall.
KeepAliveIntervalThe retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.
KeepAliveTimeThe inactivity time in milliseconds before a TCP keep-alive packet is sent.
LingerWhen set to True, connections are terminated gracefully.
LingerTimeTime in seconds to have the connection linger.
LocalHostThe name of the local host through which connections are initiated or accepted.
LocalPortThe port in the local host where the class binds.
MaxLineLengthThe maximum amount of data to accumulate when no EOL is found.
MaxTransferRateThe transfer rate limit in bytes per second.
ProxyExceptionsListA semicolon separated list of hosts and IPs to bypass when using a proxy.
TCPKeepAliveDetermines whether or not the keep alive socket option is enabled.
TcpNoDelayWhether or not to delay when sending packets.
UseIPv6Whether to use IPv6.
LogSSLPacketsControls whether SSL packets are logged when using the internal security API.
OpenSSLCADirThe path to a directory containing CA certificates.
OpenSSLCAFileName of the file containing the list of CA's trusted by your application.
OpenSSLCipherListA string that controls the ciphers to be used by SSL.
OpenSSLPrngSeedDataThe data to seed the pseudo random number generator (PRNG).
ReuseSSLSessionDetermines if the SSL session is reused.
SSLCACertFilePathsThe paths to CA certificate files on Unix/Linux.
SSLCACertsA newline separated list of CA certificate to use during SSL client authentication.
SSLCheckCRLWhether to check the Certificate Revocation List for the server certificate.
SSLCipherStrengthThe minimum cipher strength used for bulk encryption.
SSLEnabledCipherSuitesThe cipher suite to be used in an SSL negotiation.
SSLEnabledProtocolsUsed to enable/disable the supported security protocols.
SSLEnableRenegotiationWhether the renegotiation_info SSL extension is supported.
SSLIncludeCertChainWhether the entire certificate chain is included in the SSLServerAuthentication event.
SSLNegotiatedCipherReturns the negotiated ciphersuite.
SSLNegotiatedCipherStrengthReturns the negotiated ciphersuite strength.
SSLNegotiatedCipherSuiteReturns the negotiated ciphersuite.
SSLNegotiatedKeyExchangeReturns the negotiated key exchange algorithm.
SSLNegotiatedKeyExchangeStrengthReturns the negotiated key exchange algorithm strength.
SSLNegotiatedVersionReturns the negotiated protocol version.
SSLProviderThe name of the security provider to use.
SSLSecurityFlagsFlags that control certificate verification.
SSLServerCACertsA newline separated list of CA certificate to use during SSL server certificate validation.
TLS12SignatureAlgorithmsDefines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True.
TLS12SupportedGroupsThe supported groups for ECC.
TLS13KeyShareGroupsThe groups for which to pregenerate key shares.
TLS13SignatureAlgorithmsThe allowed certificate signature algorithms.
TLS13SupportedGroupsThe supported groups for (EC)DHE key exchange.
AbsoluteTimeoutDetermines whether timeouts are inactivity timeouts or absolute timeouts.
FirewallDataUsed to send extra data to the firewall.
InBufferSizeThe size in bytes of the incoming queue of the socket.
OutBufferSizeThe size in bytes of the outgoing queue of the socket.
BuildInfoInformation about the product's build.
CodePageThe system code page used for Unicode to Multibyte translations.
LicenseInfoInformation about the current license.
ProcessIdleEventsWhether the class uses its internal event loop to process events when the main thread is idle.
SelectWaitMillisThe length of time in milliseconds the class will wait when DoEvents is called if there are no events to process.
UseInternalSecurityAPITells the class whether or not to use the system security libraries or an internal implementation.

Copyright (c) 2022 /n software inc. - All rights reserved.
IPWorks 2020 Python Edition - Version 20.0 [Build 8307]