Discuss this help topic in SecureBlackbox Forum

Customize OAuth login and confirmation forms

Some OAuth 2.0 scenarios involve user interaction through web forms shown in a web browser. For instance, a web form may be used to ask the end user to enter login credentials. By default, TElHTTPSServer uses built-in forms, which may be customized.

Use your server's AuthFormTemplate property to assign a custom login form. The default form is represented by the following code:

<html>
    <head>
        <title>SecureBlackbox HTTP Login Page</title>
    </head>
    <body>
        <center>
            <h1>Enter login credentials</h1>
            <form action="%URL%" method="POST">
            Login:<br/><input type="text" name="%LOGIN%"/><br/>
            Password:<br/><input type="password" name="%PASSWORD%"/><br/>
            <input type="hidden" name="%CSRF%" value="%CSRF_TOKEN%"/>
            <input type="submit" value="Login"/>
            </form>
        </center>
    </body>
</html>
where the %URL%, %LOGIN%, %PASSWORD%, %CSRF% and %CSRF_TOKEN% parameters are replaced by actual values at runtime.
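
A check to run on a custom login template before assigning it to AuthFormTemplate, given as an added example that is not part of SecureBlackbox. It assumes every placeholder used by the default form must be kept; the names `lintLoginTemplate`, `attr`, `REQUIRED` and both sample forms are hypothetical.

```javascript
// Added example (not SecureBlackbox code): lint a custom login template.
// Assumption: every placeholder used by the default form must be kept.
const REQUIRED = ["%URL%", "%LOGIN%", "%PASSWORD%", "%CSRF%", "%CSRF_TOKEN%"];

// Return the value of one attribute from a single tag string, or null.
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>/]+))`, "i").exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function lintLoginTemplate(html) {
  const problems = REQUIRED.filter((p) => !html.includes(p)).map((p) => `missing ${p}`);
  const form = /<form\b[^>]*>[\s\S]*?<\/form>/i.exec(html);
  if (!form) return problems.concat("no <form> element");
  const open = form[0].slice(0, form[0].indexOf(">") + 1);
  const inputs = form[0].match(/<input\b[^>]*>/gi) || [];
  const field = (n) => inputs.find((t) => attr(t, "name") === n);
  if (attr(open, "action") !== "%URL%") problems.push("form action is not %URL%");
  if ((attr(open, "method") || "get").toLowerCase() !== "post")
    problems.push("form is not POST: credentials would appear in the URL");
  const pw = field("%PASSWORD%");
  if (pw && (attr(pw, "type") || "text").toLowerCase() !== "password")
    problems.push("password field is not type=password");
  const csrf = field("%CSRF%");
  if (!csrf) problems.push("no %CSRF% field inside the form");
  else if (attr(csrf, "value") !== "%CSRF_TOKEN%")
    problems.push("%CSRF% field value is not %CSRF_TOKEN%");
  return problems;
}

// Constructed samples: the default form's <form> element and a broken customization.
const DEFAULT_FORM = `<form action="%URL%" method="POST">
Login:<br/><input type="text" name="%LOGIN%"/><br/>
Password:<br/><input type="password" name="%PASSWORD%"/><br/>
<input type="hidden" name="%CSRF%" value="%CSRF_TOKEN%"/>
<input type="submit" value="Login"/>
</form>`;
const BROKEN_FORM = `<form action="%URL%" method="get">
<input name="%LOGIN%"><input type="text" name="%PASSWORD%">
</form>`;

console.log(lintLoginTemplate(DEFAULT_FORM), lintLoginTemplate(BROKEN_FORM));
```

An empty result means the template kept the POST method, the masked password field and the hidden CSRF field of the default form.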

The TElHTTPSServer.ConfirmPageTemplate property can be used to customize the login confirmation page. The default code is the following:

<html>
    <head><title>SecureBlackbox OAuth2 Confirmation Page</title></head>
    <body>
        <center>
            <h1>An application would like to connect to your account!</h1>
            <h2>The application %APPNAME% would like the ability to access:</h2>
            <h3>%SCOPE%</h3>
            <button type="button" id="yes">Yes</button><button type="button" id="no">No</button>
        </center>
        <script>
            document.getElementById("yes").onclick = function() {
                window.location = "%ALLOW_URL%";
            };
            document.getElementById("no").onclick = function() {
                window.location = "%DENY_URL%";
            };
        </script>
    </body>
</html>
where
  • %APPNAME% is replaced with the application name at runtime;
  • %SCOPE% is replaced with the requested scope;
  • %ALLOW_URL% and %DENY_URL% are replaced with special URLs, generated by the server.

How To articles about server-side OAuth questions
