pelle / clauth
Authentication library for Clojure and Ring based on OAuth2
Home Page: http://pelle.github.com/clauth
Looking for a perspective from the maintainer - Is support for the OpenID Connect standard for authentication (built on top of OAuth 2.0), and loosely related support for JSON web tokens (JWT, JWS, JWE) something interesting for Clauth to support going forward? Would pull requests be interesting, or does this belong in a separate library in your opinion?
9a66cb1 appears to have broken the demo login form. I can login with demo/password before that commit, but not after it.
I'll try to see if I can figure out what happened, but I'm a n00b and thought I'd annotate the problem here in case I'm unable to figure it out.
In the function req->token, the single-arity signature seems to be recursively calling itself: https://github.com/pelle/clauth/blob/master/src/clauth/middleware.clj#L38. I think this is supposed to be calling into the 2-arity version, e.g.:

(defn req->token
  ([req]
   (req->token req token/find-valid-token))
  ([req finder]
   (if-let [token (req->token-string req)]
     (finder token))))
It seems to me that client_secret should not be required with grant_type=password, right?
As explained here (http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#others):
"Note, the client secret is not included here under the assumption that most of the use cases for password grants will be mobile or desktop apps, where the secret cannot be protected."
I'm happy to jump in and figure out how to modify clauth to not require the client_secret in this case if this sounds correct to you @pelle.
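As an added illustration for the question above (not clauth's code and not the thread author's): a grant_type=password handler that demands client_secret only from confidential clients, following RFC 6749 §4.3.2, which is slightly stricter than the rule quoted from the article. The client and user records, the :confidential? flag and the secret value are constructed for the example.

```clojure
(ns example.password-grant
  "Illustrative grant_type=password handler. Not clauth's code: the client
   and user records below are constructed for the example.")

(defn- constant-time-equal?
  "Compare two strings without leaking the position of the first mismatch."
  [^String a ^String b]
  (boolean
   (and a b
        (java.security.MessageDigest/isEqual (.getBytes a "UTF-8")
                                             (.getBytes b "UTF-8")))))

;; Constructed sample data (hypothetical). A public client (mobile/desktop app)
;; cannot keep a secret; a confidential client (server-side app) can.
(def clients
  {"mobile-app" {:client-id "mobile-app" :confidential? false}
   "server-app" {:client-id "server-app" :confidential? true
                 :client-secret "example-secret"}})

(def users {"demo" "password"})

(defn client-authenticated?
  "RFC 6749 §4.3.2: confidential clients must authenticate; public clients
   only identify themselves, so no client_secret is demanded of them."
  [client client-secret]
  (if (:confidential? client)
    (constant-time-equal? (:client-secret client) client-secret)
    true))

(defn user-authenticated? [username password]
  (boolean
   (when-let [stored (get users username)]
     (constant-time-equal? stored password))))

(defn password-grant
  "Ring handler body for the token endpoint. Expects string-keyed form params
   as produced by ring.middleware.params/wrap-params."
  [{:keys [params]}]
  (let [{:strs [grant_type client_id client_secret username password]} params
        client (get clients client_id)]
    (cond
      (not= grant_type "password")
      {:status 400 :body {:error "unsupported_grant_type"}}

      (or (nil? client) (not (client-authenticated? client client_secret)))
      {:status 401 :body {:error "invalid_client"}}

      (not (user-authenticated? username password))
      {:status 400 :body {:error "invalid_grant"}}

      :else
      {:status 200 :body {:access_token (str (java.util.UUID/randomUUID))
                          :token_type "bearer"}})))
```

A request with client_id "mobile-app", username "demo" and password "password" but no client_secret gets a 200, while "server-app" without its secret gets invalid_client.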
When using the clauth login-handler I sometimes get this exception, mostly when I open, in a fresh browser, a protected route that redirects to login.
Exception:
java.lang.ClassCastException
java.lang.String cannot be cast to clojure.lang.Associative
RT.java:702 clojure.lang.RT.assoc
core.clj:187 clojure.core/assoc
middleware.clj:17 clauth.middleware/assoc-session
middleware.clj:135 clauth.middleware/csrf-protect![fn]
routes.clj:68 myapp.routes/fn
core.clj:93 compojure.core/make-route[fn]
core.clj:39 compojure.core/if-route[fn]
core.clj:24 compojure.core/if-method[fn]
core.clj:106 compojure.core/routing[fn]
core.clj:2443 clojure.core/some
core.clj:106 compojure.core/routing
RestFn.java:139 clojure.lang.RestFn.applyTo
core.clj:619 clojure.core/apply
core.clj:111 compojure.core/routes[fn]
keyword_params.clj:27 ring.middleware.keyword-params/wrap-keyword-params[fn]
nested_params.clj:65 ring.middleware.nested-params/wrap-nested-params[fn]
params.clj:55 ring.middleware.params/wrap-params[fn]
multipart_params.clj:103 ring.middleware.multipart-params/wrap-multipart-params[fn]
flash.clj:14 ring.middleware.flash/wrap-flash[fn]
session.clj:43 ring.middleware.session/wrap-session[fn]
cookies.clj:160 ring.middleware.cookies/wrap-cookies[fn]
middleware.clj:12 hiccup.middleware/wrap-base-url[fn]
keyword_params.clj:27 ring.middleware.keyword-params/wrap-keyword-params[fn]
json.clj:42 ring.middleware.json/wrap-json-response[fn]
Var.java:415 clojure.lang.Var.invoke
reload.clj:18 ring.middleware.reload/wrap-reload[fn]
stacktrace.clj:17 ring.middleware.stacktrace/wrap-stacktrace-log[fn]
stacktrace.clj:80 ring.middleware.stacktrace/wrap-stacktrace-web[fn]
jetty.clj:18 ring.adapter.jetty/proxy-handler[fn]
(Unknown Source) ring.adapter.jetty.proxy$org.eclipse.jetty.server.handler.AbstractHandler$0.handle
HandlerWrapper.java:116 org.eclipse.jetty.server.handler.HandlerWrapper.handle
Server.java:363 org.eclipse.jetty.server.Server.handle
AbstractHttpConnection.java:483 org.eclipse.jetty.server.AbstractHttpConnection.handleRequest
AbstractHttpConnection.java:920 org.eclipse.jetty.server.AbstractHttpConnection.headerComplete
AbstractHttpConnection.java:982 org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete
HttpParser.java:635 org.eclipse.jetty.http.HttpParser.parseNext
HttpParser.java:235 org.eclipse.jetty.http.HttpParser.parseAvailable
AsyncHttpConnection.java:82 org.eclipse.jetty.server.AsyncHttpConnection.handle
SelectChannelEndPoint.java:628 org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle
SelectChannelEndPoint.java:52 org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run
QueuedThreadPool.java:608 org.eclipse.jetty.util.thread.QueuedThreadPool.runJob
QueuedThreadPool.java:543 org.eclipse.jetty.util.thread.QueuedThreadPool$3.run
Thread.java:724 java.lang.Thread.run
Code:
(defroutes main-routes
  (GET "/" request ((clmw/wrap-bearer-token index-page) request))
  (ANY "/oauth2/token" request ((clep/token-handler) request))
  (GET "/oauth2/authorization" request ((clep/authorization-handler) request))
  (ANY "/login" {client :client, :as request}
    ((clep/login-handler {:login-form login-page, :client client}) request)))

(def app
  (do
    (reset! token-store (create-couchdb-store "clauth_token"))
    (reset! auth-code-store (create-couchdb-store "clauth_authcode"))
    (reset! client-store (create-couchdb-store "clauth_client"))
    (reset! user-store (create-couchdb-store "clauth_user"))
    (println "Starting application..")
    (let [client (or (first (clients))
                     (register-client "MyApp" "http://localhost:3000"))
          user (or (first (clauth.user/users))
                   (clauth.user/register-user "demo" "password"))]
      (-> (handler/site main-routes {:session {:store (redis-store redis-pool redis-spec {:prefix "myapp.session"})}, :client client})
          (wrap-base-url)
          (wrap-keyword-params)
          ;(wrap-params)
          (wrap-json-response)))))
This is not an issue per se, just a question really. I am reading the code and trying to figure out if this implementation of OAuth2 provides protection from replay attacks, or if additional steps need to be taken when using it.
Grepping for "nonce", I don't find anything, but perhaps you just used different language. I'm poring over the "Expiry" parts in particular to figure this out. Any insights into this would be very much appreciated.
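Added example, not part of this thread and not clauth's implementation: an in-memory sketch of the two checks the question is about, expiry of bearer tokens (written as a finder of the shape taken by the finder argument in the req->token issue above) and single-use authorization codes, which RFC 6749 requires. The store names, TTLs and client id are constructed.

```clojure
(ns example.replay-checks
  "Illustrative expiry and single-use checks for bearer tokens and
   authorization codes. Added for this page; not clauth's implementation."
  (:import [java.time Instant]
           [java.util UUID]))

;; Constructed in-memory stores (hypothetical): token/code string -> record.
(def tokens (atom {}))
(def auth-codes (atom {}))

(defn issue-token!
  "Stores a random bearer token that expires ttl-seconds from now."
  [ttl-seconds]
  (let [t (str (UUID/randomUUID))]
    (swap! tokens assoc t {:expires (.plusSeconds (Instant/now) ttl-seconds)})
    t))

(defn find-valid-token
  "Finder in the shape of req->token's second argument: returns the record
   only while it is unexpired, so a captured token stops working at :expires."
  ([t] (find-valid-token t (Instant/now)))
  ([t now]
   (when-let [rec (get @tokens t)]
     (when (.isBefore now (:expires rec)) rec))))

(defn issue-code!
  "Authorization codes are short-lived and bound to the requesting client."
  [client-id]
  (let [c (str (UUID/randomUUID))]
    (swap! auth-codes assoc c {:client client-id
                               :expires (.plusSeconds (Instant/now) 60)})
    c))

(defn redeem-code!
  "Removes the code atomically before checking it, so a second (replayed)
   redemption sees nothing. Returns the record or nil."
  [code client-id]
  (let [[before _] (swap-vals! auth-codes dissoc code)
        rec (get before code)]
    (when (and rec
               (= client-id (:client rec))
               (.isBefore (Instant/now) (:expires rec)))
      rec)))

(comment
  (let [code (issue-code! "MyApp")]
    [(some? (redeem-code! code "MyApp"))    ; true: first use succeeds
     (some? (redeem-code! code "MyApp"))])) ; false: replay is rejected
```

Expiry alone bounds how long a captured token is useful; it is the removal in redeem-code! that makes a replayed authorization code fail.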
Are there any more demo apps anywhere?
The readme refers to a function called register-app
...
(register-app name url)
... however this function does not appear in the source code.