
clauth's People

Contributors

brunchboy avatar dyba avatar pelle avatar rplevy-draker avatar ryfow avatar sparkhom avatar


clauth's Issues

OpenID Connect + JSON Web Token support

Looking for a perspective from the maintainer - Is support for the OpenID Connect standard for authentication (built on top of OAuth 2.0), and loosely related support for JSON web tokens (JWT, JWS, JWE) something interesting for Clauth to support going forward? Would pull requests be interesting, or does this belong in a separate library in your opinion?

demo login not working

9a66cb1 appears to have broken the demo login form. I can log in with demo/password before that commit, but not after it.

I'll try to see if I can figure out what happened, but I'm a n00b and thought I'd annotate the problem here in case I'm unable to figure it out.

Grant type password should not require client_secret

It seems to me that client_secret should not be required with grant_type=password, right?

As explained here (http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#others):

Note, the client secret is not included here under the assumption that most of the use cases for password grants will be mobile or desktop apps, where the secret cannot be protected.

I'm happy to jump in and figure out how to modify clauth to not require the client_secret in this case if this sounds correct to you @pelle.

ClassCastException in csrf-protect

When using the clauth login-handler I sometimes get this exception, mostly when I open a protected route that redirects to login in a fresh browser.

Exception:

java.lang.ClassCastException: java.lang.String cannot be cast to clojure.lang.Associative
RT.java:702 clojure.lang.RT.assoc
core.clj:187    clojure.core/assoc
middleware.clj:17   clauth.middleware/assoc-session
middleware.clj:135  clauth.middleware/csrf-protect![fn]
routes.clj:68   myapp.routes/fn
core.clj:93 compojure.core/make-route[fn]
core.clj:39 compojure.core/if-route[fn]
core.clj:24 compojure.core/if-method[fn]
core.clj:106    compojure.core/routing[fn]
core.clj:2443   clojure.core/some
core.clj:106    compojure.core/routing
RestFn.java:139 clojure.lang.RestFn.applyTo
core.clj:619    clojure.core/apply
core.clj:111    compojure.core/routes[fn]
keyword_params.clj:27   ring.middleware.keyword-params/wrap-keyword-params[fn]
nested_params.clj:65    ring.middleware.nested-params/wrap-nested-params[fn]
params.clj:55   ring.middleware.params/wrap-params[fn]
multipart_params.clj:103    ring.middleware.multipart-params/wrap-multipart-params[fn]
flash.clj:14    ring.middleware.flash/wrap-flash[fn]
session.clj:43  ring.middleware.session/wrap-session[fn]
cookies.clj:160 ring.middleware.cookies/wrap-cookies[fn]
middleware.clj:12   hiccup.middleware/wrap-base-url[fn]
keyword_params.clj:27   ring.middleware.keyword-params/wrap-keyword-params[fn]
json.clj:42 ring.middleware.json/wrap-json-response[fn]
Var.java:415    clojure.lang.Var.invoke
reload.clj:18   ring.middleware.reload/wrap-reload[fn]
stacktrace.clj:17   ring.middleware.stacktrace/wrap-stacktrace-log[fn]
stacktrace.clj:80   ring.middleware.stacktrace/wrap-stacktrace-web[fn]
jetty.clj:18    ring.adapter.jetty/proxy-handler[fn]
(Unknown Source)    ring.adapter.jetty.proxy$org.eclipse.jetty.server.handler.AbstractHandler$0.handle
HandlerWrapper.java:116 org.eclipse.jetty.server.handler.HandlerWrapper.handle
Server.java:363 org.eclipse.jetty.server.Server.handle
AbstractHttpConnection.java:483 org.eclipse.jetty.server.AbstractHttpConnection.handleRequest
AbstractHttpConnection.java:920 org.eclipse.jetty.server.AbstractHttpConnection.headerComplete
AbstractHttpConnection.java:982 org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete
HttpParser.java:635 org.eclipse.jetty.http.HttpParser.parseNext
HttpParser.java:235 org.eclipse.jetty.http.HttpParser.parseAvailable
AsyncHttpConnection.java:82 org.eclipse.jetty.server.AsyncHttpConnection.handle
SelectChannelEndPoint.java:628  org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle
SelectChannelEndPoint.java:52   org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run
QueuedThreadPool.java:608   org.eclipse.jetty.util.thread.QueuedThreadPool.runJob
QueuedThreadPool.java:543   org.eclipse.jetty.util.thread.QueuedThreadPool$3.run
Thread.java:724 java.lang.Thread.run

Code:

(defroutes main-routes
  (GET "/" request ((clmw/wrap-bearer-token index-page) request))
  (ANY "/oauth2/token" request ((clep/token-handler) request))
  (GET "/oauth2/authorization" request ((clep/authorization-handler) request))
  (ANY "/login" {client :client, :as request} ((clep/login-handler {:login-form login-page, :client client}) request)))

(def app
  (do
    (reset! token-store (create-couchdb-store "clauth_token"))
    (reset! auth-code-store (create-couchdb-store "clauth_authcode"))
    (reset! client-store (create-couchdb-store "clauth_client"))
    (reset! user-store (create-couchdb-store "clauth_user"))
    (println "Starting application..")
    (let [client (or (first (clients))
                     (register-client "MyApp" "http://localhost:3000"))
          user (or (first (clauth.user/users))
                   (clauth.user/register-user "demo" "password"))]
      (-> (handler/site main-routes {:session {:store (redis-store redis-pool redis-spec {:prefix "myapp.session"})}, :client client })
          (wrap-base-url)
          (wrap-keyword-params)
          ;(wrap-params)
          (wrap-json-response)))))

Question about timestamp / nonce / replay-protection

This is not an issue per se, just a question really. I am reading the code and trying to figure out if this implementation of OAuth2 provides protection from replay attacks, or if additional steps need to be taken when using it.

Grepping for "nonce", I don't find anything, but perhaps you just used different language. I'm poring over the "Expiry" parts in particular to figure this out. Any insights into this would be very much appreciated.

Issue in readme

The readme refers to a function called register-app...

(register-app name url)

... however this function does not appear in the source code.
