Details a package supporting creation of integrations with external services that use an OAuth flow for authentication and authorization.
Umbraco Authorized Services is an Umbraco package designed to reduce the effort needed to integrate third-party services into Umbraco solutions. Many Software as a Service (SaaS) offerings require an OAuth or API key based flow for authentication and authorization. Working with them requires a fair bit of plumbing code to handle creating an authorized connection. This is necessary before the developer working with the service can get to using the provided API to implement the business requirements.
There are similarities to the flow that needs to be implemented for different services. Steps include:
Redirecting to an authentication endpoint.
Handling the response including an authentication code and exchanging it for an access token.
Securely storing the token.
Including the token in API requests.
Serializing requests and deserializing the API responses.
Handling cases where the token has expired and obtaining a new one via a refresh token.
With API key based flows, the process is a little simpler. But you still have to consider secure storage of the key, providing it correctly in API calls and handling serialization tasks.
There are also differences across the request and response structures and variations in the details of the flow itself.
The package tries to implement a single, best practice implementation of working with OAuth. For particular providers the specific flow required can be customized via configuration or code.
The primary use case for this package is when working with services that offer an OAuth2/OAuth1 default authentication and authorization flow against an "app". The developer will need to create this "app" with the service. By doing this, for OAuth1 information such as "client ID"/"consumer key" and "client secret"/"consumer secret" can be applied to the configuration.
When creating the app it is usually necessary to configure a call-back URL. You should use the following:
For OAuth2: /api/AuthorizedServiceResponse/HandleOAuth2IdentityResponse
For OAuth1: /api/AuthorizedServiceResponse/HandleOAuth1IdentityResponse
In addition, the package supports integration with OAuth1 or Api key based authentication and authorization services.
For the solution developer, the Umbraco Authorized Services offers two primary features.
Firstly there's a tree available in the Settings section of the backoffice, called Authorized Services. The tree shows the list of services based on the details provided in configuration.
Each tree entry has a management screen where an administrator can authenticate with an app that has been setup with the service. The status of each service is shown on this screen. When authorized, the authentication and authorization flow has been completed and an access token stored.
A service can be configured to allow the manual entry of access tokens/API keys manually using the CanManuallyProvideToken
or CanManuallyProvideApiKey
settings. If this is set to true
, a new section will be available for providing them.
Secondly, the developer has access to an interface - IAuthorizedServiceCaller
- that they can inject instances of and use to make authorized requests to the service's API.
Using a settings screen the administrator can review the service configuration.
Depending on the authentication method of the service,
OAuth1
OAuth2AuthorizationCode
(default)
OAuth2ClientCredentials
ApiKey
The interface provides methods for retrieving the value of the access tokens or API key - GetOAuth1Token()
, GetOAuth2Token()
and GetApiKey()
. These will return null if the token or key is not found. They will also return null if the service is not configured to use the authorization method related to these objects.
Below you can learn more about how to use the Umbraco Authorized Services package.
The package should be installed into your Umbraco solution from NuGet.
Services supported by the package will often offer an OAuth authentication and authorization flow against an "app" that the developer will need to create. This will make available information, including for example a "client ID" and "client secret", that will need to be applied in configuration.
When creating the app it will usually be necessary to configure a call back URL. You should use the following:
For OAuth2: /umbraco/api/AuthorizedServiceResponse/HandleOAuth2IdentityResponse
For OAuth1: /umbraco/api/AuthorizedServiceResponse/HandleOAuth1IdentityResponse
Details of services available need to be applied to the Umbraco web application's configuration.
An example of doing this through the appSettings.json
file is shown below. Other sources such as environment variables can also be used, as per standard .NET configuration.
TokenEncryptionKey
is a setting for an optional key used for token encryption when they are saved and retrieved from storage. It's only necessary and advisable when using the non-default AesSecretEncryptor
implementation.
Services
contains the a collection of details for all the configured services structured as a dictionary.
The dictionary key is the alias of the service, which must be unique across the service collection.
The following table describes each of the service elements. Where appropriate, an example is provided for one service provider, GitHub.
Not all values are required for all services. Those that are required are indicated below.
The JsonSerializer
configuration option was removed, as we will now use the CMS default based only on System.Text.Json
.
Types related to this feature are also removed: JsonSerializerOption
and JsonSerializerFactory
.
The options for JsonSerializer
are:
Default
- uses the Umbraco CMS default IJsonSerializer
.
JsonNet
- uses the JSON.Net serializer.
SystemTextJson
- uses the System.Text.Json serializer.
With UseProofKeyForCodeExchange
set to true
, a random code will be generated on the client and stored under the name code_verifier
. Using the SHA-256
algorithm it will be hashed under the name code_challenge
. When the authorization URL is generated, the code_challenge
will be sent to the OAuth Server, which will store it. The next request for access token will pass the code_verifier
as a header key. The OAuth Server will compare it with the previously sent code_challenge
.
With one or more service configured, it will be available from the items within a tree in the Settings section.
Selecting an item will show some details about the configured service, and it's authentication status.
If the service is not yet authorized, click the Authorize Service button to trigger the authentication and authorization flow. You will be directed to the service to login, and optionally choose an account. You will then be asked to agree to the permissions requested by the app. Finally you will be redirected back to the Umbraco backoffice. You should see confirmation that an access token has been retrieved and stored such that the service is now authorized. If provided, you can click the Verify Sample Request button to ensure that service's API can be called.
To make a call to an authorized service, you first need to obtain an instance of IAuthorizedServiceCaller
. This is registered with the dependency injection framework. As such it can be injected into a controller, view or service class where it needs to be used.
When making a request where all information is provided via the path and querystring, such as GET requests, the following method will be invoked:
The parameters for the request are as follows:
serviceAlias
- the alias of the service being invoked (e.g. github
).
path
- the path to the API method being invoked (e.g. /repos/Umbraco/Umbraco-CMS/contributors
).
httpMethod
- the HTTP method to use for the request (e.g. HttpMethod.Get
).
There is also a type parameter:
TResponse
- defines the strongly typed representation of the service method's response, that the raw response content will be deserialized into.
If you need to provide data in the request an overload is available. This can be used for POST
or PUT
requests that trigger the creation or update of a resource:
The additional parameter is:
requestContent
- the strongly typed request content, which will be serialized and provided in the request.
And additional type parameter:
TRequest
- defines the strongly typed representation of the requested content.
If you need to work with the raw JSON response, there are equivalent methods for both of these that omit the deserialization step:
Finally, there are convenience extension methods available for each of the common HTTP verbs. These allow you to simplify the requests and omit the HttpMethod
parameter, e.g.
Depending on the configured authentication method, there are some methods that can be used to retrieve the access token or the API key:
The following service providers have been tested against the package implementation. For each one the necessary configuration is listed.
As integrations with more providers are successfully completed, we plan to maintain the details for each here. Pull requests updating this list with verified integrations are welcome.
The Authorized Services package is open-source and we welcome Issues, suggestions for improvement, and PRs.
You can find the source code and issue tracker at GitHub.
The readme file there contains further information, expanding on the documentation you have read here. This will help anyone interested in understanding how it has been developed and how to contribute to the solution.
Element | Description | Required? | Example |
---|---|---|---|
DisplayName
Provides a friendly name for the service used for identification in the user interface.
Yes
CanManuallyProvideToken
Toggles an UI section in the backoffice for manually providing an access token.
No
CanManuallyProvideApiKey
Toggles an UI section in the backoffice for manually providing an API key.
No
CanExchangeToken
Specifies whether the access token can be exchanged with a long lived one.
No
ExchangeTokenProvision
The available options for exchanging an access token. Configuration includes: TokenHost
, RequestTokenPath
, TokenGrantType
, RequestRefreshTokenPath
, RefreshTokenGrantType
and ExchangeTokenWhenExpiresWithin
No
AuthenticationMethod
An enum value that controls the type of authentication. OAuth2AuthorizationCode
is the default value; other available options are OAuth2ClientCredentials
, OAuth1
and ApiKey
.
No
ClientCredentialsProvision
The available options for providing credentials in an OAuth2
flow: AuthHeader
or RequestBody
.
No
ApiHost
The host name for the service API that will be called to deliver business functionality.
Yes
https://api.github.com
IdentityHost
The host name for the service's authentication endpoint, used to initiate the authorization of the service by asking the user to login.
Yes
https://github.com
TokenHost
Some providers make available a separately hosted service for handling requests for access tokens. If that's the case, it can be provided here. If not provided, the value of IdentityHost
is used.
No
RequestIdentityPath
Used along with IdentityHost
to construct a URL that the user is redirected to when initiating the authorization of the service via the backoffice.
Yes
/login/oauth/authorize
AuthorizationUrlRequiresRedirectUrl
Some providers require a redirect URL to be provided with the authentication request. For others, instead it's necessary to configure this as part of the registered app. The default value if not provided via configuration is false
.
No
RequestTokenPath
Used, along with TokenHost
to construct a URL used for retrieving access tokens.
Yes
/login/oauth/access_token
RequestTokenFormat
An enum value that controls how the request to retrieve an access token is formatted. Options are Querystring
and FormUrlEncoded
. Querystring
is the default value.
No
RequestAuthorizationPath
OAuth1
flow path for building the authorization URL.
No
JsonSerializer
An enum value that defines the JSON serializer to use when creating requests and deserializing responses. Options are Default
and JsonNet
and SystemTextJson
as described below. If not provided, Default
is used.
No
AuthorizationRequestRequiresAuthorizationHeaderWithBasicToken
This flag indicates whether the basic token should be included in the request for an access token. If true
, a base64 encoding of <clientId>:<clientSecret>
will be added to the authorization header. Default is false
.
No
ApiKey
Provides the service's API key, if "AuthenticationMethod": "ApiKey"
No
ApiKeyProvision
Provides an object that dictates how the API key will be included with each request. This is configured using the Method
(pass the API key as QueryString
or HttpHeader
) and Key
(name of the key used to include the API key) properties. You can also provide additional parameters that will be included in the querystring or headers via the AdditionalParameters
dictionary.
No
ClientId
This value will be retrieved from the registered service app. For OAuth1
registered apps, the matching value is consumer key
.
Yes
ClientSecret
This value will be retrieved from the registered service app. As the name suggests, it should be kept secret and so is probably best not added directly to appSettings.json
and checked into source control. For OAuth1
registered apps, the matching value is consumer secret
.
Yes
Scopes
This value will be configured on the service app and retrieved from there. Best practice is to define only the set of permissions that the integration will need.
Yes
repo
IncludeScopesInAuthorizationRequest
Specifies whether the provided scopes should be included in the authorization request body.
No
UseProofKeyForCodeExchange
This flag will extend the OAuth flow with an additional security layer called Proof Key for Code Exchange (PKCE).
No
AccessTokenResponseKey
The expected key for retrieving an access token from a response. If not provided the default access_token
is assumed.
No
RefreshTokenResponseKey
The expected key for retrieving a refresh token from a response. If not provided the default refresh_token
is assumed.
No
ExpiresInResponseKey
The expected key for retrieving the datetime of token expiry from a response. If not provided the default expires_in
is assumed.
No
SampleRequest
An optional sample request can be provided, which can be used to check that an authorized service is functioning as expected from the backoffice.
No
/repos/Umbraco/Umbraco-CMS/contributors
RefreshAccessTokenWhenExpiresWithin
Specifies a time interval for expiration of access tokens.
No