lvhengel

Introduction



In my previous blog, iGoogle Gadget (featuring UWL, BPM, JSON & OAuth) - Part 1, I described how to retrieve BPM Tasks from the Universal Worklist and present the data as JSON. This blog shows how to create the OAuth Provider; in part 3 we will create the iGoogle Gadget as the OAuth Consumer application, which will display the Tasks data from the Provider in our own iGoogle page.


OAuth


OAuth is an open protocol to allow secure API authorization in a simple and standard method from web, desktop, and mobile applications.

OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.



For the application used in this blog series SAP NetWeaver will act as the OAuth Provider and iGoogle is the OAuth Consumer. The OAuth Authentication flow between the end user, consumer and provider is displayed in the following diagram:



[Figure: OAuth authentication flow between end user, consumer and provider (https://weblogs.sdn.sap.com/weblogs/images/252125299/OAuth_flow.png)]

In the diagram above the OAuth Authentication flow is done in ten steps:

  • OAuth Provider grants Request Token
  • Redirect to Service Provider Login
  • User Grants Access
  • Redirect User to Consumer
  • Redirect to Consumer
  • iGoogle Requests Access Token
  • OAuth Provider Grants Access Token
  • Access protected Resource
  • Return protected Resource



For more information about OAuth I can recommend the slides by Leah Culver on SlideShare and the documentation at http://oauth.net/
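Every request the consumer sends in the flow above (request token, access token, protected resource) carries an OAuth signature that the provider has to verify before it hands anything out. The following is an added example, not code from the blog or from the Google example provider: it builds the OAuth 1.0 signature base string and verifies an HMAC-SHA1 signature the way a provider-side servlet must, using the request from Appendix A of the OAuth Core 1.0 specification as sample input.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def percent_encode(value) -> str:
    # OAuth 1.0 encoding: everything except RFC 3986 unreserved characters is escaped.
    return quote(str(value), safe="~")

def normalize_url(url: str) -> str:
    # Lower-case scheme and host, drop default ports, strip query string and fragment.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Gather query-string and oauth_* parameters (never oauth_signature itself),
    # sort by encoded key then value, and join them as METHOD&URL&PARAMS.
    pairs = [(percent_encode(k), percent_encode(v)) for k, v in params.items()
             if k != "oauth_signature"]
    pairs += [(percent_encode(k), percent_encode(v))
              for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), percent_encode(normalize_url(url)),
                     percent_encode(normalized)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def verify_request(method, url, params, consumer_secret, token_secret="") -> bool:
    # Provider-side check: recompute the signature and compare in constant time. iGoogle
    # signs the same base string with RSA-SHA1 and its private key; that variant is checked
    # against the consumer's public key instead of a shared secret (not shown here).
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Sample request: the HMAC-SHA1 example from Appendix A of the OAuth Core 1.0 specification.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_PARAMS = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
               "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
               "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
               "oauth_signature": "tR3+Ty81lMeYAr/Fid0kMTYa/WM="}
SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
```

A real provider additionally rejects replayed nonces and stale timestamps; the signature check alone does not stop a captured request from being resent.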



 


OAuth Provider




Now let's create an OAuth Provider which runs on NetWeaver CE 7.2. To do this I used the example provider which is freely available at Google Code: http://code.google.com/p/oauth/


You can download example code for almost every platform, but of course we use the Java version, and more specifically the web provider version. This web application consists of:



    1. SampleOAuthProvider (core Java class for the OAuth Provider)
    2. Servlets (RequestTokenServlet, AuthorizationServlet and AccessTokenServlet, the 3 servlets which the consumer communicates with)
    3. JSP files (JSP pages for authorization)




You can download the necessary files at:

            http://oauth.googlecode.com/svn/code/java/example/oauth-provider/src/ and
            http://oauth.googlecode.com/svn/code/java/example/oauth-provider/web/




            We will continue with the same Web Module Project as used in iGoogle Gadget (featuring UWL,BPM,JSON & OAuth) - Part 1 of this blog and extend this web application with OAuth functionality.




            From the oauth-provider\web directory copy all files and directories to the WebContent directory. The current web.xml can be overwritten because we don't need the Test Servlet anymore.

            From the oauth-provider\src\net directory copy all files and directories to the source directory of the project.




            First we will refactor the SampleOAuthProvider class to UWLTaskOAuthProvider. Right-click on the file name and select Refactor-> Rename. Fill in the new name and click Finish.




         


In the same directory as the UWLTaskOAuthProvider you will find a resource file: provider.properties. This file is used by the OAuth provider to handle multiple consumer apps. We will add the specific properties needed for our iGoogle Gadget:


www.google.com=mySecret
www.google.com.description=iGoogle
www.google.com.callbackURL=http://oauth.gmodules.com/gadgets/oauthcallback
www.google.com.RSA-SHA1.PublicKey=-----BEGIN CERTIFICATE----- [base64 body of Google's certificate omitted here] -----END CERTIFICATE-----



The public RSA-SHA1 key from Google is added because iGoogle uses the RSA-SHA1 signature method for signing the requests. Usually the provider should provide such a key, but to make it easy we use the default one provided by Google.

          This way we don't have to do a manual registration of our Gadget with Google. For more info see http://code.google.com/intl/nl/apis/gadgets/docs/oauth.html
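The consumer registration above is what the provider consults to decide whose secret or public key verifies a request and where the user may be redirected afterwards. As an added illustration (not code from the blog or from the Google example provider), the following parses the provider.properties layout shown above into consumer records and checks a requested callback against the registered callbackURL; the properties text is constructed here and the certificate value is a placeholder, not a real key.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Attribute suffixes used in the properties file; a key without one is the consumer key itself.
SUFFIXES = {".description": "description", ".callbackURL": "callback_url",
            ".RSA-SHA1.PublicKey": "public_key_pem"}

@dataclass
class Consumer:
    key: str
    secret: str = ""
    description: str = ""
    callback_url: str = ""
    public_key_pem: str = ""

def parse_provider_properties(text: str) -> dict:
    # Consumer keys such as www.google.com contain dots themselves, so the attribute is
    # recognised by its known suffix rather than by splitting the key on a dot.
    consumers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")  # base64 '=' padding stays in the value
        key, value = key.strip(), value.strip()
        for suffix, attr in SUFFIXES.items():
            if key.endswith(suffix):
                consumer_key = key[:-len(suffix)]
                setattr(consumers.setdefault(consumer_key, Consumer(consumer_key)), attr, value)
                break
        else:
            consumers.setdefault(key, Consumer(key)).secret = value
    return consumers

def callback_allowed(consumer: Consumer, requested: str) -> bool:
    # Only redirect the user to the callback registered for this consumer: scheme, host,
    # port and path must match the registered URL; only the query string may differ.
    if not consumer.callback_url:
        return False
    want, got = urlsplit(consumer.callback_url), urlsplit(requested)
    return (want.scheme.lower(), want.netloc.lower(), want.path) == \
           (got.scheme.lower(), got.netloc.lower(), got.path)

# Constructed provider.properties content; the certificate value is a placeholder, not a key.
SAMPLE_PROPERTIES = """# iGoogle gadget consumer
www.google.com=mySecret
www.google.com.description=iGoogle
www.google.com.callbackURL=http://oauth.gmodules.com/gadgets/oauthcallback
www.google.com.RSA-SHA1.PublicKey=-----BEGIN CERTIFICATE-----PLACEHOLDER-----END CERTIFICATE-----
"""
```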


         

Summary


         

What we created is a simple OAuth Provider, which stores the username/password in memory (a HashSet in the UWLTaskOAuthProvider). So after restarting or redeploying the web application these values are gone. A nicer option would be to persist these values, for example in a database.




The main functionality of the OAuth Provider consists of the following resources:

    1. UWLTaskOAuthProvider.java (central class for the OAuth Provider)
    2. RequestTokenServlet.java (servlet used for getting the Request Token, see step 1 in the OAuth flow diagram)
    3. AuthorizationServlet.java (servlet used for Authorization, see step 4 in the OAuth flow diagram)
    4. AccessTokenServlet.java (servlet used for getting the Access Token, see step 7 in the OAuth flow diagram)
    5. UWLTasksServlet.java (servlet for retrieving the UWL Tasks, see step 9 in the OAuth flow diagram)



In the final blog the iGoogle Gadget will be created which will act as the OAuth Consumer to show the Tasks to the user in the iGoogle page.