[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing
[ https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17205773#comment-17205773 ]

Michael Vorburger commented on FINERACT-1145:
---------------------------------------------

https://github.com/apache/fineract/blob/develop/docs/deployment/oauth.md

> OAuth Support documentation is missing
> --------------------------------------
>
>                 Key: FINERACT-1145
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1145
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Security
>            Reporter: Michael Vorburger
>            Assignee: Michael Vorburger
>            Priority: Major
>             Fix For: 1.5.0
>
>
> We have a number of open issues related to apparent OAuth support in Fineract.
> There is 0 documentation available on the Apache Fineract project [Git repo|https://github.com/apache/fineract/search?q=oauth&unscoped_q=oauth] or [Wiki|https://cwiki.apache.org/confluence/dosearchsite.action?cql=siteSearch+~+%22oauth%22+and+space+%3D+%22FINERACT%22+and+type+in+(%22space%22%2C%22user%22%2C%22page%22%2C%22blogpost%22%2C%22attachment%22%2C%22com.atlassian.confluence.plugins.confluence-mail-archiving%3Amail%22)&queryString=oauth].
> (One can "deduct" that it can be activated by {{-Psecurity=oauth}} at build - but then what?)
> IMHO it would be valuable both for end users deployment, integrators and new and old contributors to the project to have this feature documented.
> So the goal of this issue is to have comprehensive documentation about Fineract's OAuth support in [https://github.com/apache/fineract/tree/develop/docs/deployment/security.md].
> This feature may (apparently?) actually currently be broken on the develop branch as of today (and in 1.4.0), see FINERACT-1144, but that shouldn't stop someone from contributing documentation of how it should work. That documentation should be able to be followed e.g. on 1.2.0 or 1.3.0 (but I think that's broken due to FINERACT-755, so build 1.3.1 from git).
> [~saransh] or [~aleks] or [~avikganguly010] or [~josenavarro] would any of you like to contribute such documentation to this wonderful project?
> PS: Once there is documentation, someone could then build an IT - that's unlocking FINERACT-1143.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing
[ https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193887#comment-17193887 ]

Michael Vorburger commented on FINERACT-1145:
---------------------------------------------

https://github.com/apache/fineract/pull/1321
[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing
[ https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193883#comment-17193883 ]

Michael Vorburger commented on FINERACT-1145:
---------------------------------------------

So yeah this seems to actually work:
{code:sh}
curl --location --request GET 'https://localhost:8443/fineract-provider/api/v1/clients' \
  --header 'Fineract-Platform-TenantId: default' \
  --header 'Authorization: bearer RzfUyQ0wEnxxq4PyFCF1J-XGFCI'
{code}
[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing
[ https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193860#comment-17193860 ]

Michael Vorburger commented on FINERACT-1145:
---------------------------------------------

Due to FINERACT-629, we should use (and document) only the form where secrets aren't passed in the URL, like this:
{code:sh}
curl --location --request POST 'https://localhost:8443/fineract-provider/api/oauth/token' \
  --header 'Fineract-Platform-TenantId: default' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=mifos' \
  --data-urlencode 'password=password' \
  --data-urlencode 'client_id=community-app' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_secret=123'
{code}
Note that this must be using {{x-www-form-urlencoded}}, as {{form-data}} encoded POST doesn't work, and also does NOT support JSON in the request body, like {{/api/v1/authentication}}:
{code:json}
{"username": "mifos","password": "password"}
{code}
> What does one now do with this?
{quote}3) The HTTP bearer Auth key is used in all subsequent requests (see the function executeAjaxRequest below).
{quote}
The documentation about this should probably also speak about the {{oauth_client_details}} table, see [https://github.com/apache/fineract/blob/1.4.0/fineract-provider/src/main/resources/sql/migrations/core_db/V273__oauth_changes.sql] (but note [https://github.com/apache/fineract/blob/1.4.0/fineract-provider/src/main/resources/sql/migrations/core_db/V353__migrate_passwords_to_ss_5.sql])

From what I can tell, our new Swagger Client may also support OAuth? It would be nice to document that as well (if it works).
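One practical reason to avoid the URL form of the token request shown in this thread is that query strings are written to web-server and proxy access logs, which leaves `password` and `client_secret` on disk. The following is an added example, not part of the original thread or of Fineract: it scans access-log lines for token requests that carried secrets in the URL and redacts them. The combined log format, the sample lines and the helper names `scan_line` and `scan_log` are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Token endpoint path taken from the curl commands in this thread.
TOKEN_PATH = "/fineract-provider/api/oauth/token"
# Grant parameters that must only travel in the request body.
SECRET_PARAMS = {"password", "client_secret", "refresh_token"}
# Request field of a common/combined-format access log (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; credentials are the demo values quoted in the thread.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Sep/2020:12:00:01 +0000] "POST /fineract-provider/api/oauth/token'
    '?username=mifos&password=password&client_id=community-app&grant_type=password'
    '&client_secret=123 HTTP/1.1" 200 148',
    '127.0.0.1 - - [10/Sep/2020:12:00:05 +0000] "POST /fineract-provider/api/oauth/token HTTP/1.1" 200 148',
    '127.0.0.1 - - [10/Sep/2020:12:00:09 +0000] "GET /fineract-provider/api/v1/clients HTTP/1.1" 200 2301',
]


def scan_line(line):
    """Return (leaked_parameter_names, redacted_line) for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return [], line
    parts = urlsplit(match.group("target"))
    if parts.path != TOKEN_PATH or not parts.query:
        return [], line
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({key for key, _ in pairs if key.lower() in SECRET_PARAMS})
    if not leaked:
        return [], line
    redacted = urlencode(
        [(key, "REDACTED" if key.lower() in SECRET_PARAMS else value) for key, value in pairs]
    )
    start, end = match.span("target")
    return leaked, line[:start] + parts.path + "?" + redacted + line[end:]


def scan_log(lines):
    """Return [(line_number, leaked_names, redacted_line)] for offending lines only."""
    results = ((n, *scan_line(line)) for n, line in enumerate(lines, start=1))
    return [r for r in results if r[1]]


if __name__ == "__main__":
    for number, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: secrets in URL: {', '.join(leaked)}\n  {redacted}")
```

Only the first sample line is flagged; the form-encoded POST and the bearer-authenticated API call leave nothing sensitive in the request line.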
[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing
[ https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193849#comment-17193849 ]

Michael Vorburger commented on FINERACT-1145:
---------------------------------------------

So on [https://demo.fineract.dev/fineract-provider/api-docs/apiLive.htm] there is a link to [https://github.com/openMF/mifosx/wiki/Launching-platform-server-locally-from-the-command-line#choosing-authentication-mechanism] that mentions {{-Psecurity=oauth}}.

On [https://demo.fineract.dev/fineract-provider/api-docs/apiLive.htm#authentication_oauth] there's also a JavaScript example, and this actually seems to work:
{code:sh}
$ ./gradlew bootRun -Psecurity=oauth
$ curl --insecure --location --request POST 'https://localhost:8443/fineract-provider/api/oauth/token?username=mifos&password=password&client_id=community-app&grant_type=password&client_secret=123' --header 'Fineract-Platform-TenantId: default'
{code}
returns:
{code:json}
{"access_token":"Pxb0mJ-u69NRqiu837biXqhZyx4","token_type":"bearer","refresh_token":"iNZEsSN8jvS-pBpk5zzU5akQHpo","expires_in":3410,"scope":"all"}
{code}
What does one now do with this?

PS: Invoking {{/fineract-provider/api/oauth/token}} without -Psecurity=oauth causes FINERACT-1146.