[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing

2020-10-01 Thread Michael Vorburger (Jira)


[ 
https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17205773#comment-17205773
 ] 

Michael Vorburger commented on FINERACT-1145:
-

https://github.com/apache/fineract/blob/develop/docs/deployment/oauth.md

> OAuth Support documentation is missing 
> ---
>
> Key: FINERACT-1145
> URL: https://issues.apache.org/jira/browse/FINERACT-1145
> Project: Apache Fineract
> Issue Type: Bug
> Components: Security
> Reporter: Michael Vorburger
> Assignee: Michael Vorburger
> Priority: Major
> Fix For: 1.5.0
>
>
> We have a number of open issues related to apparent OAuth support in Fineract.
> There is 0 documentation available on the Apache Fineract project [Git 
> repo|https://github.com/apache/fineract/search?q=oauth&unscoped_q=oauth] or 
> [Wiki|https://cwiki.apache.org/confluence/dosearchsite.action?cql=siteSearch+~+%22oauth%22+and+space+%3D+%22FINERACT%22+and+type+in+(%22space%22%2C%22user%22%2C%22page%22%2C%22blogpost%22%2C%22attachment%22%2C%22com.atlassian.confluence.plugins.confluence-mail-archiving%3Amail%22)&queryString=oauth].
> (One can "deduct" that it can be activated by {{-Psecurity=oauth}} at build - but then what?)
> IMHO it would be valuable both for end users deployment, integrators and new 
> and old contributors to the project to have this feature documented.
> So the goal of this issue is to have comprehensive documentation about 
> Fineract's OAuth support in 
> [https://github.com/apache/fineract/tree/develop/docs/deployment/security.md].
> This feature may (apparently?) actually currently be broken on the develop 
> branch as of today (and in 1.4.0), see FINERACT-1144, but that shouldn't 
> stop someone from contributing documentation of how it should work. That 
> documentation should be able to be followed e.g. on 1.2.0 or 1.3.0 (but I 
> think that's broken due to FINERACT-755, so build 1.3.1 from git).
> [~saransh] or [~aleks] or [~avikganguly010] or [~josenavarro] would any of 
> you like to contribute such documentation to this wonderful project?
> PS: Once there is documentation, someone could then build an IT - that's 
> unlocking FINERACT-1143.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing

2020-09-10 Thread Michael Vorburger (Jira)


[ 
https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193887#comment-17193887
 ] 

Michael Vorburger commented on FINERACT-1145:
-

https://github.com/apache/fineract/pull/1321



[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing

2020-09-10 Thread Michael Vorburger (Jira)


[ 
https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193883#comment-17193883
 ] 

Michael Vorburger commented on FINERACT-1145:
-

So yeah this seems to actually work:

{code:sh}
curl --location --request GET 'https://localhost:8443/fineract-provider/api/v1/clients' \
--header 'Fineract-Platform-TenantId: default' \
--header 'Authorization: bearer RzfUyQ0wEnxxq4PyFCF1J-XGFCI'
{code}



[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing

2020-09-10 Thread Michael Vorburger (Jira)


[ 
https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193860#comment-17193860
 ] 

Michael Vorburger commented on FINERACT-1145:
-

Due to FINERACT-629, we should use (and document) only the form where secrets 
aren't passed in the URL, like this:
{code:sh}
curl --location --request POST 'https://localhost:8443/fineract-provider/api/oauth/token' \
--header 'Fineract-Platform-TenantId: default' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=mifos' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id=community-app' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_secret=123'
{code}
Note that this must be using {{x-www-form-urlencoded}}, as {{form-data}} 
encoded POST doesn't work, and also does NOT support JSON in the request body, 
like {{/api/v1/authentication}}:
{code:json}
{"username": "mifos","password": "password"}{code}
> What does one now do with this?
{quote}3) The HTTP bearer Auth key is used in all subsequent requests (see the 
function executeAjaxRequest below).
{quote}
The documentation about this should probably also speak about the 
{{oauth_client_details}} table, see 
[https://github.com/apache/fineract/blob/1.4.0/fineract-provider/src/main/resources/sql/migrations/core_db/V273__oauth_changes.sql]
(but note 
[https://github.com/apache/fineract/blob/1.4.0/fineract-provider/src/main/resources/sql/migrations/core_db/V353__migrate_passwords_to_ss_5.sql])

From what I can tell, our new Swagger Client may also support OAuth? It would 
be nice to document that as well (if it works).

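The two steps described in this message and its follow-up (token request with the credentials in the form body, then the bearer header on API calls), chained in one script. This is an added example, not part of the original messages or of the Fineract project; the function names are hypothetical, and the host, tenant, user and client values are the local development ones quoted in the thread.

```shell
#!/bin/sh
# Added example: password-grant token request with credentials in the
# x-www-form-urlencoded body, followed by a bearer-authenticated API call.
# Defaults are the local dev values from the thread (assumptions elsewhere).
BASE_URL="${BASE_URL:-https://localhost:8443/fineract-provider/api}"
TENANT="${TENANT:-default}"
# --insecure is only for the self-signed certificate of a local dev server;
# set TLS_OPT to an empty string anywhere else.
TLS_OPT="${TLS_OPT---insecure}"

# Print one string field of a flat, single-line JSON object read from stdin.
json_field() {
  sed -n 's/.*"'"$1"'":"\([^"]*\)".*/\1/p'
}

# Succeed (0) if the URL carries a credential-looking query parameter.
url_has_secret() {
  printf '%s' "$1" | grep -Eq '[?&](password|client_secret|access_token)='
}

# POST the grant; username, password, client id and client secret are $1..$4.
request_token() {
  url="$BASE_URL/oauth/token"
  if url_has_secret "$url"; then echo "secret in URL: refusing" >&2; return 2; fi
  curl --silent --show-error --fail $TLS_OPT --location --request POST "$url" \
    --header "Fineract-Platform-TenantId: $TENANT" \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "username=$1" \
    --data-urlencode "password=$2" \
    --data-urlencode "client_id=$3" \
    --data-urlencode "client_secret=$4" \
    --data-urlencode 'grant_type=password'
}

# GET an API path ($1) using the access token ($2) as the bearer credential.
api_get() {
  if url_has_secret "$BASE_URL$1"; then echo "secret in URL: refusing" >&2; return 2; fi
  curl --silent --show-error --fail $TLS_OPT --location --request GET "$BASE_URL$1" \
    --header "Fineract-Platform-TenantId: $TENANT" \
    --header "Authorization: bearer $2"
}

# Run as "script.sh run" against a server started with -Psecurity=oauth.
if [ "${1:-}" = "run" ]; then
  token=$(request_token mifos password community-app 123 | json_field access_token)
  api_get /v1/clients "$token"
fi
```
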


[jira] [Commented] (FINERACT-1145) OAuth Support documentation is missing

2020-09-10 Thread Michael Vorburger (Jira)


[ 
https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193849#comment-17193849
 ] 

Michael Vorburger commented on FINERACT-1145:
-

So on [https://demo.fineract.dev/fineract-provider/api-docs/apiLive.htm] there 
is a link to 
[https://github.com/openMF/mifosx/wiki/Launching-platform-server-locally-from-the-command-line#choosing-authentication-mechanism]
 that mentions {{-Psecurity=oauth}}.

On 
[https://demo.fineract.dev/fineract-provider/api-docs/apiLive.htm#authentication_oauth]
 there's also a JavaScript example, and this actually seems to work:
{code:sh}
$ ./gradlew bootRun -Psecurity=oauth
$ curl --insecure --location --request POST \
'https://localhost:8443/fineract-provider/api/oauth/token?username=mifos&password=password&client_id=community-app&grant_type=password&client_secret=123' \
--header 'Fineract-Platform-TenantId: default'
{code}
returns:
{code:json}
{"access_token":"Pxb0mJ-u69NRqiu837biXqhZyx4","token_type":"bearer","refresh_token":"iNZEsSN8jvS-pBpk5zzU5akQHpo","expires_in":3410,"scope":"all"}{code}
What does one now do with this?

PS: Invoking {{/fineract-provider/api/oauth/token}} without 
-Psecurity=oauth causes FINERACT-1146.
