11-23-2009, 09:11 AM
Project Contributor
Posts: 92
Sample OAuth Provider Extension for ZCS6.0
Hi all.
I want to share the output from my little personal project with you.
The project's goal is to make Zimbra Server "OAuth"able, which means you can use it as an OAuth provider by using the output.
Thanks to the Java OAuth library (oauth - Revision 1143: /code/java), I have got a Zimbra Extension working.
Before deployment, please read through the README.txt file,
which describes the requirements, deployment steps and limitations.
I am very happy to have your feedback, your questions and some discussion with you.
NOTE: This extension is tested only on 6.0.1_GA_1816.MACOSXx86_10.5 FOSS edition with OAuth signpost (oauth-signpost - Project Hosting on Google Code).
Thank you
Last edited by yutaka; 11-23-2009 at 09:33 AM..
Reason: fixed spell
02-06-2010, 07:51 PM
Project Contributor
Posts: 92
Update for OOB support
I have updated OAuth Provider Extension for OOB support.
You can get this updated version from the attached zip file and also from
the github url below. bucchi's zmoauthprovext at v0.2 - GitHub
Please check this out!
02-07-2010, 07:32 AM
Zimlet Guru & Moderator
Posts: 467
Interesting. I have not looked at OAuth versus OpenID recently. I really would like to play with this for a while.
03-03-2010, 10:59 PM
Zimbra Employee
Posts: 70
You mentioned that the goal of your project is to make zimbra server "oauthable". Can you explain the use case your project tries to solve? Also, it would be great if you could elaborate the demo steps.
Thanks!
03-07-2010, 05:17 PM
Project Contributor
Posts: 92
About the use case,
the OAuth spec below could help you. OAuth Core 1.0a
It says
Quote: "An example use case is allowing printing service printer.example.com (the Consumer), to access private photos stored on photos.example.net (the Service Provider) without requiring Users to provide their photos.example.net credentials to printer.example.com."
With this OAuth Provider Extension, Zimbra Server can serve as the Service Provider.
So let's say you have a Portal service. The Portal service, as the Consumer, could get some info from the Zimbra server for you with the OAuth protocol. And you do not have to tell your Zimbra credentials to the Portal service.
This is just an example. Maybe there could be better examples.
But I hope it will help you.
03-10-2010, 03:42 AM
Zimbra Employee
Posts: 70
I got that part. What I was more interested in is more details about how to deploy your project. Also, a set of instructions on how to demo to someone would be very useful.
Thanks!
03-20-2010, 11:49 PM
Project Contributor
Posts: 92
Hi vmahajan,
I am very sorry for replying late. I could not find the time for that.
About how to deploy, here is the part from README.txt, which is included in the attached file above and also in http://github.com/bucchi/zmoauthprovext/tree/v0.2:
Quote:
How to deploy:
--------------
-Step1, create "sampleoauthprov" directory under /opt/zimbra/lib/ext
-Step2, put "oauth-1.4.jar" to the directory /opt/zimbra/lib and /opt/zimbra/
-Step3, put "authorize.jsp" file to /opt/zimbra/jetty/webapps/zimbra/public directory
-Step4, add localconfig below using zmlocalconfig:
    oauth_consumerDescription_<consumer's key> = <consumer's description>
    oauth_consumerKey_<consumer's key> = <consumer's key>
    oauth_consumerSecret_<consumer's key> = <consumer's secret>
  and modify zimbra_auth_provider like below:
    zimbra_auth_provider = zimbra,oauth
-Step5, restart zimbraStore: zmmailboxdctl restart
-Step6, make your consumer app get access to /service/extension/oauth/req_token for request token,
  and /service/extension/oauth/access_token for access token.
  For authorization, use /service/extension/oauth/authorization.

(*) About oauth-1.4.jar in Step2, you can get the source code from oauth - Revision 1179: /code/java and build that.
Or you can get the jar file from the first attachment file above.
(The second one does not have it.)
For the deployment, this is pretty much everything I have right now.
So let me know if you want more.
What kinds of info do you need other than this?
Thanks,
03-23-2010, 12:37 AM
Zimbra Employee
Posts: 70
In Step 6, can you include some sample request messages that the consumer app sends for request token, access token, and authorization? Thanks.
03-24-2010, 10:21 AM
Project Contributor
Posts: 92
Here is the consumer web app's snippet I have used for testing;
At first, you get the signpost jar file below and import some classes to your test web app. oauth-signpost - Project Hosting on Google Code
Quote:
    import java.net.HttpURLConnection;
    import java.net.URL;
    import javax.servlet.http.HttpSession;
    import oauth.signpost.OAuth;
    import oauth.signpost.OAuthConsumer;
    import oauth.signpost.OAuthProvider;
    import oauth.signpost.basic.DefaultOAuthProvider;
    import oauth.signpost.http.HttpRequest;
    import oauth.signpost.basic.HttpRequestAdapter;
    import oauth.signpost.jetty.JettyOAuthConsumer;
    import oauth.signpost.signature.OAuthMessageSigner;
    import oauth.signpost.signature.SignatureMethod;

In your test servlet's doGet, you check if the request parameter includes "oauth_token" or not.
If it doesn't
Quote:
    // No oauth_token yet: fetch a request token and send the user to the authorization page.
    HttpSession hs = request.getSession(true);
    OAuthConsumer consumer = new JettyOAuthConsumer(CONSUMER_KEY,
        CONSUMER_SECRET, SignatureMethod.HMAC_SHA1);
    OAuthProvider provider = new DefaultOAuthProvider(consumer,
        BASE_ENDPOINT_URL+REQUEST_TOKEN_ENDPOINT_URL, BASE_ENDPOINT_URL+ACCESS_TOKEN_ENDPOINT_URL,
        BASE_ENDPOINT_URL+AUTHORIZE_WEBSITE_URL);
    String url = provider.retrieveRequestToken(CALLBACK_URL);
    // Keep the provider (and its request token) for the callback request.
    hs.setAttribute("provider", provider);
    response.sendRedirect(url);

If it does
Quote:
    // Callback from the authorization page: exchange the verifier for an access token.
    HttpSession hs = request.getSession(false);
    OAuthProvider provider = (OAuthProvider)hs.getAttribute("provider");
    String oaverifier = request.getParameter("oauth_verifier");
    provider.retrieveAccessToken(oaverifier);
    // Sign a request for the protected resource with the access token.
    HttpURLConnection connection = (HttpURLConnection) new URL("http://<your zimbra server>/service/home/<user name>@<your domain name>/inbox.rss").openConnection();
    connection.setRequestMethod("GET");
    HttpRequest req = new HttpRequestAdapter(connection);
    provider.getConsumer().sign(req);
    connection.connect();

Note:
+This app is for Jetty.
+REQUEST_TOKEN_ENDPOINT_URL = "/req_token";
+ACCESS_TOKEN_ENDPOINT_URL = "/access_token";
+AUTHORIZE_WEBSITE_URL = "/authorization";
I hope it will help you.
And maybe I will also include a consumer app sample like the above in the next version of OAuth Provider Extension.
04-09-2010, 04:27 AM
Zimbra Employee
Posts: 70
I tried using your oauth provider extension. It worked till the point where I get the access token and secret. But when I try to access the protected resource using this access token I get a signature invalid exception.
Here's the code I use to get the access token:
    OAuthConsumer consumer = new DefaultOAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET);
    OAuthProvider provider = new DefaultOAuthProvider(REQUEST_TOKEN_ENDPOINT_URL,
        ACCESS_TOKEN_ENDPOINT_URL,
        AUTHORIZE_WEBSITE_URL);
    // Out-of-band flow: print the authorization URL and read the verification code from stdin.
    String userAuthzUrl = provider.retrieveRequestToken(consumer, OAuth.OUT_OF_BAND);
    System.out.println(userAuthzUrl);
    Scanner scanner = new Scanner(System.in);
    System.out.println("Verification code: ");
    provider.retrieveAccessToken(consumer, scanner.nextLine());
And here's the code to access the protected resource:
    OAuthConsumer consumer = new DefaultOAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET);
    // use the access token obtained above
    consumer.setTokenWithSecret("2110f8fea7c799cecfa5ce931206e589", "38a4114222a2c2417a4bda12027f7634");
    URL protRscUrl = new URL("http://localhost:4444/home/user1/inbox.rss");
    HttpURLConnection connection = (HttpURLConnection) protRscUrl.openConnection();
    consumer.sign(connection);
    connection.connect();
    connection.getInputStream();
The exception I get is:
    net.oauth.OAuthProblemException: signature_invalid
from SimpleOAuthRevAValidator.validateSignature() method.
Any idea why I am getting this error?
Thanks!
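
An added example, not part of any post above and not code from the extension or from signpost: how an OAuth 1.0a HMAC-SHA1 signature is derived from the method, the normalized URL and the parameters, which is why a provider reports signature_invalid whenever the URL it reconstructs differs from the one the consumer signed. The consumer key, secrets, nonce and timestamp are constructed, and the last URL is an assumed rewritten form; the sketch expects any query parameters to be passed in the map and does not handle repeated parameter names.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class OAuth1SignatureCheck {
    // OAuth 1.0a percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped (URLEncoder is form-encoding).
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Signed URL: lowercase scheme and host, default port dropped, query string excluded.
    static String baseUrl(String url) {
        URI u = URI.create(url);
        String scheme = u.getScheme().toLowerCase();
        int port = u.getPort();
        boolean dflt = port == -1 || (scheme.equals("http") && port == 80) || (scheme.equals("https") && port == 443);
        return scheme + "://" + u.getHost().toLowerCase() + (dflt ? "" : ":" + port) + u.getRawPath();
    }
    // METHOD & encoded URL & encoded, sorted parameter list (oauth_signature itself is never included).
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        StringBuilder q = new StringBuilder();
        sorted.forEach((k, v) -> q.append(q.length() == 0 ? "" : "&").append(k).append('=').append(v));
        return method.toUpperCase() + "&" + enc(baseUrl(url)) + "&" + enc(q.toString());
    }
    // HMAC key is "consumerSecret&tokenSecret"; the token secret is empty for the request-token call.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values; the keys, secrets, nonce and timestamp are not from the thread.
        Map<String, String> p = Map.of("oauth_consumer_key", "example-consumer",
                "oauth_token", "example-token", "oauth_nonce", "n0nce", "oauth_timestamp", "1270787220",
                "oauth_signature_method", "HMAC-SHA1", "oauth_version", "1.0");
        String sent = sign(baseString("GET", "http://localhost:4444/home/user1/inbox.rss", p), "cs", "ts");
        // What a provider would recompute: the same URL in another case, then an assumed rewritten URL.
        String same = sign(baseString("get", "HTTP://LOCALHOST:4444/home/user1/inbox.rss", p), "cs", "ts");
        String moved = sign(baseString("GET", "http://localhost/service/home/user1/inbox.rss", p), "cs", "ts");
        System.out.println("case-only difference verifies: " + MessageDigest.isEqual(sent.getBytes(), same.getBytes()));
        System.out.println("rewritten URL verifies: " + MessageDigest.isEqual(sent.getBytes(), moved.getBytes()));
    }
}
```

Printing the base string on the consumer side and logging it on the provider side is the quickest way to see which component differs; the comparison uses MessageDigest.isEqual because a provider should compare signatures in constant time.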