gancio-upstream/docs/dev/oauth.md

---
layout: default
title: OAuth
permalink: /dev/oauth
parent: Hacking
nav_order: 4
---

> error "BETA FEATURE"
> Expect bad behavior and open [issues](https://framagit.org/les/gancio/issues)

## OAuth
{: .no_toc }
An open standard for token-based authentication and authorization on the Internet.

Gancio supports OAuth 2.0, an authorization framework described in [RFC 6749](https://tools.ietf.org/html/rfc6749) that allows third-party applications to obtain limited access to an HTTP service on behalf of a resource owner, through the use of a standardized authorization flow that generates a client access token to be used with HTTP requests.

To obtain an OAuth token for a Gancio instance, make sure that you allow your users to specify the domain they want to connect to before login. Use that domain to [acquire a client id/secret](#create-client) and then proceed with normal OAuth 2.

---

## Create client
Create a new application to obtain OAuth2 credentials.

POST
{: .label .label-yellow }
`/api/client`


#### Request parameters

| client_name | `string` | A name for your application |
| redirect_uris | `string` | Where the user should be redirected after authorization |
| scopes | `string` | Space separated list of scopes. If none is provided, defaults to `event:write` as it's the only supported scope!|
| website | `string` | A URL to the homepage of your app |

#### Example
```bash
curl -X POST \
        -d 'client_name=Wordpress Event Manager' \
        -d 'redirect_uris=https://noblogs.org/' \
        -d 'website=https://myapp.example' \
        http://localhost:13120/api/client
```

#### Returns
Application, with `client_id` and `client_secret`

```json
{
   "name" : "Wordpress Event Manager",
   "scopes" : "event:write",
   "website" : "https://myapp.example",
   "client_secret" : "909029fa12797e6bdfb5baf5e379675dfa4e3ad4",
   "redirect_uris" : "https://noblogs.org",
   "client_id" : "0f377e34b2aaf517f7db534f32d26b0dd938fb6d"
}
```

#### List of scopes
- `event:write`  
Grant access to add/update events.

## Authorize a user
Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired `redirect_uri`. 
The authorization code can be used while requesting a token to obtain access to user-level methods.

[![/assets/thumbs/oauth_auth.png](/assets/thumbs/oauth_auth.png)](/assets/oauth_auth.png){: data-fancybox="group" data-caption="OAuth authorization form"}


GET
{: .label .label-green}
`/authorize`

#### Request parameters

| response_type | `string` | Should be set equal to `code` |
| redirect_uri | `string` | Where the user should be redirected after authorization |
| scope | `string` | Should be `event:write`|
| client_id | `string` | `client_id`, obtained during app registration. |


## Obtain a token

POST
{: .label .label-yellow }
`/oauth/token`


#### Request parameters

| client_id | `string` | `client_id` obtained during [client registration](#create-client) |
| client_secret | `string` | `client_secret` obtained during [client registration](#create-client) |
| scope | `string` | Should be `event:write`|
| grant_type | `string` | Set equal to `authorization_code` |
| code | `string` | A user authorization code, obtained via [/authorize](#authorize-a-user) |
[doc] oauth 2020-01-21 01:25:09 +01:00			`---`
			`layout: default`
			`title: OAuth`
[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			`permalink: /dev/oauth`
			`parent: Hacking`
			`nav_order: 4`
[doc] oauth 2020-01-21 01:25:09 +01:00			`---`

[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			`> error "BETA FEATURE"`
			`> Expect bad behavior and open [issues](https://framagit.org/les/gancio/issues)`

[doc] oauth 2020-01-21 01:25:09 +01:00			`## OAuth`
			`{: .no_toc }`
			`An open standard for token-based authentication and authorization on the Internet.`

			`Gancio supports OAuth 2.0, an authorization framework described in [RFC 6749](https://tools.ietf.org/html/rfc6749) that allows third-party applications to obtain limited access to an HTTP service on behalf of a resource owner, through the use of a standardized authorization flow that generates a client access token to be used with HTTP requests.`

			`To obtain an OAuth token for a Gancio instance, make sure that you allow your users to specify the domain they want to connect to before login. Use that domain to [acquire a client id/secret](#create-client) and then proceed with normal OAuth 2.`

[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			`---`

[doc] oauth 2020-01-21 01:25:09 +01:00			`## Create client`
			`Create a new application to obtain OAuth2 credentials.`

			`POST`
			`{: .label .label-yellow }`
			`/api/client`


			`#### Request parameters`

			\| client_name \| `string` \| A name for your application \|
more on oauth 2020-01-21 17:33:33 +01:00			\| redirect_uris \| `string` \| Where the user should be redirected after authorization \|
[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			\| scopes \| `string` \| Space separated list of scopes. If none is provided, defaults to `event:write` as it's the only supported scope!\|
[doc] oauth 2020-01-21 01:25:09 +01:00			\| website \| `string` \| A URL to the homepage of your app \|

			`#### Example`
			```bash
			`curl -X POST \`
			`-d 'client_name=Wordpress Event Manager' \`
more on oauth 2020-01-21 17:33:33 +01:00			`-d 'redirect_uris=https://noblogs.org/' \`
[doc] oauth 2020-01-21 01:25:09 +01:00			`-d 'website=https://myapp.example' \`
			`http://localhost:13120/api/client`
			```

			`#### Returns`
			Application, with `client_id` and `client_secret`

			```json
			`{`
			`"name" : "Wordpress Event Manager",`
[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			`"scopes" : "event:write",`
[doc] oauth 2020-01-21 01:25:09 +01:00			`"website" : "https://myapp.example",`
			`"client_secret" : "909029fa12797e6bdfb5baf5e379675dfa4e3ad4",`
more on oauth 2020-01-21 17:33:33 +01:00			`"redirect_uris" : "https://noblogs.org",`
[doc] oauth 2020-01-21 01:25:09 +01:00			`"client_id" : "0f377e34b2aaf517f7db534f32d26b0dd938fb6d"`
			`}`
			```

			`#### List of scopes`
[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			- `event:write`
[doc] oauth 2020-01-21 01:25:09 +01:00			`Grant access to add/update events.`

			`## Authorize a user`
			Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired `redirect_uri`.
			`The authorization code can be used while requesting a token to obtain access to user-level methods.`

[doc] minor 2020-01-21 22:36:32 +01:00			`[![/assets/thumbs/oauth_auth.png](/assets/thumbs/oauth_auth.png)](/assets/oauth_auth.png){: data-fancybox="group" data-caption="OAuth authorization form"}`
[doc] premonition, oauth 2020-01-21 22:14:46 +01:00

[doc] oauth 2020-01-21 01:25:09 +01:00			`GET`
			`{: .label .label-green}`
			`/authorize`

			`#### Request parameters`

			\| response_type \| `string` \| Should be set equal to `code` \|
			\| redirect_uri \| `string` \| Where the user should be redirected after authorization \|
[doc] premonition, oauth 2020-01-21 22:14:46 +01:00			\| scope \| `string` \| Should be `event:write`\|
			\| client_id \| `string` \| `client_id`, obtained during app registration. \|


			`## Obtain a token`

			`POST`
			`{: .label .label-yellow }`
			`/oauth/token`


			`#### Request parameters`

			\| client_id \| `string` \| `client_id` obtained during [client registration](#create-client) \|
			\| client_secret \| `string` \| `client_secret` obtained during [client registration](#create-client) \|
			\| scope \| `string` \| Should be `event:write`\|
			\| grant_type \| `string` \| Set equal to `authorization_code` \|
			\| code \| `string` \| A user authorization code, obtained via [/authorize](#authorize-a-user) \|

[doc] oauth 2020-01-21 01:25:09 +01:00