Servoy tech webinar series 13: Servoy and OAuth2
Good morning, good afternoon and good evening, wherever you are. I am Steve Portonoy from Servoy USA, and welcome to number 13 in the "30 minutes with Servoy" webinar tech series. Today is going to be great: we're going to talk about OAuth 2 and integration with Servoy.

Let me make a couple of announcements. The first announcement is Servoy World 2017, coming up in two short weeks from now in Amsterdam. There are still spots available, but they are running out quickly, so I urge you, if you've not already registered, to please do so. It's a great opportunity to have a little longer than 30 minutes with Servoy, let me tell you. Second, our next webinar will be on May 31st, in four weeks from now, because of Servoy World. So I just wanted to give everyone a heads-up that in two weeks there will not be one of these webinars. But again, if you come to Servoy World you get an extended webinar and then some. I think that's all the announcements we have. Let's hand this over to our good friend Sean.

Thanks, Steve. Just want to check real quick: my screen is visible? It is visible to me. Okay, and on that note, if anyone does have any questions, there is a questions panel. Please type your questions in there and then we'll try to get to the answers at the end of the webinar. I don't see anybody responding on that, so I'm going to assume that everyone can see the screen. Cool, okay. Yeah, Servoy World slides, obviously. Okay, tech webinar series: we are on number 13, which is great. We've gone every two weeks all year long, and we're going to keep going, except for the next one, as Steve mentioned, because we'll be at Servoy World. But we'll be right back after that. So last week we did WAR deployment. We try to mix in best practices, like doing WAR deployment, with updates about extensions such as web components and open source modules.
So today we have another open source update. This one is about OAuth for service integration. On our agenda, we're going to do two demos, one with a Google Calendar integration and one with a LinkedIn integration, and we're going to talk about OAuth, because you need OAuth to connect to services like that, but you may have only heard about it, and it helps to know a little bit about what's required. So demo time first, and then we'll look at slides.

I'm going to jump into Servoy Developer and launch the NG client. Okay, so we're going to start with Google Calendar. Now, I'll explain this in a minute, but I need a couple of things for my application to access anybody's calendar: I need an ID and a secret. So I'm going to go ahead and copy my ID from a text pad here, as well as my top-secret secret (I made it a password field). And I'm going to click this "load calendar events", and this is going to start the authorization flow for me, as a user, to access my calendar through this registered application. So this is the part where it passes off control to Google, basically, to say, okay, well, which one of these accounts do you want? I'll pick this one, and then it says this application called "Google APIs for Servoy" would like to, you know, and it says blah blah blah; in this case just manage your calendars. So I'm going to click allow, and what this is going to do is pass control back to my application with a token that can then be used for subsequent calls to do things like read the calendar events that I have as a user. So I click allow, and you can see that it received the verification code. "Now you may close this window." So I close the window, boom, back in Servoy, my calendar events are loaded. I put them in an in-memory data source and put them in a table component so that I could look at, you know, summary, start, etc. Okay, let's do a LinkedIn example.
It's very similar. I think it's worth pointing out that in some cases you can access, you know, your stuff from a service, but just OAuth itself: these platforms are so big, Google and LinkedIn and Facebook, etc., that they serve as authentication as a service. So just for an application to know who you are as a unique person, you can do that even if you're not doing other stuff. So again, I need my client ID and client secret, so I paste these in here. Okay, and "sign in with LinkedIn" again is passing off control to LinkedIn. I'm going to put in my email and my password, and again it's saying Servoy, that registered application, would like to access some of your LinkedIn info, and here's the three areas. These are called scopes, and I'll explain that in a minute. These are the three scopes that are being authorized: profile overview, email address, and the ability to share, comment and like. Okay, I'll click "allow access". Again, verification received; now I may close this window, and as I step back into Servoy you can see my smiling face and a bit of information from my LinkedIn profile. Okay, pretty simple demo.

Let's take a look at some of the code. Let's start with the Google Calendar integration. So here's my form. I entered in the client ID and secret, and I push this button and it loads the Google Calendar events. So let's start with the OAuth module that I've included inside this solution.
I have a module called scy oAuth, which is available on GitHub, and it has a single scope called scy oAuth, and it has some methods in there that we can work with. So the first thing I did is, well, I deleted the data that I had, in case I had already loaded it, in case I'm reloading it. Next I call get client, which is a method in my form which gets me an authorized client session. This is where I'm actually calling the API, the scy oAuth, and what it does is it creates an authorization request using a few key pieces of information which I've embedded as form variables: the authorization URI (we'll discuss that), the token URI (we'll discuss that), you saw the client ID and secret, and then the scopes, which in this case is just saying that I can access my calendar. So once you call execute, that's where it actually passes off control to the third-party auth server, and then once you're authorized it returns control back to here, and we have this thing, client, which is an authorized client.

So the next thing that I did in my load calendar events method, once I got my client, was I did an HTTP GET request on the events endpoint, which is here. This is part of the LinkedIn service, I'm sorry, Google Calendar service. So basically, now that I have an authorized HTTP client session, I can just do an HTTP GET using the token that was given to me. Of course, that's all abstracted by the API, and I can hit this URL and I can get a response. So if you look at what happens when I execute this, it returns a response object, and then I just get the string content here. I do a bit of JSON magic to parse it into an object, and I didn't put the full... it returns, you know, a bunch of stuff. I wanted to keep it simple, so I just did a summary, description, start and end. I think I didn't even put description on the table. So basically we parse that serialized JavaScript; we can rehydrate it into a JavaScript object, in this case an array of these events. And next is pretty easy.
It's just plain Servoy stuff. I iterate over those events in that object, in that array, and I am creating records in a foundset and saving them; in this case that's an in-memory data source. And then I print out a little bit; you can see "loaded 250 events". And then it pops up in my form. I had one utility method down here to parse the Google date-time string. So that's how that works.

The LinkedIn one is very similar. If I go into that... sorry, let's try... yeah. If I go into the example LinkedIn form, same sort of thing. I deleted my records first. I got my client. It's the exact same method, except the auth URI is now pointing to LinkedIn, the token URI is now pointing to LinkedIn, the endpoints here are LinkedIn targets, and the scopes you saw, the three things that it was asking: this application wants access to a basic profile, an email address and the ability to share. That's what these are here. So I've defined those all as sort of constants. So when I authorize my client, that's my session. Then what I do is I create a GET request and I execute it, same as before, and I parse the serialized JavaScript into an object; in this case I've got first name, last name, email address, my headline, the number of connections and my picture URL. All I do is pump those into a new record in my foundset. Again, this is an in-memory data source here, and I save it. I had the stuff hidden, so I made it visible after it created it. So that's why it showed up on the form after I was done authorizing.

Okay, so that's the code, that's the demo. Let's jump into the presentation again. We'll go over some of the concepts that we just saw, and we'll have time for questions, I think. So we'll do the who, what, when, where, why. What is OAuth? It is an industry standard protocol for authorizing one application to obtain information from another application.
It's also a developer specification for the flow of authorization. That's what allows us to write a generic connector for OAuth, and then we can talk to LinkedIn, Google, Twitter, GitHub, whatever it might be, any platform. So what can you do with it? Number one is it gives you secure programmatic access to the services on behalf of your user. So when I provided some of that information, it wasn't the user's information; it was my application's information, which allows any of my users to access their platform and return that information back into my application. So this is interoperability between two applications without really exposing... you're not giving your password, your LinkedIn password, to the Servoy application; you're authenticating on behalf of the Servoy application with LinkedIn. Finally, I like to emphasize the third point. It's not just about connecting to Google Calendar or to LinkedIn. More and more you're seeing applications where they do away with their own identity management system completely and they just outsource that to one of these really well-established platforms and use their identity. So you may see applications nowadays, a lot of times in consumer but now more and more in business applications, where, instead of getting you to a login page where they're doing username and password, it just says "login with LinkedIn", and you click a button, and then it goes to that same screen: you know, this application wants to access your profile. You say allow, and then it knows who you are; you've authenticated. It's secure, and they didn't have to write all of that tech themselves. They just outsourced it to LinkedIn.

So how does it work? It's pretty much a couple of redirects from servers. The first one is you go to your application, you say you want to authorize through LinkedIn, for example, and it forwards you to LinkedIn's auth server. Okay, so then you do your authorization there.
That's where you say yes, I allow this application to see my profile, and then it forwards you to their token server after you've granted permission, and you get a token. Then it redirects back to the client application, in this case the Servoy application, giving it the token, and then the client application can store that token however it wants, but it must issue it with each subsequent request. Eventually a token might expire; you have to refresh it or get a new one.

So you need a few things to get started. Every platform that supports OAuth 2 will give you the following. It'll have a published auth server URL; that shouldn't really change. It'll have a published token server URL. Then, when you register your application, you as a developer, with... or maybe it's not an application, but just a developer account with the platform, they'll give you two pieces of info: the client ID and the client secret. The ID just identifies your application in the platform, and the secret is basically your secret access code to authorize your users. The next piece that you need is the scopes. Now, this is typically a list of permissions. So you may only be asking for access to read the LinkedIn profile, but you're not asking for their email address, or you're not asking to be able to, you know, make posts on their behalf, for example. Same with the Google Calendar: maybe you just want to see calendars, but you don't want to update events. So they provide a bit of nuance in terms of how they organize their permissions, and you specify what you're authorizing your application to do when you pass in those scopes. And then finally you just need your service endpoints, so things like "I want to read a calendar", or "I want to get events", "I want to read my LinkedIn profile". There's target URLs for these, and of course you need to know those, but those will all be documented in the platform's documentation. So that's pretty much it. I'm ready for questions.
I'll leave this up; some useful links, as always. Go to the tech series to watch recordings if you missed something, if you want to go back and rewatch something. We keep a thread on the forum for this webinar; we like to hear from you there. Most of the samples that we make we post at demo.servoy.com in our sample gallery, which we're continuing to maintain. And finally, if you want to get this module, go to GitHub, create an account, and you can download the binary with the sample solution. You'll need to go out and get your own client ID and secret from your platform. I should also point out, and this is very important, that this module runs on top of the Google OAuth client libraries for Java, so you'll need to download those separately and install them, like in your beans directory. That's all you need to do, and then the module can talk OAuth via those libraries. Steve, I'm ready for questions.

We have time. All right, great. We have two so far. The first question is: can the authentication be saved on the database so that the user does not have to navigate to Google's website every time?

Awesome question. Yes, and you don't even need to worry about it: with the library that we're using, it's actually stored on a file system. And if you look here, I have this up in case I got that question. Here I have, in a user directory, a .servoy folder that I made, and of course we could configure this to go anywhere, a folder called my OAuth data store, and inside I have credentials for each one of those client IDs. So this is the Google one and this is the LinkedIn one. These are just little text files that have the credential information. And what's really happening, I think it's worth pointing out, and one of the reasons that I had built this library, was because OAuth is kind of complex.
There's a lot of moving parts, and one of the things that I found frustrating is that, you know, sending someone off to an authentication server is easy enough, but then when you get the token you have to receive that in a callback. So you as a developer have to have some server that's ready to receive an HTTP post with a token, and then at the same time say, okay, well, I received that token and I'm in the middle of running some method in Servoy. And one of the magic parts about the method where we actually get the authorization client and we execute the request and we get the client, one of the wonderful things about that, is that this very line of code is blocking execution, and it's waiting, and then the next line of code resumes once that callback has been received. And so there's a little bit of voodoo magic under the hood with the Google OAuth library: it actually launches an instance of Jetty, which is an embedded HTTP server, on an open port, and it's ready to receive the callback, and when it does it resumes the code right here, and we don't have to worry about handling that part of it. Giving you a nice UX that's seamless is the tricky part to OAuth, and that's why I had written this, because we were trying to do some OAuth stuff and, although it was working, the UX was really bad, and so that really helps. And that all, going back to the question, that all happens because then it puts the token here, in this location.
So the next time I want to authenticate... and I can demo that. Let's say I close this, I come back and relaunch my application, I go to, let's go to LinkedIn, let me get my client secret and my ID. I didn't have to leave. So, to answer finally the user's question, I didn't have to leave my application and go off and do that every time. I kept the token; it stays right here until that token is deleted or expires, and it will auto-refresh too when it expires. But if we lose it for some reason, then we have to go back and do it. So it's quite nice.

Okay, there are two other questions that are sort of similar, and they're both asking: what's the difference between this module and the OAuth plugin from ServoyForge, and can you use it for other things like contacts, like you can with the ServoyForge plugin?

Right, so there's a plugin on ServoyForge which is a bit older and, instead of the Google libraries, is based on something called Scribe, which is another Java library. The reason that I had created this, not really to redo any work that was already done or to compete with another project, is two things. One is that the Scribe one is a bit more complex. It already has built-in support for a few platforms, but if you want to add a platform... in particular, I was trying to do an integration a few months back with Resource Guru, which is a scheduling platform, and Scribe wouldn't let me do it unless I, you know, built my own provider inside of it, and so that wasn't working for me.
The other thing is that this handles that callback on that Jetty server, the embedded server, and keeps it all seamless, which I really like from a UX point of view. So this one has a bit different features and it's a bit newer, and it will be actively maintained on GitHub.

All right, one last question, from Patrick: can the token be stored in the database as well, instead of the file system? So is there a way to get it from the scope method?

Yeah, so, I mean, in the API that we expose, no, but we're open to enhancement. So, first of all, this is available on GitHub as the first beta release for folks to use, and I'm sure there will be requests, as people use it, for things like that. So right now it stores the token in the current working directory on the server machine, but there are options for where you'd like to store the token, and the database is certainly one of them. So we're open to that option; it would just have to be exposed via the API. So get to GitHub and file an issue.

All right, I think that was the last question. Cool. All right, well, thank you very much, Sean, and thank you everyone for attending, and we will see you in two weeks at Servoy World... Four weeks. Well, we'll see you in four weeks, and hopefully we'll see you in two weeks at Servoy World. The May 31st one, as you can see, the webinar will be a Servoy World recap if you missed it, but really it's just going to be a pale comparison to the actual thing. This is nothing. We hope to see you. It'll just make you sad if you weren't there. Yeah, really. Really, you know, you hear all about the great things that you missed, which, you know, who likes that? All right. And then, you know, that'll be happy memories. Exactly, all the inside jokes and that kind of stuff. All right, well, thank you very much, and have a great day, evening, afternoon, what have you. Bye-bye.
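The authorization-code flow that the webinar walks through (auth server URL, token server URL, client ID and secret, scopes, the local callback listener that the blocking "execute" call waits on, and the stored credential that is reused and refreshed on later runs) as one self-contained Python example. This is added here and is not code from the webinar, from the scy oAuth module or from the Google OAuth client library; it replaces Google and LinkedIn with an in-memory fake provider so it runs offline, and every URL, client ID and secret in it is a constructed placeholder. It also goes slightly beyond what the talk covers on two points a practitioner would want: the callback handler checks the `state` value it generated (so a redirect the application never requested is rejected), and the credential file is created owner-readable only, since whoever can read that file can act as the user until the token expires or is revoked.

```python
import json
import os
import secrets
import tempfile
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real endpoints or credentials (a real app gets these from the platform).
AUTH_URI = "https://provider.example/oauth2/auth"
REDIRECT_URI = "http://localhost:8080/Callback"   # where the embedded local listener waits
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
SCOPES = ["calendar.readonly"]


class FakeProvider:  # stand-in for the platform's auth server + token server (no network)
    def __init__(self):
        self._codes = {}    # authorization code -> (redirect_uri, scopes); each code is single-use
        self._refresh = {}  # refresh token -> scopes

    def authorize(self, auth_url):  # consent screen: user clicks allow, browser gets redirected
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["redirect_uri"][0], q["scope"][0].split())
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):  # token endpoint: code or refresh token -> access token
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        if form.get("grant_type") == "authorization_code":
            entry = self._codes.pop(form.get("code"), None)
            if entry is None or entry[0] != form.get("redirect_uri"):
                raise PermissionError("invalid or reused authorization code")
            scopes = entry[1]
        else:
            scopes = self._refresh.get(form.get("refresh_token"))
            if form.get("grant_type") != "refresh_token" or scopes is None:
                raise PermissionError("invalid grant")
        refresh = secrets.token_urlsafe(16)
        self._refresh[refresh] = scopes
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh,
                "expires_in": 3600, "scope": " ".join(scopes)}


class OAuthClient:  # client side: build the request, validate the callback, store and refresh
    def __init__(self, provider, store_path):
        self.provider, self.store_path, self._pending_state = provider, store_path, None

    def build_auth_url(self):
        # 'state' is a one-time random value the callback must echo back (CSRF protection).
        self._pending_state = secrets.token_urlsafe(16)
        return AUTH_URI + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": " ".join(SCOPES), "state": self._pending_state})

    def handle_callback(self, redirect_url):  # what the embedded listener does on redirect
        q = parse_qs(urlparse(redirect_url).query)
        if self._pending_state is None or q.get("state") != [self._pending_state]:
            raise PermissionError("state mismatch: callback does not match our request")
        self._pending_state = None
        return self._exchange({"grant_type": "authorization_code", "code": q["code"][0],
                               "redirect_uri": REDIRECT_URI})

    def _exchange(self, form):
        creds = self.provider.token(dict(form, client_id=CLIENT_ID, client_secret=CLIENT_SECRET))
        record = dict(creds, expires_at=time.time() + creds["expires_in"])
        # The token acts on the user's behalf: create the file owner-readable only (mode 0600).
        fd = os.open(self.store_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
        return record

    def get_access_token(self, now=None):  # refresh within 60 s of expiry; None if nothing stored
        try:
            with open(self.store_path) as f:
                record = json.load(f)
        except FileNotFoundError:
            return None
        if (time.time() if now is None else now) >= record["expires_at"] - 60:
            record = self._exchange({"grant_type": "refresh_token",
                                     "refresh_token": record["refresh_token"]})
        return record["access_token"]


def demo(store_path=None):  # run the lifecycle once and report what happened at each step
    store_path = store_path or os.path.join(tempfile.mkdtemp(), "creds.json")
    provider = FakeProvider()
    client = OAuthClient(provider, store_path)
    out = {"before": client.get_access_token(), "forged_rejected": False}   # nothing stored yet
    redirect = provider.authorize(client.build_auth_url())                  # user clicks "allow"
    out["first"] = client.handle_callback(redirect)["access_token"]
    out["cached"] = client.get_access_token()                               # no second consent
    out["refreshed"] = client.get_access_token(now=time.time() + 7200)      # past expiry
    client.build_auth_url()
    try:                                                                    # a redirect we never asked for
        client.handle_callback(REDIRECT_URI + "?code=x&state=forged")
    except PermissionError:
        out["forged_rejected"] = True
    return out
```

Calling `demo()` runs one consent round-trip, shows the stored token being reused without a second trip to the provider, forces a refresh by pretending two hours have passed, and then feeds the callback handler a redirect carrying a `state` it never issued. In a real client the `state` check belongs exactly where the embedded listener receives the redirect, and the credential store, whether a file as in the talk or a database column, deserves the same access restriction as a password, because it is what the platform accepts in place of one.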