
[Doc] How to register trusted applications where there is no manual authentication grant that the user must take as a step, as an Instance Administrator

    Details

    • Type: Technical Documentation
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: 7.4.X, Master
    • Fix Version/s: None
    • Labels:
      None
    • Sprint:
      AppSec Iteration 56, AppSec Iteration 57, AppSec Iteration 58
    • Type of Documentation:
      User

      Description

      Confluence page

      https://liferay.atlassian.net/wiki/spaces/ENGAPPSECURITY/pages/1481572730/Doc+Documentation+of+the+Story+As+an+Instance+Administrator+I+want+to+register+trusted+applications+where+there+is+no+manual+authentication+grant+that+the+user+must+taken+as+a+step

      Background
      This feature makes it possible to mark OAuth2 applications as trusted, so that the manual authorization step is skipped while a token is being obtained.
      It will be useful for different types of customers, who will be able to decide in which cases an authorization by the user is not necessary. Trusted applications should be useful for pure JavaScript single-page applications that use features of an OAuth2 application.

      Features
      A new option is offered when registering or editing an OAuth2 application in the administration screen: a new "Trusted Application" checkbox is available when the OAuth2 application uses Authorization Code or Authorization Code PKCE as its authorization type.

      When obtaining a token with Authorization Code or Authorization Code PKCE, the first step is to obtain a Liferay authorization code. If the application is marked as trusted, the user does not need to perform the usual manual authorization inside the Portal. See image attachments.

      Trusted applications SHOULD NOT be used by mobile applications or by applications that cannot store the client ID confidentially. In a non-secure scenario, the only thing preventing a successful phishing attack is the authorization screen, which should warn the user that an application is trying to use another application's credentials.

      Steps
      To mark an OAuth2 application as a Trusted Application, an OAuth2 Administrator simply selects the option in the OAuth2 application creation or editing screen, under Menu - OAuth2 Administration.

      To test this feature, we offer an external Liferay OAuth2 Tester at: http://martamedio.com/oauth2-tester/
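      The authorization-endpoint decision described in the Features section, as an added illustration (this is not Liferay code and does not use Liferay's API): the `trusted` flag stands in for the "Trusted Application" checkbox and only takes effect for the Authorization Code grant types, the redirect URI is still validated, and a PKCE client still has to present its code verifier at the token endpoint. The grant-type names, exact redirect-URI matching and the S256 check are assumptions.

```python
"""Toy model of the consent decision for a registered OAuth2 client.
Added illustration, not Liferay code: 'trusted' models the "Trusted
Application" checkbox; grant-type names, exact redirect-URI matching
and the PKCE S256 check are assumptions of this example."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    grant_types: frozenset    # e.g. {"authorization_code", "authorization_code_pkce"}
    redirect_uris: frozenset  # registered redirect URIs (exact match assumed)
    trusted: bool = False


def trusted_allowed(client: Client) -> bool:
    """The checkbox is only offered for Authorization Code / Authorization Code PKCE."""
    return bool(client.grant_types & {"authorization_code", "authorization_code_pkce"})


def authorize(client: Client, response_type: str, redirect_uri: str,
              user_consented: bool) -> str:
    """Return 'code', 'consent_required' or 'error' for an authorization request."""
    if response_type != "code" or redirect_uri not in client.redirect_uris:
        return "error"  # redirect URI is checked even for trusted applications
    if client.trusted and trusted_allowed(client):
        return "code"   # trusted: the manual authorization screen is skipped
    return "code" if user_consented else "consent_required"


def s256_challenge(verifier: str) -> str:
    """PKCE code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_ok(code_challenge: str, code_verifier: str) -> bool:
    """Token endpoint: a trusted PKCE client must still present the matching verifier."""
    return s256_challenge(code_verifier) == code_challenge


# Constructed sample registrations.
SPA = Client("spa-client", frozenset({"authorization_code_pkce"}),
             frozenset({"https://app.example/callback"}), trusted=True)
BATCH_JOB = Client("batch-job", frozenset({"client_credentials"}),
                   frozenset(), trusted=True)  # flag has no effect for this grant

if __name__ == "__main__":
    print(authorize(SPA, "code", "https://app.example/callback", False))  # code
    print(authorize(SPA, "code", "https://other.example/cb", False))      # error
    print(trusted_allowed(BATCH_JOB))                                     # False
```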

              People

              Assignee:
              marta.medio Marta Medio
              Reporter:
              nora.szel Nóra Szél