Type: Technical Documentation
Affects Version/s: 7.4.X, Master
Fix Version/s: None
Component/s: Application Security > OAuth2
Sprint: AppSec Iteration 56, AppSec Iteration 57, AppSec Iteration 58
Type of Documentation: User
This feature adds the ability to mark OAuth2 applications as trusted, so that the manual authorization step can be skipped during the process of obtaining a token.
It will be useful for different types of customers, who will be able to decide in which cases an authorization by the user is not necessary. Trusted applications should be useful for pure JS Single Page Applications that consume features exposed by an OAuth2 Application.
A new option is offered when registering or editing an OAuth2 application in the administration screen: a new "Trusted Application" checkbox is available when the OAuth2 Application uses Authorization Code or Authorization Code PKCE as its authorization grant type.
During the process of obtaining a token with Authorization Code or Authorization Code PKCE, the first step is to obtain a Liferay authorization code; if the application is marked as trusted, the user does not need to perform the usual manual authorization inside the Portal. See image attachments.
Trusted applications SHOULD NOT be used by mobile applications or by applications that cannot store the client id confidentially: in such a non-secure scenario, the only thing preventing a successful phishing attack is the authorization screen, which should warn the user that an application is trying to use another application's credentials.
To mark an OAuth2 Application as a Trusted Application, an OAuth2 Administrator simply enables the option in the OAuth2 Application creation or editing screen, under Menu - OAuth2 Administration.
To test this feature, we offer an external Liferay OAuth2 Tester at: http://martamedio.com/oauth2-tester/
- OAuth2Application: the table has been modified to add a new boolean indicating whether the application is trusted or not.
- oauth2-provider-service - default.xml: a new permission has also been added to control whether the user is allowed to mark applications as trusted.
- LiferayOAuthDataProvider.java: the client properties now record whether the application is a trusted one.
- AuthorizationCodeGrantServiceRegistrator.java: a new check has been added to allow continuing without manual authorization if the client is trusted.
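The two decisions described above (the admin-screen rule that the flag only applies to Authorization Code / PKCE clients and should not be used by public clients, and the authorization-endpoint check that skips manual consent for a trusted client) sketched as an added, stand-alone example; this is illustrative code, not Liferay's implementation, and the `OAuth2Client` fields, function names and sample clients are constructed for the example.

```python
from dataclasses import dataclass

# Grant types for which the "Trusted Application" checkbox is offered.
TRUSTED_ELIGIBLE_GRANTS = {"authorization_code", "authorization_code_pkce"}


@dataclass
class OAuth2Client:
    client_id: str
    grant_types: set
    redirect_uris: set
    confidential: bool       # can the application keep its credentials secret?
    trusted: bool = False    # stands in for the new boolean on OAuth2Application


def check_trusted_registration(client):
    """Admin-screen guard. Returns (allowed, warnings): the flag is refused for
    clients without an eligible grant, and a warning is raised for public
    clients, where the consent screen is the only thing stopping a phishing
    application from using another application's client id."""
    if not (client.grant_types & TRUSTED_ELIGIBLE_GRANTS):
        return False, ["trusted flag requires Authorization Code or Authorization Code PKCE"]
    warnings = []
    if not client.confidential:
        warnings.append("public client (mobile/SPA): should not be marked trusted")
    return True, warnings


def consent_required(client, requested_grant, redirect_uri):
    """Authorization-endpoint decision. The manual authorization step is skipped
    only for a trusted client, on an eligible grant, redirecting to an exactly
    matching pre-registered URI; anything else still shows the consent screen."""
    if requested_grant not in TRUSTED_ELIGIBLE_GRANTS:
        return True
    if redirect_uri not in client.redirect_uris:
        return True   # never shortcut consent when the redirect target is not registered
    return not client.trusted


if __name__ == "__main__":
    # Constructed sample clients, not taken from any real deployment.
    backend = OAuth2Client("web-backend", {"authorization_code"},
                           {"https://app.example.test/cb"}, confidential=True, trusted=True)
    mobile = OAuth2Client("mobile-app", {"authorization_code_pkce"},
                          {"com.example.app://cb"}, confidential=False, trusted=True)
    print(check_trusted_registration(backend))   # (True, [])
    print(check_trusted_registration(mobile))    # (True, ['public client ...'])
    print(consent_required(backend, "authorization_code", "https://app.example.test/cb"))   # False
    print(consent_required(backend, "authorization_code", "https://evil.example.test/cb"))  # True
```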