[squeak-dev] [ANN] ModifierKeysMorph & WebClientOAuth2 (Zinc-SSO port)

Levente Uzonyi leves at caesar.elte.hu
Fri Jun 12 01:39:52 UTC 2020


Hi Tim,

On Thu, 11 Jun 2020, Tim Johnson wrote:

> 
> On Jun 10, 2020, at 11:21 PM, Marcel Taeumel wrote:
> 
> > Hi Tim,
> > thank you for sharing your efforts!
> > 
> > > But it's also slightly less complex than Zinc-SSO because I only left in the bits that support Google's OAuth2.
> > 
> > I suppose that generic support for OAuth2 would be gold for Squeak Trunk. :-) Maybe with a simple way to add more service providers besides Google... GitLab, GitHub, Discord, Reddit, Bitbucket, ... 
> 
> 
> Thank you Marcel!
> 
> It has been a year since I was deep into this project, but I'll try to add some detail regarding its potential usefulness in Trunk:
> 
> As it is, this code implements the interactive, browser-based method of OAuth2.  This means it requires a browser to open up and for a human to physically log in.  It is likely possible for Squeak to launch the browser and
> then capture the token, as I have seen done in Python.  (The token would eventually expire, of course.)
> 
> It is useful for SSO.  But for automated workflows, where human intervention is undesired, there is another type of OAuth2 which may be called "server to server" or apparently "two-legged OAuth":
> 
> https://developers.google.com/identity/protocols/oauth2/service-account
> 
> I tried and failed to implement this last year.  Where I failed was in computing the JSON Web Signature (JWS).  I could generate JWTs successfully*, but JWSs for Google require "SHA256withRSA (also known as
> RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function)" which requires one very specific algorithm missing from SqueakSSL and which I simply could not engineer on my own at the time (or perhaps ever — I might just not be
> smart enough ;) ).  I was able to get as far as crafting the JSON in Squeak and then signing using Python's implementation of the algorithm and it would work.
> 
> If we could get server-to-server OAuth2 using WebClient, that would also allow us to, say, connect to Google Drive directly from Squeak, or be a client of Google Cloud Platform / Compute Engine, etc.  I think that would be
> very cool.
> 
> Sadly, I seem to recall this type of OAuth (and thus this algorithm) would also be necessary for GitHub/GitLab.

The Cryptography package seems to have this stuff implemented, though I 
haven't verified the results. Here's how to use it:
Let's say privateKey is an RSAPrivateKey holding your private key (see the 
class-side methods and RSAPrivateKeyFileReader for how to initialize it) and 
message is your serialized JSON to sign. Then

 	privateKey v15SignMessageHash: (HashFunction newSHA256 digestInfoAsn1DerEncodingFromMessage: message)

should return the signature.


Levente

> 
> Best,
> a Tim
> 
> 
> * I think I made a class for this which I could contribute.
> 