[squeak-dev] [ANN] ModifierKeysMorph & WebClientOAuth2 (Zinc-SSO port)
Tim Johnson
digit at sonic.net
Thu Jun 11 16:12:00 UTC 2020
On Jun 10, 2020, at 11:21 PM, Marcel Taeumel wrote:
> Hi Tim,
>
> thank you for sharing your efforts!
>
> > But it's also slightly less complex than Zinc-SSO because I only
> > left in the bits that support Google's OAuth2.
>
> I suppose that generic support for OAuth2 would be gold for Squeak
> Trunk. :-) Maybe with a simple way to add more service providers
> besides Google... GitLab, GitHub, Discord, Reddit, Bitbucket, ...

Thank you Marcel!

It has been a year since I was deep into this project, but I'll try to
add some detail regarding its potential usefulness in Trunk:

As it is, this code implements the interactive, browser-based method
of OAuth2. This means it requires a browser to open up and for a
human to physically log in. It is likely possible for Squeak to
launch the browser and then capture the token, as I have seen done in
Python. (The token would eventually expire, of course.)

It is useful for SSO. But for automated workflows, where human
intervention is undesired, there is another type of OAuth2 which may
be called "server to server" or apparently "two-legged OAuth":
https://developers.google.com/identity/protocols/oauth2/service-account

I tried and failed to implement this last year. Where I failed was in
computing the JSON Web Signature (JWS). I could generate JWTs
successfully*, but JWSs for Google require "SHA256withRSA (also known
as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function)" which
requires one very specific algorithm missing from SqueakSSL and which
I simply could not engineer on my own at the time (or perhaps ever — I
might just not be smart enough ;) ). I was able to get as far as
crafting the JSON in Squeak and then signing using Python's
implementation of the algorithm and it would work.

If we could get server-to-server OAuth2 using WebClient, that would
also allow us to, say, connect to Google Drive directly from Squeak,
or be a client of Google Cloud Platform / Compute Engine, etc. I
think that would be very cool.

Sadly, I seem to recall this type of OAuth (and thus this algorithm)
would also be necessary for GitHub/GitLab.

Best,
a Tim

* I think I made a class for this which I could contribute.
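
The RS256 step named in the message above, written out as an added example that is not part of the original post or of WebClientOAuth2: it builds the JWS signing input and applies RSASSA-PKCS1-v1_5 with SHA-256 using only hashing, fixed padding and modular exponentiation. The function names, the test key (built from two Mersenne primes, so trivially factorable) and the claim values are constructed for illustration.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    # EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo || SHA-256(message)
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")  # s = EM^d mod n

def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # Re-encode and compare the whole block instead of parsing the padding.
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(message, k)

def make_jws(claims: dict, n: int, d: int) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii"), n, d))

# Constructed TEST key: product of two Mersenne primes, never usable as a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+

# Constructed claim values; field names follow the service-account flow linked in the message.
CLAIMS = {"iss": "example-sa@example-project.iam.gserviceaccount.com",
          "scope": "https://www.googleapis.com/auth/drive.readonly",
          "aud": "https://oauth2.googleapis.com/token",
          "iat": 1591891920, "exp": 1591895520}

if __name__ == "__main__":
    print(make_jws(CLAIMS, N, D))
```

The private-key exponentiation here is not constant-time and the key is not secret, so this shows the encoding only; a port would take `n` and `d` from the service account's PEM key and keep the signing operation inside a vetted crypto primitive.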