[squeak-dev] [ANN] ModifierKeysMorph & WebClientOAuth2 (Zinc-SSO port)

Tim Johnson digit at sonic.net
Thu Jun 11 16:12:00 UTC 2020


On Jun 10, 2020, at 11:21 PM, Marcel Taeumel wrote:

> Hi Tim,
>
> thank you for sharing your efforts!
>
> > But it's also slightly less complex than Zinc-SSO because I only  
> left in the bits that support Google's OAuth2.
>
> I suppose that generic support for OAuth2 would be gold for Squeak  
> Trunk. :-) Maybe with a simple way to add more service providers  
> besides Google... GitLab, GitHub, Discord, Reddit, Bitbucket, ...

Thank you Marcel!

It has been a year since I was deep into this project, but I'll try to  
add some detail regarding its potential usefulness in Trunk:

As it is, this code implements the interactive, browser-based method  
of OAuth2.  This means it requires a browser to open up and for a  
human to physically log in.  It is likely possible for Squeak to  
launch the browser and then capture the token, as I have seen done in  
Python.  (The token would eventually expire, of course.)

It is useful for SSO.  But for automated workflows, where human  
intervention is undesired, there is another type of OAuth2 which may  
be called "server to server" or apparently "two-legged OAuth":

https://developers.google.com/identity/protocols/oauth2/service-account

I tried and failed to implement this last year.  Where I failed was in  
computing the JSON Web Signature (JWS).  I could generate JWTs  
successfully*, but JWSs for Google require "SHA256withRSA (also known  
as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function)" which  
requires one very specific algorithm missing from SqueakSSL and which  
I simply could not engineer on my own at the time (or perhaps ever — I  
might just not be smart enough ;) ).  I was able to get as far as  
crafting the JSON in Squeak and then signing using Python's  
implementation of the algorithm and it would work.

If we could get server-to-server OAuth2 using WebClient, that would  
also allow us to, say, connect to Google Drive directly from Squeak,  
or be a client of Google Cloud Platform / Compute Engine, etc.  I  
think that would be very cool.

Sadly, I seem to recall this type of OAuth (and thus this algorithm)  
would also be necessary for GitHub/GitLab.

Best,
a Tim


* I think I made a class for this which I could contribute.
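
The signing step described in the message above (a JWT signed with RS256, i.e. RSASSA-PKCS1-v1_5 with SHA-256), as an added example that is not part of the original post or of any Squeak package. It uses only Python's standard library; the key is a constructed toy key made from two Mersenne primes and is trivially factorable, and the claim values and function names are assumptions for illustration.

```python
import base64, hashlib, json

# Constructed toy key (assumption): two Mersenne primes, trivially factorable.
# A real service-account key is a 2048-bit RSA key loaded from its key file.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    # EM = 0x00 || 0x01 || 0xFF padding || 0x00 || DigestInfo(SHA-256(message))
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes) -> bytes:
    em = int.from_bytes(emsa_pkcs1_v15(message, K), "big")
    return pow(em, D, N).to_bytes(K, "big")   # s = EM^d mod n

def rs256_verify(message: bytes, signature: bytes) -> bool:
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    # Re-encode and compare whole blocks instead of parsing the padding.
    return pow(s, E, N).to_bytes(K, "big") == emsa_pkcs1_v15(message, K)

def make_jwt(claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [json.dumps(x, separators=(",", ":")).encode() for x in (header, claims)]
    signing_input = ".".join(b64url(p) for p in parts)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii")))

def verify_jwt(token: str) -> bool:
    signing_input, _, sig = token.rpartition(".")
    return rs256_verify(signing_input.encode("ascii"), b64url_decode(sig))

# Constructed sample claims (placeholder values, not a real account)
SAMPLE_CLAIMS = {"iss": "svc@example.invalid", "iat": 1591891920, "exp": 1591895520}
```
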

