What is oAuth2
oAuth2 is a authentication framework that allows third party applications to authenticate with services without the need for the user to provide credentials to the third party application.
For example if our application would like to connect to an end users google account we can get authorization by asking the user to authenticate with google and google giving our application a security token. The application never knows the credentials used but gets access using the token provided by google.
Normally authentication would involve a login screen that allows the user to type in a username and password and then the application would use these credentials to talk to the third party service.
In order to hide the actual credentials from the application the following process is used by oAuth2 to authenticate an application
- User instructs application to connect to a service secured by oAuth2
- Application starts Authentication Process using your client id and/or client secret by calling the authentication web service
- Depending on the options the call returns a URL or web page and that url or webpage which contains the actual login needs to be shown to the user
- The application uses one of the available methods to get a response from oAuth2
- The user now authenticates on the web page.
- in the meantime the application has to wait and continuously check for a response from the authentication
- once the user authenticates the application can then get an access token that can be used later to authenticate with the service
Interfacing DataFlex with oAuth2 authentication is a bit complicated mainly due to 2 missing parts of the language
- DataFlex is single threaded which makes it hard to wait for things while keeping the user interface from being locked up
- DataFlex does not have any support for TCPIP communication which is needed to listen to a port on localhost
One way to make life easier is to use the Chilkat oAuth2 component. Chilkat solves the second issue by handling all the TCPIP communication for us
Registering the application
In order to use oAuth2 for any service the application has to be registered with that service in our example Google. This registration will give us a client id as well as a client secret for our application that will be used to authenticate
For this example we will create 2 views. View 1 will be our view requesting authentication, view 2 will contain the browser window. You could also call the browser as a separate program.
To show the two part process we will split the functions over two buttons. First button will initiate the authentication process, second button will then after successful authentication get the token.
At the top of the view we will need to use the chilkat package. Of course you will need to download and install the chilkat library
//
// use chilkat
Use ChilkatAx-9.5.0-win32.pkg
Procedure ChilkatGlobalUnlock
Handle hoGlob
Boolean iSuccess
Integer iStatus
String sTemp1
Get Create (RefClass(cComChilkatGlobal)) to hoGlob
If (not(IsComObjectCreated(hoGlob))) Begin
Send CreateComObject of hoGlob
End
Get ComUnlockBundle of hoGlob "Anything for 30-day trial" to iSuccess
If (iSuccess <> True) Begin
Get ComLastErrorText of hoGlob to sTemp1
Showln sTemp1
Procedure_Return
End
Get ComUnlockStatus of hoGlob to iStatus
If (iStatus = 2) Begin
Showln "Unlocked using purchased unlock code."
End
Else Begin
Showln "Unlocked in trial mode."
End
End_Procedure
the code above will globally unlock all chilkat classes using your credentials supplied by chilkat
Step 1 – Start Authentication
Procedure OnClick
Handle hoOauth2 hoSbJson
Boolean iSuccess bTemp1
String sUrl sTemp1
Integer iNumMsWaited iTemp1
// make sure chilkat is unlocked
Send ChilkatGlobalUnlock
// create oAuth2 object
Get Create (RefClass(cComChilkatOAuth2)) to hoOauth2
If (not(IsComObjectCreated(hoOauth2))) Begin
Send CreateComObject of hoOauth2
End
// remember for step2
Set phoOAuth2 to hoOauth2
// For Google OAuth2, set the listen port equal to the port used
// in the Authorized Redirect URL for the Client ID.
// For example, in this case the Authorized Redirect URL would be http://localhost:55568/
// Your app should choose a port not likely not used by any other application.
Set ComListenPort of hoOauth2 to 55568
Set ComAuthorizationEndpoint of hoOauth2 to "https://accounts.google.com/o/oauth2/v2/auth"
Set ComTokenEndpoint of hoOauth2 to "https://www.googleapis.com/oauth2/v4/token"
// Replace these with actual values.
Set ComClientId of hoOauth2 to "YOUR APPS CLIENT ID HERE"
Set ComClientSecret of hoOauth2 to "YOUR APPS CLIENT SECRET HERE"
Set ComCodeChallenge of hoOauth2 to True
Set ComCodeChallengeMethod of hoOauth2 to "S256"
// This is the scope for Google Drive.
// See https://developers.google.com/identity/protocols/googlescopes
Set ComScope of hoOauth2 to "https://www.googleapis.com/auth/drive"
// Begin the OAuth2 three-legged flow. This returns a URL that should be loaded in a browser.
Get ComStartAuth of hoOauth2 to sUrl
Get ComLastMethodSuccess of hoOauth2 to bTemp1
If (bTemp1 <> True) Begin
Get ComLastErrorText of hoOauth2 to sTemp1
Showln sTemp1
Procedure_Return
End
Send ShowGoogleLogin sUrl
End_Procedure
The OnClick procedure above first creates a chilkat oAuth2 object. We remeber the object id in a property for step 2 later.
oAuth2 uses a local port to communicate. In this case we use a port that is likely not used. A better implementation would be to find a random unused port.
We set the endpoints to the google endpoints
We also need to set the client id and client secret. These are supplied to you when registering your application with google
We also need to set the scope of our authentication which will tell Google what services we are trying to authenticate for.
The next step is to start the authentication process. This will return a URL that needs to be shown to the user.
The last line Send ShowGoogleLogin sUrl will be handled in our next step
Show the Url in the browser
We need to be able to show the url returned by the authentication process to the user.
For this example i decided to use a web browser in a view but you can also simply launch a web browser as a separate application. There is no connection needed between our application and the browser
The code for the browser view is as follows
Use Windows.pkg
Use DFClient.pkg
Use cComWebBrowser.pkg
Activate_View Activate_oBrowserView for oBrowserView
Object oBrowserView is a dbView
Property String psUrlToNavigate ""
Set Border_Style to Border_Thick
Set Size to 200 300
Set Location to 2 2
Set Label to "BrowserView"
Object oWebBrowser is a cComWebBrowser
Set Size to 254 497
Set Location to 34 21
Set peAnchors to anAll
// When the control is created, point to a default web site
Procedure OnCreate
Forward Send OnCreate
Send ComNavigate (psUrlToNavigate(Self)) 0 0 0 0
End_Procedure
End_Object
End_Object
Procedure ShowGoogleLogin String sURL
Set psUrlToNavigate of oBrowserView to sURL
Send Activate_oBrowserView
End_Procedure
Now we need to create the second part of our authentication that needs to be executed after the user actually authenticates
Procedure OnClick
Handle hoOauth2
Integer iNumMsWaited iTemp1 iSuccess
String sTemp1
Get phoOAuth2 to hoOauth2
// Now wait for the authorization.
// We'll wait for a max of 30 seconds.
Move 0 to iNumMsWaited
While ((iNumMsWaited < 30000) and ((ComAuthFlowState(hoOauth2)) < 3))
Send ComSleepMs to hoOauth2 100
Move (iNumMsWaited + 100) to iNumMsWaited
Loop
// If there was no response from the browser within 30 seconds, then
// the AuthFlowState will be equal to 1 or 2.
// 1: Waiting for Redirect. The OAuth2 background thread is waiting to receive the redirect HTTP request from the browser.
// 2: Waiting for Final Response. The OAuth2 background thread is waiting for the final access token response.
// In that case, cancel the background task started in the call to StartAuth.
Get ComAuthFlowState of hoOauth2 to iTemp1
If (iTemp1 < 3) Begin
Get ComCancel of hoOauth2 to iSuccess
Showln "No response from the browser!"
Procedure_Return
End
// Check the AuthFlowState to see if authorization was granted, denied, or if some error occurred
// The possible AuthFlowState values are:
// 3: Completed with Success. The OAuth2 flow has completed, the background thread exited, and the successful JSON response is available in AccessTokenResponse property.
// 4: Completed with Access Denied. The OAuth2 flow has completed, the background thread exited, and the error JSON is available in AccessTokenResponse property.
// 5: Failed Prior to Completion. The OAuth2 flow failed to complete, the background thread exited, and the error information is available in the FailureInfo property.
Get ComAuthFlowState of hoOauth2 to iTemp1
If (iTemp1 = 5) Begin
Showln "OAuth2 failed to complete."
Get ComFailureInfo of hoOauth2 to sTemp1
Showln sTemp1
Procedure_Return
End
Get ComAuthFlowState of hoOauth2 to iTemp1
If (iTemp1 = 4) Begin
Showln "OAuth2 authorization was denied."
Get ComAccessTokenResponse of hoOauth2 to sTemp1
Showln sTemp1
Procedure_Return
End
Get ComAuthFlowState of hoOauth2 to iTemp1
If (iTemp1 <> 3) Begin
Get ComAuthFlowState of hoOauth2 to iTemp1
Showln "Unexpected AuthFlowState:" iTemp1
Procedure_Return
End
// Save the full JSON access token response to a file.
Integer hoSbJson
Get Create (RefClass(cComChilkatStringBuilder)) to hoSbJson
If (not(IsComObjectCreated(hoSbJson))) Begin
Send CreateComObject of hoSbJson
End
Get ComAccessTokenResponse of hoOauth2 to sTemp1
Get ComAppend of hoSbJson sTemp1 to iSuccess
Get ComWriteFile of hoSbJson "qa_data/tokens/googleDrive.json" "utf-8" False to iSuccess
Showln "OAuth2 authorization granted!"
Get ComAccessToken of hoOauth2 to sTemp1
Showln "Access Token = " sTemp1
Send Destroy to hoSbJson
Send Destroy to hoOauth2
Set phoOAuth2 to 0
End_Procedure
After validating that there was a proper response from the authentication server we get the response that includes the token and other information
To run this example click the first button. This will initiate the authentication process and then show the browser window with a goggle login (the login may be skipped if you are already logged in to google).
After logging in google will ask if you want to authorize the application. Allow the authorization and then close the browser window.
Now you can click the second button and the application will then get the authentication token that can be used to authenticate for any service calls later.
