Thread: Newbie and OAuth2.0


Replies: 4 - Last Post: Apr 18, 2018 12:29 PM by Robert Kondner
Robert Kondner

Posts: 59
Registered: 11/15/01
Newbie and OAuth2.0
Posted: Apr 16, 2018 2:07 PM
Hi,
I am building a VCL Win32 app in Delphi 10.1 to access some services from an online web service. Digikey.com is the provider. I have my client ID and secret and my app is registered with them. So far so good, but I can't quite yet spell OAuth2.0. Figured I would look at the demos!

I have the sample RESTDemos.dproj app open and compiling, and I was looking at what is done in there.

I notice they use a Tfrm_OAuthWebForm to get an Authorization code, which gets returned in a Window Title. Did I get that right? Sounds a little strange, but then there is plenty I don't know. Why would that be done instead of sending a request directly to the authentication server?

I dropped a new TOAuth2Authenticator on the main form and I set up the properties. Looks easy (famous last words). But this first step is getting the Authorization code, and I didn't understand the web browser function.

Thanks,
Bob K.
Angus Robertson

Posts: 205
Registered: 3/17/00
Re: Newbie and OAuth2.0
Helpful
Posted: Apr 17, 2018 1:08 AM   in response to: Robert Kondner
I am building VCL Win32 app in Delphi 10.1 to access some
services from an online web service. Digikey.com is the provider.
I have my client ID and secret and my app is registered with
them. So far so good but I can't quite yet spell OAuth2.0.

I've just implemented OAuth2 for the ICS internet components.

The conceptual issue about OAuth2 is that applications should not know any
login details. They need to be entered through a browser, which then redirects
to a fixed URL which includes an Authorization Code that is subsequently
exchanged for an Access Token that can be used by the REST client. This is really
all designed for interactive applications, on mobile platforms in particular.

Originally it was considered allowable for native applications to display an
embedded browser window in the application to capture the Authorization Code
during redirect, but that potentially means the application can also capture
the login as well so is no longer best practice, see RFC8252. Some apps will
block the embedded window.

But the Delphi REST OAuth components still use an embedded browser, which does
not always work any longer.

The preferred authorization method now is for the native application to launch
the standard browser and redirect to localhost where a small web server runs to
capture the Authorization Code. That is what the ICS components do.

Once you have the Authorization Code, getting an Access Token is trivial REST.
But the Access Token will usually expire within 24 hours, sometimes much sooner.
So the token exchange process also offers a Refresh Token with the same expiry,
but which can be used to get another Access Token without needing user
interaction.

So the trick for native applications is to keep refreshing the Access Token
before it expires, allowing your application to keep running. Store the
Refresh Token securely, since it's a potential security risk.

Angus
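The loopback flow Angus describes (system browser, redirect to a small web server on localhost, then refresh the Access Token before it expires) is easy to get wrong in the details, so here is an added, self-contained illustration in Python. It is not ICS code and not the Delphi REST components; the authorization endpoint, client id, scope and token values are all constructed placeholders. Besides capturing the code, it checks the `state` parameter on the redirect (so a redirect the app did not initiate is rejected) and decides when a Refresh Token should be used, which the reply above mentions but does not show. The `simulate_browser_redirect` helper stands in for the user's browser so the whole exchange can be exercised offline.

```python
"""Loopback-redirect capture of the OAuth2 Authorization Code and expiry-aware
refresh timing, as an added illustration of the flow described in the reply
above. Not ICS or Delphi REST code; every URL, client id and token is constructed."""
import http.client
import http.server
import secrets
import threading
import time
import urllib.parse

AUTH_ENDPOINT = "https://auth.example.invalid/authorize"  # constructed placeholder


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Authorization request the native app hands to the *system* browser."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(path, expected_state):
    """Pull the code out of the redirect back to localhost.  A redirect whose
    state does not match the one we generated is ignored (CSRF protection)."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if q.get("state", [None])[0] != expected_state or "error" in q:
        return None
    return q.get("code", [None])[0]


class LoopbackCapture:
    """Tiny web server on 127.0.0.1 that waits for exactly one redirect."""

    def __init__(self, expected_state):
        self.expected_state = expected_state
        self.code = None
        self.done = threading.Event()
        capture = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                capture.code = parse_redirect(self.path, capture.expected_state)
                ok = capture.code is not None
                body = b"Login complete, you may close this window." if ok else b"Authorization failed."
                self.send_response(200 if ok else 400)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                capture.done.set()

            def log_message(self, *args):  # keep the console quiet
                pass

        # Bind to the loopback interface only, on an ephemeral port (RFC 8252 style).
        self.server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"

    def wait_for_code(self, timeout):
        """Serve until the redirect arrives (or the timeout), then shut down."""
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        try:
            self.done.wait(timeout)
            return self.code
        finally:
            self.server.shutdown()
            self.server.server_close()


class TokenSet:
    """Access/Refresh token pair with the expiry the token endpoint reported."""

    def __init__(self, access_token, refresh_token, expires_in, now=None):
        self.access_token = access_token
        self.refresh_token = refresh_token  # store this one securely (DPAPI, keychain)
        self.expires_at = (time.time() if now is None else now) + expires_in

    def needs_refresh(self, now=None, margin=60):
        """True when the Access Token is within `margin` seconds of expiring."""
        return (time.time() if now is None else now) >= self.expires_at - margin


def simulate_browser_redirect(code="CONSTRUCTED_CODE", tamper_state=False):
    """Stand-in for the user's browser: hits the loopback server the way the
    authorization server's redirect would, so the flow can be exercised offline."""
    state = secrets.token_urlsafe(16)
    capture = LoopbackCapture(state)
    # In a real app this URL is what you would open in the system browser.
    auth_url = build_authorize_url("constructed-client-id", capture.redirect_uri, "orders", state)
    assert "state=" in auth_url
    sent_state = "not-our-state" if tamper_state else state

    def redirect():
        time.sleep(0.1)
        conn = http.client.HTTPConnection("127.0.0.1", capture.port, timeout=5)
        conn.request("GET", "/callback?" + urllib.parse.urlencode({"code": code, "state": sent_state}))
        conn.getresponse().read()
        conn.close()

    threading.Thread(target=redirect, daemon=True).start()
    return capture.wait_for_code(timeout=5)
```

Exchanging the captured code for tokens is a plain POST to the provider's token endpoint with the client id and secret, and the returned `expires_in` feeds `TokenSet`; a background timer that calls the refresh grant whenever `needs_refresh()` is true keeps the app running without another browser round trip.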
Robert Kondner

Posts: 59
Registered: 11/15/01
Re: Newbie and OAuth2.0
Posted: Apr 17, 2018 7:51 AM   in response to: Angus Robertson
Angus Robertson wrote:
I am building VCL Win32 app in Delphi 10.1 to access some
services from an online web service. Digikey.com is the provider.
I have my client ID and secret and my app is registered with
them. So far so good but I can't quite yet spell OAuth2.0.

I've just implemented OAuth2 for the ICS internet components.

The conceptual issue about OAuth2 is that applications should not know any
login details. They need to be entered through a browser, which then redirects
to a fixed URL which includes an Authorization Code that is subsequently
exchanged for an Access Token that can be used by the REST client. This is really
all designed for interactive applications, on mobile platforms in particular.
...
esh Token securely, since it's a potential security risk.

Angus

Angus,

Thank you for the response.

This app had been consuming services through a SOAP interface, but that is being discontinued and REST with OAuth2 is now offered.

I will play with the existing browser interface, get it working, then try my own request.

I looked at the ICS tools, thanks for the link.

Bob K.
Angus Robertson

Posts: 205
Registered: 3/17/00
Re: Newbie and OAuth2.0
Posted: Apr 17, 2018 9:54 AM   in response to: Robert Kondner
I looked at the ICS tools, thanks for the link.

The ICS OAuth stuff is not released yet, next week.

Angus
Robert Kondner

Posts: 59
Registered: 11/15/01
Re: Newbie and OAuth2.0
Posted: Apr 18, 2018 12:29 PM   in response to: Angus Robertson
Angus Robertson wrote:
I looked at the ICS tools, thanks for the link.

The ICS OAuth stuff is not released yet, next week.

Angus

Hi,

Let me know when it is available.

Thanks,
Bob Kondner
bob@partsync.com