Amber Web Authorization FrameworkAPI Documentation
Amber Web Authorization Framework
Many applications need to interact with remote services to provide their functionality to the user. One industry-standard mechanism by which the remote service can delegate authorization for specific actions to the application is called OAuth. The OAuth2 specification, for example, describes flows whereby an application can ask a service to allow it to perform some specific types of operations (known as the "scope") on behalf of the user. The system browser is then used to provide the user with an interactive session with the remote service, whereby the user is asked to permit (by logging in) or deny (by cancelling) the request. If permitted by the user, the application is returned an "access token" which it must use as proof of authorization when performing operations (for example, requesting certain data from the remote service).
Note that the application must have been registered with the remote service (which is done manually via the service's website) and have a valid "consumer_key" (
OAuth1.0a) or "client_id" (
OAuth2) which identifies it.
The Amber Web Authorization Framework provides both C++ and QML API which allows application developers to easily integrate
OAuth2 flows into their application, including a simple TCP server which can listen for web-browser redirects.
Using the Amber Web Authorization Framework
Regardless of whether the application is using the QML or C++ API, the basic steps for using OAuth in their application is the same:
- Construct the redirect listener (to capture a redirect from the browser)
- Construct the appropriate (i.e., OAuth1 or OAuth2) helper and set its properties
- If using
OAuth1.0a, ask the OAuth1 helper to request a temporary token
- Ask the OAuth helper to generate an authorization URL
- Open the generated URL in the system web browser
- Wait for the user to authorize the application
- The redirect listener will then capture the redirect, and the OAuth helper will emit a signal containing the access token
After receiving an access token, the application must use this token in all subsequent requests to the remote service, by specifying an appropriate "Authorization" header in those requests.
OAuth2 enabled services, this is as simple as setting the "Authorization" header value to "Bearer <token>", but for
OAuth1 it is more complicated, and so some helper API is provided by the Amber Web Authorization Framework to generate the appropriate authorization header for a specific request, given the
OAuth1 token (and token secret) previously provided to the application. See Amber::Web::Authorization::OAuth1::generateAuthorizationHeader() for more information about this.
The C++ API consists of the following classes:
Note that the
OAuth2 specification describes multiple different possible flows depending on the type of application. The OAuth2 helper supports a variety of different flows; the application developer must choose the one they want to use, and provide values for the appropriate properties as required by that flow. See the FlowType documentation for more information on this topic.
The RedirectListener is a very simple TCP server which can be used to capture redirects from the system browser (which will include the access token if the user authorized the application) by listening on a localhost port. The client application may use an instance of this type to handle the redirect, or alternatively it can implement its own redirect handling (e.g. with custom protocol).
To use the C++ API, the client application should use the "amberwebauthorization.pc" pkgconfig file.
e.g. in a qmake-based project:
CONFIG += link_pkgconfig PKGCONFIG += amberwebauthorization
It may then
#include <redirectlistener.h> as required.
The QML API is provided through the Amber.Web.Authorization import namespace, and it includes the C++ classes, and can be used in the same way. In addition, the it also provides some flow-specific helpers which expose different properties depending on the requirements of the flow, and which automatically instantiate a RedirectListener by default, to simplify usage by client applications.
The QML types exposed in the QML API are as follows:
- OAuth1, base
- OAuth10a, for
- OAuth2, base
- OAuth2Ac, for
OAuth2Authorization Code flows
- OAuth2AcPkce, for
OAuth2Authorization Code With PKCE flows
- OAuth2Implicit, for
Note that the vast majority of client applications should use the
OAuth2 Authorization Code With PKCE flow, i.e. OAuth2AcPkce type.