OAuth2 is a protocol that allows application request authorization to the Nuxeo Platform without getting user's password (since Nuxeo Platform 5.9.2).
Nuxeo tries to stay very close to the OAuth2 RFC memorandum to ease client integration. Before going any further, because OAuth2 makes a lot of exchanges with clients using query parameters, you must ensure to have configured a TLS.
RFC describes two endpoints:
- an Authorization endpoint used by the client to obtain authorization from the resource owner via user-agent redirection,
- a Token endpoint used by the client to exchange an authorization grant for an access token, typically with client authentication.
Client Registration
Nuxeo allows you to register client, to specify an arbitrary name, a clientId and a clientSecret. To register your own, go to the Admin tab, OAuth and Consumers tab.
Authorization Endpoint
Requesting an Authorization Code
GET https://NUXEO_SERVER/oauth2/authorization
Query parameters:
| Name | Type | Description |
|---|---|---|
| response_type | string |
REQUIRED. The value must be code for requesting an authorization code.
|
| state | string | An opaque value used by the client to maintain state between the request and callback. |
| scope | Ignored in our implementation. | |
| redirect_uri | string | REQUIRED. An absolute URI where the redirection is done after completing the interaction. |
| client_id | string | REQUIRED. An enabled client identification. |
https://NUXEO_SERVER/nuxeo/oauth2Grant.jsp which is behind the default NuxeoAuthenticationFilter. That lets you customize the way you want your users to identify themselves.
GET https://NUXEO_SERVER/oauth2/token
Query parameters:
| Name | Type | Description |
|---|---|---|
| grant_type | string |
REQUIRED. The value must be authorization_code for requesting an access token.
|
| code | string | REQUIRED. The authorization code received from the Authorization endpoint. |
| redirect_uri | string | REQUIRED. Must be the same as previously sent to the Authorization endpoint. |
| client_id | string | REQUIRED. Must be the same as previously sent to the Authorization endpoint. |
| client_secret | string | REQUIRED. Client's secret. |
Response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"H8dXDdEW9U2jJnFDh6lJJ74AHRzCyG4D",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"Amz8JlyglhGWDmYHMYS5EnTTFUFAwZLiHG4aqQDfkwUNunSMpTTSFUmvprX3WdSF",
}
Refreshing an Access Token
GET https://NUXEO_SERVER/oauth2/token
Query parameters:
| Name | Type | Description |
|---|---|---|
| grant_type | string |
REQUIRED. The value must be refresh_token for requesting an access token.
|
| refresh_token | string | REQUIRED. A Refresh Token bound to the same Client. |
| client_id | string | REQUIRED. Must be the same as previously sent to the Authorization endpoint. |
| client_secret | string | REQUIRED. Client's secret. |
Response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"H8dXDdEW9U2jJnFDh6lJJ74AHRzCyG4D",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"Amz8JlyglhGWDmYHMYS5EnTTFUFAwZLiHG4aqQDfkwUNunSMpTTSFUmvprX3WdSF",
}
Authentication Using an Access Token
Once you have a valid access token, you have to pass it in each requests as an Authorization header. Like below using curl:
curl -H "Authorization: Bearer gsQwO6X4zdOOegaR1EZEpRNJ2LK6J8d6" http://NUXEO_SERVER/nuxeo/nxdoc/default/d3db3184-c444-40a4-b838-dfde41ba06a4/view_documents