Official Docs can be found here
- Postgres
  - Apache DBCP2 (Database Connection Pooling v2)
- Multi-Factor Authentication
  - Time-based One Time Passwords (TOTP), e.g. Google Authenticator
- MongoDB authentication backend
- Customized login web flow prompts
  - Login, Logout, One Time Password, Verification Key
  - OAuth Application Approval
  - Login from external form
Roadmap 4.1 OAuth Server Support
- Token Registry
  - JPA
- Scope Managers
  - Simple OAuth Scope Handler
  - Open Science Framework Scope Handler (MongoDB)
- Tokens
  - Client Side & Web Application Server Response Types
    - Authorization Code
    - Token
  - Refresh Token Support
  - Revoke Access Tokens & Refresh Tokens
  - Personal Access Tokens (Optional)
  - CAS Login Access Tokens (Optional)
- Service Specific Attribute Release
- Delegated Ticket Expiration
  - Access Token: 60 minutes
  - Refresh Token: never-expire
- Application Integration & Maintenance Actions
  - User Actions
    - List Authorized Applications
    - Revoke Application Tokens
  - User Owned Applications & Stats
    - Active User Count
    - Revoke All Tokens
- User Actions
Provides the user's principal id, any released attributes and the list of granted scopes for the presented Access Token.
GET: /oauth2/profile
```
https://accounts.osf.io/oauth2/profile
Authorization: Bearer AT-1-...
```
```json
{
    "id": "unique-user-identifier",
    "scope": ["user.email", "user.profile"]
}
```
Server-side authorization of scopes for a web application (confidential) client. The user is sent to this endpoint and, after approving the requested scopes, is redirected back to `redirect_uri` with an Authorization Code; the client must then follow up with the Authorization Code exchange at /oauth2/token to obtain tokens.
GET: /oauth2/authorize
```
https://accounts.osf.io/oauth2/authorize?response_type=code&client_id=gJgfkHAtz&redirect_uri=https%3A%2F%2Fmy-application%2Foauth%2Fcallback%2Fosf%2F&scope=user.profile%2Bwrite&state=FSyUOBgWiki_hyaBsa
```
Parameter | Value | Description |
---|---|---|
response_type | code | ... |
client_id | ... | ... |
redirect_uri | ... | ... |
scope | ... | ... |
state | ... | ... |
access_type | online / offline | ... |
approval_prompt | auto / force | ... |
Redirect back to the client on approval; the `state` value must be checked against the one sent in the request before the code is used:
```
https://my-application/oauth/callback/osf/?code=AC-1-3BfTHEimiGXAQPerA6Zq6cvOszjXAhzHLNQnVJhv3UPifgwVpn&state=FSyUOBgWiki_hyaBsa
```
Parameter | Value | Description |
---|---|---|
code | AC-1-... | ... |
state | ... | ... |
Allows client-side JavaScript to request specified scopes for authorization and receive an Access Token directly in the redirect fragment; this response type returns no Refresh Token.
GET: /oauth2/authorize
```
https://accounts.osf.io/oauth2/authorize?response_type=token&client_id=gJgfkHAtz&redirect_uri=https%3A%2F%2Fmy-application%2Foauth%2Fcallback%2Fosf%2F&scope=user.profile%2Bwrite&state=FSyUOBgWiki_hyaBsa
```
Parameter | Value | Description |
---|---|---|
response_type | token | ... |
client_id | ... | ... |
redirect_uri | ... | ... |
scope | ... | ... |
state | ... | ... |
approval_prompt | auto / force | ... |
Redirect back to the client on approval; the token travels in the URL fragment, which the browser does not send to the server:
```
https://my-application/oauth/callback/osf/#access_token=AT-1-E9wpSxcUatFazdGtFFVO21i4exU9RypHbhcacgoktZ7TPUGGVf3KDuMq2RxGzKXZ6FO6if&expires_in=3600&token_type=Bearer&state=FSyUOBgWiki_hyaBsa
```
Parameter | Value | Description |
---|---|---|
access_token | ... | ... |
expires_in | ... | ... |
token_type | Bearer | ... |
state | ... | ... |
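The client side of the two authorization flows above, as an added example that is not code from the cas-overlay project: building the `/oauth2/authorize` redirect with a fresh `state`, then validating the `code` callback (query string) and the `token` callback (fragment). The endpoint and parameter names are the page's; `issue_state`, `authorize_url`, `parse_code_callback` and `parse_token_callback` are hypothetical helper names, and the `SAMPLE_*` URLs are the page's example callbacks used as constructed input.

```python
"""Client-side handling of the /oauth2/authorize exchange described above.

Added example, not code from the cas-overlay project. Endpoint and parameter
names are the page's; the helper names are hypothetical and the SAMPLE_*
callback URLs are the page's examples used here as constructed input.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://accounts.osf.io/oauth2/authorize"

SAMPLE_CODE_CALLBACK = (
    "https://my-application/oauth/callback/osf/"
    "?code=AC-1-3BfTHEimiGXAQPerA6Zq6cvOszjXAhzHLNQnVJhv3UPifgwVpn"
    "&state=FSyUOBgWiki_hyaBsa"
)
SAMPLE_TOKEN_CALLBACK = (
    "https://my-application/oauth/callback/osf/"
    "#access_token=AT-1-E9wpSxcUatFazdGtFFVO21i4exU9RypHbhcacgoktZ7TPUGGVf3KDuMq2RxGzKXZ6FO6if"
    "&expires_in=3600&token_type=Bearer&state=FSyUOBgWiki_hyaBsa"
)


def issue_state() -> str:
    """Fresh unguessable state per authorization request. Store it in the
    user's session before redirecting so the callback can be bound to it."""
    return secrets.token_urlsafe(24)


def authorize_url(client_id, redirect_uri, scopes, state, response_type="code",
                  access_type=None, approval_prompt=None):
    """Build the redirect to /oauth2/authorize. Scopes are joined with '+'
    exactly as the page's example encodes them (scope=user.profile%2Bwrite)."""
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "+".join(scopes),
        "state": state,
    }
    if access_type is not None:      # "offline" is what earns a Refresh Token
        params["access_type"] = access_type
    if approval_prompt is not None:  # "auto" or "force"
        params["approval_prompt"] = approval_prompt
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _single(values, key):
    """Exactly one value per parameter; duplicates are refused, not guessed."""
    vals = values.get(key, [])
    if len(vals) != 1:
        raise ValueError(f"expected exactly one {key!r} parameter")
    return vals[0]


def _check_state(returned, expected):
    # Constant-time compare; a mismatch means CSRF or a replayed/stale callback.
    if not hmac.compare_digest(returned.encode(), expected.encode()):
        raise ValueError("state mismatch")


def parse_code_callback(url, expected_state):
    """response_type=code: the code comes back in the query string and is only
    accepted when the state matches the one issued for this session."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    _check_state(_single(query, "state"), expected_state)
    return _single(query, "code")


def parse_token_callback(url, expected_state):
    """response_type=token: the token comes back in the URL fragment, which the
    browser never sends to the server, so in practice this runs in page
    JavaScript; the checks are the same."""
    frag = parse_qs(urlsplit(url).fragment, keep_blank_values=True)
    _check_state(_single(frag, "state"), expected_state)
    if _single(frag, "token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": _single(frag, "access_token"),
            "expires_in": int(_single(frag, "expires_in"))}
```

The `state` check is what ties the callback to the browser that started the flow; without it an attacker can complete the flow with a code or token issued to their own account and have it bound to the victim's session. The code returned by `parse_code_callback` is then sent to `/oauth2/token` as described below.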
Exchange of an Authorization Code for an Access Token and, if the authorization request was made with access_type offline, a Refresh Token as well. The client authenticates with its client_secret here; the secret is sent only in this server-to-server POST and never in a browser redirect.
POST: /oauth2/token
```
https://accounts.osf.io/oauth2/token
```
Parameter | Value | Description |
---|---|---|
code | ... | ... |
client_id | ... | ... |
client_secret | ... | ... |
redirect_uri | ... | ... |
grant_type | authorization_code | ... |
```json
{
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "RT-1-SjLa4ReI4KxcxKzEj1TtIWMTEwcMY26pSy6SftrObikpsbtInb",
    "access_token": "AT-1-adg7yMBUbyO4zSPVqFj2HZzOsTqNtJ5ebgk25y5UbTt4HV5W1EQ45b6PvpDtEABsaXXFBS"
}
```
Parameter | Value | Description |
---|---|---|
token_type | Bearer | ... |
expires_in | ... | ... |
refresh_token | ... | Included only when the authorization request was made with access_type offline. |
access_token | ... | ... |
An application authorized with access_type offline may present its Refresh Token to this endpoint to obtain a new Access Token once the old one expires. Because Refresh Tokens never expire on their own (see Delegated Ticket Expiration above), they must be stored as carefully as a credential and revoked when no longer needed.
POST: /oauth2/token
```
https://accounts.osf.io/oauth2/token
```
Parameter | Value | Description |
---|---|---|
refresh_token | ... | ... |
client_id | ... | ... |
client_secret | ... | ... |
grant_type | refresh_token | ... |
```json
{
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "AT-2-adg7yMBUbyO4zSPVqFj2HZzOsTqNtJ5ebgk25y5UbTt4HV5W1EQ45b6PvpDtEABsaXXFBS"
}
```
Parameter | Value | Description |
---|---|---|
token_type | Bearer | ... |
expires_in | ... | ... |
access_token | ... | ... |
Handles revocation of Refresh and Access Tokens.
POST: /oauth2/revoke
https://accounts.osf.io/oauth2/revoke
Parameter | Value | Description |
---|---|---|
token | ... | ... |
HTTP 204 NO CONTENT
e.g. user revokes application access
Revocation of all tokens for the specified Client ID that belong to the Principal ID of the presented Access Token.
If the presented Access Token is a CAS Login Access Token, any valid Client ID may be specified; otherwise the Access Token may only revoke tokens for the Client ID it was issued to.
POST: /oauth2/revoke
https://accounts.osf.io/oauth2/revoke
Authorization: Bearer AT-1-...
Parameter | Value | Description |
---|---|---|
client_id | ... | ... |
HTTP 204 NO CONTENT
e.g. application administrator revokes all tokens
Revocation of all Tokens associated with the given Client ID.
POST: /oauth2/revoke
https://accounts.osf.io/oauth2/revoke
Parameter | Value | Description |
---|---|---|
client_id | ... | ... |
client_secret | ... | ... |
HTTP 204 NO CONTENT
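The token lifecycle documented in the three sections above (Authorization Code exchange, Refresh Token use, and revocation at `/oauth2/revoke`), as an added example that is not cas-overlay code. `OAuthClient` takes a `post(url, data)` callable returning `(status, json_body)` so it can be driven by `requests.post` in production; here it is driven by `FakeTokenServer`, a constructed stand-in that follows only what the page states (an offline exchange yields an Access Token plus a Refresh Token, a refresh yields a fresh Access Token, revocation answers HTTP 204, and a Refresh Token never expires on its own). Its token formats, error bodies, and single-use treatment of codes are assumptions, not the real server's behaviour.

```python
"""Token lifecycle against /oauth2/token and /oauth2/revoke as documented above.

Added example, not cas-overlay code. FakeTokenServer is a constructed stand-in
whose token formats, error bodies and single-use codes are assumptions.
"""
import secrets

TOKEN_ENDPOINT = "https://accounts.osf.io/oauth2/token"
REVOKE_ENDPOINT = "https://accounts.osf.io/oauth2/revoke"


class OAuthError(Exception):
    """Raised when an endpoint answers with anything but the documented success."""


class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, post):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self._post = redirect_uri, post

    def _creds(self):  # secret goes only in these POST bodies; keep it out of logs
        return {"client_id": self.client_id, "client_secret": self.client_secret}

    def exchange_code(self, code):
        status, body = self._post(TOKEN_ENDPOINT, {
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri, **self._creds()})
        return self._tokens(status, body)

    def refresh(self, refresh_token):
        status, body = self._post(TOKEN_ENDPOINT, {
            "grant_type": "refresh_token", "refresh_token": refresh_token,
            **self._creds()})
        return self._tokens(status, body)

    def revoke_token(self, token):
        """Revoke one Access or Refresh Token (the user-revokes-access case)."""
        if self._post(REVOKE_ENDPOINT, {"token": token})[0] != 204:
            raise OAuthError("revoke failed")

    def revoke_all_for_client(self):
        """Application administrator revokes every token issued to this client."""
        if self._post(REVOKE_ENDPOINT, self._creds())[0] != 204:
            raise OAuthError("revoke-all failed")

    @staticmethod
    def _tokens(status, body):
        if status != 200 or not body or body.get("token_type") != "Bearer":
            raise OAuthError(f"token request failed: HTTP {status} {body}")
        return body


class FakeTokenServer:
    """Constructed stand-in for the two endpoints; not the real OSF server."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client, self.redirect_uri = (client_id, client_secret), redirect_uri
        self.codes = {}   # code -> access_type, removed on first use
        self.live = {}    # token -> "access" | "refresh", removed on revocation
        self.generation = 0

    def issue_code(self, access_type="online"):
        code = f"AC-1-{secrets.token_urlsafe(24)}"
        self.codes[code] = access_type
        return code

    def post(self, url, data):
        if url == TOKEN_ENDPOINT:
            return self._token(data)
        if url == REVOKE_ENDPOINT:
            return self._revoke(data)
        return 404, None

    def _client_ok(self, data):
        return (data.get("client_id"), data.get("client_secret")) == self.client

    def _new_access(self):
        self.generation += 1
        at = f"AT-{self.generation}-{secrets.token_urlsafe(24)}"
        self.live[at] = "access"
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": at}

    def _token(self, data):
        if not self._client_ok(data):
            return 401, {"error": "invalid_client"}
        if data.get("grant_type") == "authorization_code":
            access_type = self.codes.pop(data.get("code"), None)
            if access_type is None or data.get("redirect_uri") != self.redirect_uri:
                return 400, {"error": "invalid_grant"}
            body = self._new_access()
            if access_type == "offline":  # only offline requests earn a Refresh Token
                rt = f"RT-1-{secrets.token_urlsafe(24)}"
                self.live[rt] = "refresh"
                body["refresh_token"] = rt
            return 200, body
        if data.get("grant_type") == "refresh_token":
            if self.live.get(data.get("refresh_token")) != "refresh":
                return 400, {"error": "invalid_grant"}
            return 200, self._new_access()
        return 400, {"error": "unsupported_grant_type"}

    def _revoke(self, data):
        if "token" in data:
            self.live.pop(data["token"], None)  # unknown tokens still get 204
            return 204, None
        if self._client_ok(data):
            self.live.clear()
            return 204, None
        return 401, None
```

The points worth checking against a real deployment are the ones the fake makes explicit: a code is accepted once, an online exchange yields no Refresh Token, a revoked Refresh Token can no longer mint Access Tokens, and revocation of an unknown token is not an error.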
e.g. list applications authorized to access the user's account
Gathers metadata about the applications holding tokens for the Principal ID of the presented Access Token.
The presented Access Token must be a CAS Login Access Token.
POST: /oauth2/metadata
https://accounts.osf.io/oauth2/metadata
Authorization: Bearer AT-1-...
```json
[
    {
        "id": "gJgfkHAtz",
        "name": "Application #1",
        "description": "A simple oauth application",
        "scope": [
            "user.email",
            "profile.basic"
        ]
    },
    {
        "id": "Joiuhwkjsl",
        "name": "Third Party Application #2",
        "description": "An oauth application",
        "scope": [
            "nodes.create"
        ]
    }
]
```
e.g. application information, user count, etc...
Provides metadata about the Client ID specified.
POST: /oauth2/metadata
https://accounts.osf.io/oauth2/metadata
Parameter | Value | Description |
---|---|---|
client_id | ... | ... |
client_secret | ... | ... |
```json
{
    "id": "gJgfkHAtz",
    "name": "Application #1",
    "description": "A simple oauth application",
    "users": 9001
}
```
- Merging Service Registry Loader
  - JSON Service Registry
  - Open Science Framework Service Registry (MongoDB & OAuth)
- Startup Server Command
  ```shell
  mvn -pl cas-server-webapp/ jetty:run
  ```
  - Optimized for faster builds

If you have trouble building CAS via `mvn clean install`, you may need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files". Follow these instructions to unpack the zip file, back up the existing policy files, and install the new, stronger cryptography policy files. This step applies to older Java 8 releases only: from Java 8u161 onward (and in Java 9 and later) the unlimited policy is enabled by default and no extra files are needed.
- Request Throttling
- Jetty JPA Shared Sessions