diff --git a/index.html b/index.html
index fe3ebcc..e57c50b 100644
--- a/index.html
+++ b/index.html
@@ -143,543 +143,52 @@
-
-
-
-

OAuth3 Playground

-
- -
-
-

Go ahead, test our login

- -
-
- taking my sweet time to do something in the background... -
-
will be used as the login issuer
- - - - - - - - - -
-
- -
-
-
-
-
-
-
- -
-
- -
-
-

Debug & Status Info:

-
-
- -
-
-

JavaScript Framework

- (yes, real runs-in-a-web-browser - and even on Android - ES5.1) -
- (no framework) - - - -
- - - -
- -
var OAUTH3 = require('oauth3.org');
- -
<script src="/assets/oauth3.org/oauth3.core.js"></script>
-<script src="/assets/oauth3.org/oauth3.crypto.js"></script>
-<script src="/assets/oauth3.org/oauth3.issuer.js"></script>
-<script src="/assets/oauth3.org/oauth3.ng.js"></script>
-
-
-
- -
-
-
-
- Client URI: -
- (this is the URL of the application as per window.location.href) -
-
- - - -
OAUTH3.clientUri({ host: "", port: null, pathname: '/' });
-
-
- -
-
-
-
- Subject: -
- (this is either the subject portion or whole address of subject@issuer) -
-
- - - -
address: 
-
subject: 
-
issuer: 
-
-
- -
-
-
-
- Issuer URI: -
- (this is the URL part of subject@issuer) -
-
- - -
-
- -
-
-
-
- Directives Discovery: -
- (this is how we learn if a server support oauth3 and to what extent) -
-
- - -
OAUTH3.urls.discover("", opts);
-
- -
OAUTH3.discover("", opts);
-
- - -
-
-
- -
-
-
-
- Scopes: -
- (these are used to lookup the descriptions of grant permissions) -
-
- - - -
    -
  • - - desc -
  • -
- -
OAUTH3.urls.scope(directives, opts);
-
-
- -
OAUTH3.discoverScopes(directives, opts);
- - -
-
-
- - -
-
-
-
- Authorization Dialog URL -
- (this is what opens the login dialog box with the checkboxes and such) -
-
- - -
OAUTH3.urls.implicitGrant(directives, opts);
-
- -
OAUTH3.implicitGrant(directives, opts);
- - -
-
-
- -
-
-
-
- Logout Dialog URL -
- (this is what opens the logout dialog) -
-
- - -
OAUTH3.urls.logout(directives, opts);
-
- -
OAUTH3.logout(directives, opts);
-
-
- -
-

1st Party and App Login

-
-
-
- Credential Meta URL -
- (Not implemented... anymore) -
- (this is the endpoint that reports if the user exists and what their proof-strategy is) -
-
- - -
OAUTH3.authn.loginMeta(directives, { email: "" });
-
-
-
-
- -
-
-
-
- Credential OTP URL -
- (this is the URL that sends your one-time password via email) -
-
- - -
OAUTH3.authn.otp(directives, { email: "" });
-
-
 
-
-
-
-

-
-
-
-
-
-
- -
-
-
-
- Resource Owner Password URL -
- (this is the URL that native apps and APIs use to login) -
- (it's also a bit of a misnomer, it should be *proof* rather than password) -
-
- - - -
- - -
OAUTH3.authn.resourceOwnerPassword(directives, );
-
-
 
-
-
-
-
-
-
- -
-
-
-
- Session -
- (this is the object that contains meta data about the session, including the access token itself) -
-
- -

-
-
-
- -
-
- -
-
-
-
- Access Token -
- (this is the access token) -
-
-
OAUTH3.jwt.decode(token);
- - - - - - - -
-
-
- - -
-
-
-
- Token Issuer's Public Key -
- (not implemented) -
- (this is the URL that inspects and verifies the token) -
-
- - -
OAUTH3.authn.jwk(directives, token);
- -
-
 
-
-
-
-

-
-
-
- -
-
-
- -
-
-
-
- Verify JWT -
- (not implemented) -
- (ppids can be verified via the public key of the issuer) -
-
- - -
- - -
- - -
OAUTH3.jwt.verify(token, jwk);
-
-
-
-
- -
-
-
-
- Exchange Opaque Token -
- (not implemented) -
- (Opaque tokens are issued serverside - like a traditional OAuth2 token - and do not contain a subject and, therefore, cannot identify a user directly. - They may be used by multiple audiences client-side, but must be exchanged by authorized parties for a ppid access token to verify identity serverside. - They can be refreshed without changing the JTI.) -
-
- - - - -
OAUTH3.authz.exchange(directives, token);
-
-
 
-
-
-
-

-
-
-
-
-
-
- -
-
-
-
- Approved Apps -
- (these are the public keys generated on remember-me devices and the opaque tokens issued to remember-me-not devices) -
-
- -
- -
OAUTH3.urls.grants(directives, opts);
-
OAUTH3.authz.grants(directives, );
- -
-
 
-
-
-
-

-
-
-
-
- ... -
-
- -
-
- Approved Applications: -
-
- ... -
-
- -
-
- -
-
-
-
-
-
-
- -
-
-

Live API

- these are what's actually on the object - -
-
-
- -
-
-

Docs

- -

0. Include the Library -

# Browsers
-  <script src="oauth3.core.js"></script>
-  var OAUTH3 = window.OAUTH3;
-
-  # Node.js
-  var OAUTH3 = require('oauth3.js').OAUTH3;
-  
- -

1. Establish the Client ID by its URI -

# Browsers
-  var clientUri = OAUTH3.clientUri(window.location); // example.com
-
-  # Node.js
-  var clientUri = OAUTH3.clientUri("https://example.com"); // example.com
-  
- -

2. Provide promisable storage hooks for saving sessions and caching directives -

OAUTH3._hooks = {
-    directives: {
-      get: function (providerUri) { ... }
-    , set: function (providerUri, directives) { ... }
-    , all: function () { ... }
-    , clear: function () { ... }
-  , sessions: {
-      get: function (providerUri, id) { ... }
-    , set: function (providerUri, newSession, id) { ... }
-    , all: function (providerUri) { ... }
-    , clear: function (providerUri) { ... }
-    }
-  };
-  
- SECURITY: The default storage engine is window.sessionStorage. Session storage - should be used for app:// urls and localhost urls and other applications - in which the identity of the app is ephemeral, arbitrary, or not distinct. - -

3. Check to see if the user already has a session

-
OAUTH3.hooks.session.get(providerUri).then(function (session) {
-    console.log('[DEBUG] session:');
-    console.log(session);
-  });
-  OAUTH3.hooks.session.all().then(function (sessions) {
-    console.log('[DEBUG] all sessions:');
-    console.log(sessions);
-  });
-  
- Note: expired sessions should not be returned and stale sessions should be refreshed - -

4. Prompt the user for their address and perform the lookup to see if it - has a provider. -

var providerUri = address.split('@')[1] || address;
-  var opts = { client_uri: clientUri };
-  OAUTH3.discover(providerUri, opts).then(function (dir) {
-    console.log('[DEBUG] directives:');
-    console.log(dir);
-  });
-  
- -

4. -


-  
- -
+
+
+

OAuth3

+

A (mostly) client-side authentication and authorization framework for decentralized peer-to-peer and federated networks. +

+
+ Enter the OAuth3 Playground + +
+

Private, Peer-to-Peer, Anonymous: Pick any two... at a time

+
    +
  • Privacy +
  • Peer-to-Peer +
  • Anonymity +
+

OAuth3's federated design allows it to work in all 3 modes of decentralization: +

    +
  • Private, Peer-to-Peer (Trusted model) + + +
  • Private, Anonymous (Escrow / Broker model) + + +
  • Peer-to-Peer, Anonymous (Public Ledger model) + +
+

Authentication, simplified

+
    +
  • A single implementation +
  • No developer keys (uses tls authentication) +
  • Smart scope discovery +
@@ -695,10 +204,5 @@
- - - - -
diff --git a/js/playground.js b/js/playground.js
index 00b231a..1d51d5d 100644
--- a/js/playground.js
+++ b/js/playground.js
@@ -27,7 +27,7 @@
 var vm = this;
 vm.framework = 'none';
- vm.clientUri = OAUTH3.clientUri(window.location);
+ vm.clientUri = OAUTH3.clientUri({ host: window.location.host });
 vm.conf = { debug: undefined, client_id: vm.clientUri, client_uri: vm.clientUri, provider_uri: vm.clientUri };
 vm.providerUri = vm.conf.client_uri;
 // map of things being debounced presently
diff --git a/playground.html b/playground.html
new file mode 100644
index 0000000..5e883fe
--- /dev/null
+++ b/playground.html
@@ -0,0 +1,585 @@
+ + + + + + Login Facilitator: OAuth3.org + + + + + + + + + +
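Review bot: The new `vm.clientUri = OAUTH3.clientUri({ host: window.location.host });` hands only the host to `clientUri`, so `window.location.protocol` (and the path) no longer reach it; whether the result still distinguishes an http: origin from its https: counterpart depends on what `OAUTH3.clientUri` fills in for a missing scheme, which is not visible here and matters because the next line reuses the value as `client_id`, `client_uri` and `provider_uri`. The docs added in the same commit (playground.html, step "1. Establish the Client ID by its URI") still show `OAUTH3.clientUri(window.location)`, so either that sample or this call should be brought in line. A why-comment would spare the next reader the same question, e.g. `// host only: scheme/path are intentionally not taken from window.location — confirm OAUTH3.clientUri supplies the scheme`. The enclosing function starts and ends outside the hunk.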
+
+
+
+

OAuth3 Playground

+
+ +
+
+

Go ahead, test our login

+ +
+
+ taking my sweet time to do something in the background... +
+
will be used as the login issuer
+ + + + + + + + + +
+
+ +
+
+
+
+
+
+
+ +
+
+

Debug & Status Info:

+
+
+ +
+
+

JavaScript Framework

+ (yes, real runs-in-a-web-browser - and even on Android - ES5.1) +
+ (no framework) + + + +
+ + + +
+ +
var OAUTH3 = require('oauth3.org');
+ +
<script src="/assets/oauth3.org/oauth3.core.js"></script>
+<script src="/assets/oauth3.org/oauth3.crypto.js"></script>
+<script src="/assets/oauth3.org/oauth3.issuer.js"></script>
+<script src="/assets/oauth3.org/oauth3.ng.js"></script>
+
+
+
+ +
+
+
+
+ Client URI: +
+ (this is the URL of the application as per window.location.href) +
+
+ + + +
OAUTH3.clientUri({ host: "", port: null, pathname: '/' });
+
+
+ +
+
+
+
+ Subject: +
+ (this is either the subject portion or whole address of subject@issuer) +
+
+ + + +
address: 
+
subject: 
+
issuer: 
+
+
+ +
+
+
+
+ Issuer URI: +
+ (this is the URL part of subject@issuer) +
+
+ + +
+
+ +
+
+
+
+ Directives Discovery: +
+ (this is how we learn if a server support oauth3 and to what extent) +
+
+ + +
OAUTH3.urls.discover("", opts);
+
+ +
OAUTH3.discover("", opts);
+
+ + +
+
+
+ +
+
+
+
+ Scopes: +
+ (these are used to lookup the descriptions of grant permissions) +
+
+ + + +
    +
  • + + desc +
  • +
+ +
OAUTH3.urls.scope(directives, opts);
+
+
+ +
OAUTH3.discoverScopes(directives, opts);
+ + +
+
+
+ + +
+
+
+
+ Authorization Dialog URL +
+ (this is what opens the login dialog box with the checkboxes and such) +
+
+ + +
OAUTH3.urls.implicitGrant(directives, opts);
+
+ +
OAUTH3.implicitGrant(directives, opts);
+ + +
+
+
+ +
+
+
+
+ Refresh Token URL +
+ (This is the URL of the iFrame that completes token refreshes. And it occurs over iFrame rather than API so that no server is required.) +
+
+ + +
OAUTH3.urls.refreshToken(directives, opts);
+
+ +
OAUTH3.refreshToken(directives, opts);
+
+
+ +
+
+
+
+ Logout Dialog URL +
+ (this is what opens the logout dialog) +
+
+ + +
OAUTH3.urls.logout(directives, opts);
+
+ +
OAUTH3.logout(directives, opts);
+
+
+ +
+

1st Party and App Login

+
+
+
+ Credential Meta URL +
+ (Not implemented... anymore) +
+ (this is the endpoint that reports if the user exists and what their proof-strategy is) +
+
+ + +
OAUTH3.authn.loginMeta(directives, { email: "" });
+
+
+
+
+ +
+
+
+
+ Credential OTP URL +
+ (this is the URL that sends your one-time password via email) +
+
+ + +
OAUTH3.authn.otp(directives, { email: "" });
+
+
 
+
+
+
+

+
+
+
+
+
+
+ +
+
+
+
+ Resource Owner Password URL +
+ (this is the URL that native apps and APIs use to login) +
+ (it's also a bit of a misnomer, it should be *proof* rather than password) +
+
+ + + +
+ + +
OAUTH3.urls.resourceOwnerPassword(directives, opts);
+
+
 
+
+
+
+
+ +
OAUTH3.authn.resourceOwnerPassword(directives, );
+
+
+ +
+
+
+
+ Session +
+ (this is the object that contains meta data about the session, including the access token itself) +
+
+ +

+
+
+
+ +
+
+ +
+
+
+
+ Access Token +
+ (this is the access token) +
+
+
OAUTH3.jwt.decode(token);
+ + + + + + + +
+
+
+ + +
+
+
+
+ Token Issuer's Public Key +
+ (not implemented) +
+ (this is the URL that inspects and verifies the token) +
+
+ + +
OAUTH3.authn.jwk(directives, token);
+ +
+
 
+
+
+
+

+
+
+
+ +
+
+
+ +
+
+
+
+ Verify JWT +
+ (not implemented) +
+ (ppids can be verified via the public key of the issuer) +
+
+ + +
+ + +
+ + +
OAUTH3.jwt.verify(token, jwk);
+
+
+
+ +
+
+
+
+ Exchange Opaque Token +
+ (not implemented) +
+ (Opaque tokens are issued serverside - like a traditional OAuth2 token - and do not contain a subject and, therefore, cannot identify a user directly. + They may be used by multiple audiences client-side, but must be exchanged by authorized parties for a ppid access token to verify identity serverside. + They can be refreshed without changing the JTI.) +
+
+ + + + +
OAUTH3.authz.exchange(directives, token);
+
+
 
+
+
+
+

+
+
+
+
+
+
+ +
+
+
+
+ Approved Apps +
+ (these are the public keys generated on remember-me devices and the opaque tokens issued to remember-me-not devices) +
+
+ +
+ +
OAUTH3.urls.grants(directives, opts);
+
OAUTH3.authz.grants(directives, );
+ +
+
 
+
+
+
+

+
+
+
+
+ ... +
+
+ +
+
+ Approved Applications: +
+
+ ... +
+
+ + +
+
+
+
+
+
+
+ +
+
+

Live API

+ these are what's actually on the object + +
+
+
+ +
+
+

Docs

+ +

0. Include the Library +

# Browsers
+  <script src="oauth3.core.js"></script>
+  var OAUTH3 = window.OAUTH3;
+
+  # Node.js
+  var OAUTH3 = require('oauth3.js').OAUTH3;
+  
+ +

1. Establish the Client ID by its URI +

# Browsers
+  var clientUri = OAUTH3.clientUri(window.location); // example.com
+
+  # Node.js
+  var clientUri = OAUTH3.clientUri("https://example.com"); // example.com
+  
+ +

2. Provide promisable storage hooks for saving sessions and caching directives +

OAUTH3._hooks = {
+    directives: {
+      get: function (providerUri) { ... }
+    , set: function (providerUri, directives) { ... }
+    , all: function () { ... }
+    , clear: function () { ... }
+  , sessions: {
+      get: function (providerUri, id) { ... }
+    , set: function (providerUri, newSession, id) { ... }
+    , all: function (providerUri) { ... }
+    , clear: function (providerUri) { ... }
+    }
+  };
+  
+ SECURITY: The default storage engine is window.sessionStorage. Session storage + should be used for app:// urls and localhost urls and other applications + in which the identity of the app is ephemeral, arbitrary, or not distinct. + +

3. Check to see if the user already has a session

+
OAUTH3.hooks.session.get(providerUri).then(function (session) {
+    console.log('[DEBUG] session:');
+    console.log(session);
+  });
+  OAUTH3.hooks.session.all().then(function (sessions) {
+    console.log('[DEBUG] all sessions:');
+    console.log(sessions);
+  });
+  
+ Note: expired sessions should not be returned and stale sessions should be refreshed + +

4. Prompt the user for their address and perform the lookup to see if it + has a provider. +

var providerUri = address.split('@')[1] || address;
+  var opts = { client_uri: clientUri };
+  OAUTH3.discover(providerUri, opts).then(function (dir) {
+    console.log('[DEBUG] directives:');
+    console.log(dir);
+  });
+  
+ +

4. +


+  
+ +
+
+ +
+
+
+ + + + + + + + + + + + + + +
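Review bot: The storage-hooks sample under "2. Provide promisable storage hooks" is not valid JavaScript as written: the `directives: {` object is never closed, because `, clear: function () { ... }` is followed directly by `, sessions: {`, so anyone copying the snippet gets a syntax error; add a `    }` line closing `directives` before `, sessions: {`. The same sample assigns `OAUTH3._hooks` with a `sessions` key, while step 3 calls `OAUTH3.hooks.session.get(providerUri)` and `OAUTH3.hooks.session.all()`, so the two steps disagree on both the property name and its singular/plural form — whichever the library actually reads should be used in both places. Step 3 also calls `all()` with no argument although the hook is declared as `all: function (providerUri)`; either pass it or state that it is optional.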