This adds an OAuth2 server to your IPS Community Suite 4. This allows external applications to authenticate and authorize against your IPS4 membership.
Administrators looking to integrate external applications with their IPS4 site via OAuth2 will need to register those applications with the IPS4 Admin Control Panel (ACP).
- Download the latest version of OAuth2 Server for IPS4 from the Invision Power Marketplace.
- Unzip the archive and locate the
oauth2server.tar
file. - Navigate to your site's Application list (ACP > System > Site Features > Applications).
- Click the Install button and upload the
oauth2server.tar
file.
- Visit the settings panel under ACP > Community > OAuth2 Server > Applications.
- Click the Add Application button.
- Enter your application's name and its Redirect URI. The Redirect URI is typically found in your application's OAuth settings or documentation. Be sure to match whether it is SSL-enabled or not (http:// vs. https://).
- Click Save.
- Select the user groups you wish to be able to authenticate and authorize
- At the list of Applications, click on the Edit pencil.
- Take note of the application's Client ID, Client Secret, and Authorization, Access Token, and Profile URLs. Your application will need all of these values to complete its OAuth configuration. Be sure to match whether your IPS4 installation is SSL-enabled or not (http:// vs. https://).
The following applications have been tested against the OAuth Server for IPS4 integration:
- Rocket.Chat (May 2016)
OAuth2 integration is a 4 step process.
GET http(s)://ipboard/applications/oauth2server/interface/oauth/authorize.php?...
Name | Type | Description |
---|---|---|
client_id |
string |
Required. The client ID generated when creating the application in AdminCP. |
redirect_uri |
string |
Required. The URL in your app where users will be sent after authorization. |
state |
string |
Required. An unguessable random string. It is used to protect against cross-site request forgery attacks. |
response_type |
string |
Required. Value is typically code . |
scope |
string |
Optional. Value is a space (%2C ) delimited list of requested scopes. Currently supported scopes: user.profile , user.email , user.groups , user.reputation . |
If the user is not logged into IPS4, they will be presented with a login screen. If this is the first time that the user has accessed the OAuth integration from this application, they will be presented with a simple form to authorize the integration (with Yes/No buttons).
Assuming the user picks Yes in the authorization form (or has previously done so), IPS4 will redirect to the Application's Redirect URI, with a temporary code in the code
parameter and a copy of the state
parameter previously provided. The application should check the state
parameter to match; if it does not, the request may have been created by a malicious third party and the process should be aborted.
POST http(s)://ipboard/applications/oauth2server/interface/oauth/token.php
Name | Type | Description |
---|---|---|
grant_type |
string |
Required. Typical value is authorization_code . |
client_id |
string |
Required. The client ID generated when creating the application in the IPS4 AdminCP. |
client_secret |
string |
Required. The client secret generated when creating the application in the IPS4 AdminCP. |
redirect_uri |
string |
The URL in your app where users will be sent after authorization. |
code |
string |
Required. The code you received as a response in Step 2, above. |
{
"access_token": "abcdefabcdefabcdefabcdefabcdefabcdefabc",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "user.profile user.email",
"refresh_token": "123456123456123456123456123456123456123"
}
GET http(s)://ipboard/applications/oauth2server/interface/oauth/me.php?...
Name | Type | Description |
---|---|---|
access_token |
string |
Required. The access token provided in Step 3 above. |
Note that you can also pass the token in the HTTP Authorization header, e.g.:
Authorization: Bearer <access_token>
For example, this can be done in curl as follows:
curl -H "Authorization: Bearer <access_token>" https://ipboard/applications/oauth2server/interface/oauth/me.php
{
"id": 44,
"username": "wohali",
"displayName": "wohali",
"email": "[email protected]",
"profileUrl": "https:\/\/ipboard\/profile\/44-wohali\/",
"avatar": "https:\/\/ipboard\/uploads\/profile\/photo-thumb-44.png"
}
- OAuth2 Server for IP.Board 3 by freezy.
- OAuth 2.0 Server for PHP, an excellent OAuth2 library in PHP
GPLv2. See LICENSE.