OAuth2 example does not work #873

Closed
ms499 opened this issue Nov 18, 2022 · 7 comments
Labels: binding-http, bug, core, examples


ms499 commented Nov 18, 2022

With @egekorkan I have discussed this issue. I tried to run the example oauth code provided. I have not changed any code and simply followed the instruction mentioned in the Readme.md file but nothing was getting printed when I ran the consumer.js file. Then I enabled the debug level so that the exposer.js can print the log and I saw the following error:
'node-wot:cli:cli:error WoT-Servient cannot start. Error: Servient does not support thing security schemes. Current scheme supported: OAuth secCandidate'

https://github.com/eclipse/thingweb.node-wot/tree/master/examples/security/oauth

@danielpeintner (Member)

relu91 added the bug and examples labels Jan 9, 2023
relu91 self-assigned this Jan 9, 2023

relu91 commented Jan 18, 2023

As mentioned above the source of this issue is coming from the ExposedThingInit, but that's not the whole story. The problem is that HttpsServer currently supports only one scheme at a time. Therefore, the CLI cannot expose its base Servient thing because it wants it to use the no_sec security scheme.

relu91 added the binding-http and core labels Jan 18, 2023

relu91 commented Jan 18, 2023

@danielpeintner @egekorkan @sebastiankb should HTTPServer support multiple security schemes at once?

@danielpeintner (Member)

Mhh, good question. I can see use-cases where an HTTP server might be allowing multiple security schemes but I do not know the consequences w.r.t. implementation 🤔

@egekorkan (Member)

I do not have a very good answer but an answer at least:

  • It should be able to, so that it can support the features (combo sec) of the TD. We do not have to support all features though.
  • Support on the client side is needed in order to consume TDs such as https://github.com/w3c/wot-testing/blob/main/data/input_2022/TD/philips-hue/TDs/tum-light1.td.jsonld
  • A use case I can think of is related to the TD example above. That one exists because we have a simple HTTPS proxy that changes only the domain name of the local device with a public domain name (and adds basic auth). Since hue devices use API Key in the URL as a security scheme, those URIs are still visible in the public TD. If someone wants to do exactly this where the proxy is done with node-wot, that proxy's HTTP server needs to support two security schemes. This is an AND relationship (allOf in comboSec). This is bad practice all over but a possibility.
  • A more likely use case is if I want to have a TD where local IP address forms use nosec and the public IP address forms use basic auth. This is an OR relationship (oneOf in combo sec).

Summary of my thoughts would be to classify this feature as a nice-to-have but the original issue should be fixed.
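
The `allOf` and `oneOf` relationships from the comment above, worked through as an added example (not node-wot code and not part of the thread): it evaluates a TD `combo` security definition against the definitions a request has passed, and lists the leaf schemes a server would have to implement to expose such a Thing. The `securityDefinitions` object and its definition names are constructed for illustration.

```javascript
// Added example, not node-wot code. Constructed TD fragment: the definition
// names (local_sc, public_sc, key_sc, either_sc, proxy_sc) are made up.
const defs = {
  local_sc: { scheme: "nosec" },
  public_sc: { scheme: "basic", in: "header" },
  key_sc: { scheme: "apikey", in: "query", name: "key" },
  either_sc: { scheme: "combo", oneOf: ["local_sc", "public_sc"] }, // OR case
  proxy_sc: { scheme: "combo", allOf: ["public_sc", "key_sc"] },    // AND case
};

// Look up a definition and, for combo, return its member names and mode.
function expand(defs, name, seen) {
  const def = defs[name];
  if (!def) throw new Error(`unknown security definition: ${name}`);
  if (seen.has(name)) throw new Error(`cyclic combo: ${name}`);
  if (def.scheme !== "combo") return { def, members: null };
  const hasOne = Array.isArray(def.oneOf), hasAll = Array.isArray(def.allOf);
  if (hasOne === hasAll) throw new Error(`${name}: need exactly one of oneOf/allOf`);
  const members = hasOne ? def.oneOf : def.allOf;
  // Fail closed: an empty allOf would otherwise be vacuously satisfied.
  if (members.length === 0) throw new Error(`${name}: empty combo`);
  return { def, members, any: hasOne };
}

// True when the definitions a request passed (`passed`, a Set of names)
// meet requirement `name`. nosec leaves need no credentials.
function satisfies(defs, name, passed, seen = new Set()) {
  const { def, members, any } = expand(defs, name, seen);
  if (!members) return def.scheme === "nosec" || passed.has(name);
  const next = new Set(seen).add(name);
  const ok = (m) => satisfies(defs, m, passed, next);
  return any ? members.some(ok) : members.every(ok);
}

// Leaf schemes a server must implement to expose a Thing requiring `name`.
function leafSchemes(defs, name, seen = new Set()) {
  const { def, members } = expand(defs, name, seen);
  if (!members) return new Set([def.scheme]);
  const next = new Set(seen).add(name);
  return new Set(members.flatMap((m) => [...leafSchemes(defs, m, next)]));
}
```

With these definitions `either_sc` is satisfied by a request that carries no credentials, because one of its members is `nosec`; the local/public split therefore has to be enforced by where each form is reachable, not by the combo alone.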


relu91 commented Aug 3, 2023

> As mentioned above the source of this issue is coming from the ExposedThingInit, but that's not the whole story. The problem is that HttpsServer currently supports only one scheme at a time. Therefore, the CLI cannot expose its base Servient thing because it wants it to use the no_sec security scheme.

Linking my comment to a previous issue #204. Basically this is another reason why we should support multiple security schemes -> different web things might need different security mechanisms.

relu91 added a commit to relu91/thingweb.node-wot that referenced this issue Sep 5, 2023
Note that this means that the server is able to expose Things with different
security requirements. For example, it is possible to now have a Thing
with `nosec` security scheme and one with `basic` security scheme. As a
side effect, the OAuth example now works as explained in eclipse-thingweb#873.

Fix eclipse-thingweb#204 eclipse-thingweb#873
danielpeintner pushed a commit that referenced this issue Sep 8, 2023
* feat(http-binding): add supports for multiple security schemes

Note that this means that the server is able to expose Things with different
security requirements. For example, it is possible to now have a Thing
with `nosec` security scheme and one with `basic` security scheme. As a
side effect, the OAuth example now works as explained in #873.

Fix #204 #873

* refactor(binding-http/http-server): rename supportedSecuritySchemes

* refactor(binding-http/routes/common): rename utility functions

* fix(binding-http/routers): handle cors for no-thing paths

* fixup! fix(binding-http/routers): handle cors for no-thing paths
@danielpeintner (Member)

fixed by #1070
