Multiple authorizations to the same third party for different usage points.
Support for multiple authorizations to the same third party for different usage points. Currently, a second authorization for another usage point returns the previous authorization details instead of creating a new authorization. As the OAuth scope string is the same in both cases, the Spring OAuth layer returns the existing valid authorization details.
This is a basic feature of the Spring Security OAuth framework. Access tokens are granted based on clientId, Secret and Scope. Therefore, if multiple access tokens are requested with identical clientId, Secret and Scope, the framework re-issues the existing access token. In order to obtain unique access tokens, the Scope string must be different.
How can we make the scope dynamic for normal authorization?
The requested scope needs to be a subset of the scope defined in the OAuth client details. The scope in the OAuth client details needs to be generic and not specific to any customer. Also, the scope boundary cannot be changed programmatically.
The currently defined Scope configuration for the OpenESPI Spring Security OAuth framework requires the Scope to match pre-assigned Scope strings character-by-character.
The requirement you have presented is an enhancement to the currently deployed software. Is this required for the London Hydro deployment or can it be made a 1.3 Milestone feature?
Can you provide a list of the various Scope string values that you are attempting to utilize in order to obtain unique access tokens for different usage points? A Use Case would be very beneficial.
In our implementation we have a single scope in the OAuth client details: FB=4_5_15;IntervalDuration=3600;BlockDuration=daily;HistoryLength=13. The user has three usage points, e.g. UP#1, UP#2, UP#3. Our objective is to authorize each usage point individually. We can successfully perform authorization for UP#1 with TP#1, resulting in AUTH#1. When we tried to authorize UP#2 to TP#1, Spring OAuth returned AUTH#1, as the scope string is the same in both cases: "FB=4_5_15;IntervalDuration=3600;BlockDuration=daily;HistoryLength=13"
What grant_type are you using to request the OAuth access token? Is it a grant_type of "code" or "client_credentials"? If grant_type is "code" is it the same user on the Third Party application requesting the access token for UP#1 and UP#2?
Do you have a Wireshark capture file for the two attempts?
The grant type is authorization_code. Yes, as UP#1 and UP#2 belong to the same customer, from the third party side the same user is requesting the authorization.
In that case, the Spring Security OAuth framework views the second request as an identical request as the first and therefore re-issues the same access token for the second request. Since the second request is from the same user as the first and uses the same Scope string, the Spring Security Framework cannot differentiate that you are attempting to isolate UP#1, UP#2 and UP#3 to unique access tokens.
The single access token grants the Third Party access to all of a user's Usage Points. Therefore to access a single Usage Point they need to indicate in the GET RESTful API the specific Usage Point they are interested in by using the following API:
GET https://sandbox.greenbuttonalliance.org:8443/DataCustodian/espi/1_1/resource/UsagePoint/{usagePointId}
Don,
Is it not possible to relate the actual resource(s) to the access flow, so you could allow discrimination of the type Dibyendu is describing? We could accomplish this by:
- extending the current scope string to have an optional resourceUri (similar to the way Google handles scope)
and
- ensuring that the resourceUri (currently in the Authorization resource) correctly reflects that optional extension in #1 above.
jt
On Wed, Aug 27, 2014 at 1:35 PM, Donald F Coffin [email protected] wrote:
In that case, the Spring Security OAuth framework views the second request as an identical request as the first and therefore re-issues the same access token for the second request. Since the second request is from the same user as the first and uses the same Scope string, the Spring Security Framework cannot differentiate that you are attempting to isolate UP#1, UP#2 and UP#3 to unique access tokens.
The single access token grants the Third Party access to all of a user's Usage Points. Therefore to access a single Usage Point they need to indicate in the GET RESTful API the specific Usage Point they are interested in by using the following API:
GET https://services.greenbuttondata.org/DataCustodian/espi/1_1/resource/UsagePoint/{usagePointId}
— Reply to this email directly or view it on GitHub: https://github.com/energyos/OpenESPI-DataCustodian-java/issues/171#issuecomment-53628036
Unfortunately, the Spring Security OAuth framework uses a scope evaluation process which requires a scope string to match character-by-character one of the allowed scope strings. Therefore there are two issues with your proposal:
- London Hydro only wants a single scope string definition
- Multiple scope strings would need to be defined, with each string referencing a specific resourceURI for which the Third Party is attempting to obtain an access token. Thus, the resourceURI cannot be optional, nor will a generic resourceURI (e.g. {usagePointId}) be acceptable.
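To make the two behaviours discussed in this thread concrete (the re-issued AUTH#1 for UP#2, and the proposed resourceUri extension to the scope string), here is a small model written for this page; it is not OpenESPI or Spring Security OAuth code. The ESPI scope format and the resourceUri parameter come from the thread; the store, function names and the sample resource paths are assumptions.

```python
# Added example (not OpenESPI or Spring Security OAuth code): a model of how
# the scope string decides whether a second authorization request is "the
# same" as the first. The AuthorizationStore keyed on (clientId, user, scope)
# is a hypothetical stand-in for the framework's token lookup.
BASE_SCOPE = "FB=4_5_15;IntervalDuration=3600;BlockDuration=daily;HistoryLength=13"
ALLOWED_SCOPES = {BASE_SCOPE}   # the single scope string defined in the client details

def parse_scope(scope):
    """Split 'k=v;k=v' into a dict, rejecting empty keys, missing '=' and duplicates."""
    params = {}
    for part in filter(None, scope.split(";")):
        key, sep, value = part.partition("=")
        if not sep or not key or key in params:
            raise ValueError(f"malformed scope parameter: {part!r}")
        params[key] = value
    return params

def validate_exact(scope, allowed=ALLOWED_SCOPES):
    """Current behaviour: the requested string must equal an allowed string
    character-by-character, so no per-resource information can be carried."""
    if scope not in allowed:
        raise ValueError("scope not allowed")
    return None

def validate_with_resource(scope, allowed=ALLOWED_SCOPES):
    """Proposed behaviour: an optional resourceUri is stripped before comparison;
    every remaining parameter must still match an allowed scope exactly, so the
    Third Party cannot widen FB, IntervalDuration, BlockDuration or HistoryLength."""
    params = parse_scope(scope)
    resource = params.pop("resourceUri", None)
    if not any(parse_scope(a) == params for a in allowed):
        raise ValueError("scope not allowed")
    return resource

class AuthorizationStore:
    """Re-issues the existing authorization when clientId, user and scope repeat."""
    def __init__(self, validate):
        self.validate = validate
        self.by_key = {}

    def authorize(self, client_id, user, scope):
        resource = self.validate(scope)          # raises on a disallowed scope
        key = (client_id, user, scope)
        if key not in self.by_key:
            self.by_key[key] = (f"AUTH#{len(self.by_key) + 1}", resource)
        return self.by_key[key]                  # (authorization id, resourceUri or None)
```

With validate_exact, UP#1 and UP#2 from the same customer both map to AUTH#1, and appending a resourceUri is rejected; with validate_with_resource, each usage point gets its own authorization and the resource path is available for the Authorization resource's resourceURI.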