OAuth Overview
GoCD implements the OAuth protocol to authorize third party application's (client's) request to access data on the GoCD server.
What is OAuth?
OAuth is an open-source specification for building a framework for allowing a third-party app (the “client”) to access protected resources from another application (the “provider,” or “resource owner”) at the request of a “user” of the client app. Oauth allows the user to enter his user credentials (ex. username and password) only to the provider app, which then grants the client app permission to view the protected resources on behalf of the user.
Common terms:
- Provider/Resource Owner – the app that hosts the protected resource. An example is Twitter which uses OAuth as the protocol for all its clients. In the context of this document, GoCD is the provider/resource owner.
- Client – the app that requests to see the resource data on behalf of the user. Any Twitter client that shows tweets is an example of this.
- User/end user – the entity who initiates the OAuth flow to allow the client to access protected data from the provider.
- Client id/client secret – Often, provider apps will maintain a list of clients that are allowed to access their data. Client apps can be identified in a number of ways, including with an id and a secret.
OAuth Authorization Workflow
An overview of the basic OAuth workflow can be found at Beginner's guide to OAuth.
Manage OAuth Clients
Create a new OAuth client
Before any third-party application can use GoCD using OAuth, it needs to be registered in Go as an OAuth client.
- Login as an administrator to GoCD.
- Navigate to the Admin page , then the OAuth Clients tab.
- Click the New OAuth Client button.
- Fill in the Name and Redirect URL for the third-party application. The redirect URL is where Go will send the end-user to once the authorization process is complete.
- You'll be presented with a summary of the newly registered application. Use the provided Client ID and Secret in the third-party application to enable OAuth communications with GoCD.
Edit an existing OAuth client
If you've already registered an OAuth Client, but want to change its name or redirect URL, here's how:
- Login as an administrator to GoCD.
- Navigate to the Admin page , then the OAuth Clients tab.
- Locate the Client you want to modify and click the Edit link next to it.
- Edit the necessary fields and click the Update button to save your changes.
Delete an existing OAuth client
If you want to un-register/delete an OAuth Client (prevent it from accessing GoCD via OAuth), here's how:
- Login as an administrator to GoCD.
- Navigate to the Admin page , then the OAuth Clients tab.
- Locate the Client you want to delete and click the Destroy link next to it.
- Confirm the deletion in the popup box.
Request for authorization code
Your client needs to contact GoCD server for an authorization code using the client Id and client secret. GoCD verifies that the requesting application has been registered with it.
Send a request to: https://your-go-server.com:8154/oauth/authorize with the following query parameters:
Query Parameter | Description |
---|---|
client_id | (required) The client identifier for your application. |
redirect_uri | (required) URL where the user should be redirected to after access to the service is granted. This uri can also include url-encoded query parameters |
response_type | (required) The type of response. Should always be 'code' in this case |
Example Request:
https://www.your-go-server.com:8154/oauth/authorize?redirect_uri=http://www.my_redirect_uri.com&client_id=ac212ddea07c6ac009d26de8090f5918f73ae648dc3676b1f00aeeae4fca67e1&response_type=code
If you type the above request on a browser, you should see a form asking you to authorize the client to access the host application on your behalf. Check the check box and submit.
Your browser is redirected to your redirect URI and you should now see your authorization code as the “code” parameter. Save this code, you will need it for the next step.
Example Response:
http://www.my_redirect_uri.com?code=26a7dea5e7e121be5ad5832a4a5b09d505c234c7625de3f375971264688bdb51
Get access token
For this step you’ll need to send a POST request to /oauth/token with the following key/value pairs as form data:
Form Data Parameter | Description |
---|---|
code | (required) This is the authorization code that you got from the previous step. |
grant_type | (required) Should be 'authorization-code' for this request. |
client_id | (required) The client identifier for your application. |
client_secret | (required) The client secret for your application. |
redirect_uri | (required) URL where the user should be redirected to after access to the service is granted. This uri can also include url-encoded query parameters |
Example Request (in curl) :
curl https://www.your-go-server:8154/go/oauth/token -d "code=26a7dea5e7e121be5ad5832a4a5b09d505c234c7625de3f375971264688bdb51&grant_type=authorization-code&client_id=ac212ddea07c6ac009d26de8090f5918f73ae648dc3676b1f00aeeae4fca67e1&client_secret=d1b54df502f162108a6136ec584dc637a7ad5578832a5db364e0d7b47657c718&redirect_uri=www.my_redirect_uri.com" -v
The response to the above POST request will be a JSON containing your access token, and its expiration time in seconds
Example Response:
{:access_token => f180f7bb68d38531aac2f49e5b0cac0c5ed5ced9b72842a429e783747e819664, :expires_in => 3529, :refresh_token => e1n54df802f162108a6336ec584dc637a7ad5578832a5db364e0d7b47657c875}
Use the access token
Now you are ready to query data from the GoCD server.
Example Request:
curl -H 'Authorization: Token token="f180f7bb68d38531aac2f49e5b0cac0c5ed5ced9b72842a429e783747e819664"' https://www.your-go-server.com:8154/go/cctray.xml