Implement authenticated access for Public Clients (Implicit Code Grant)

[sebgie]

This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)

---

In order to allow public clients to make authenticated requests to the Ghost API we need to implement the Implicit Code Grant (RFC 6749 4.2) flow:

• User initiates the authentication process from a JavaScript client running in a browser.
• JavaScript client redirects the user to the Ghost authentication endpoint using the following request.
  • response_type: 'token'
  • client_id: client_id generated by Ghost
  • state: random value to prevent csrf
  • redirect_uri: redirect uri must exactly match one of the values listed for this client
  • scope: tbd

GET /ghost/authorize?response_type=token&client_id=<client_id>&state=<random-value>
        &redirect_uri=<redirect_uri>

• Ghost verifies the validity of client_id and redirect_uri
• User authenticates with username and password
• Ghost redirects the user back to the client

Success redirect:

HTTP/1.1 302 Found
     Location: <redirect_uri>#access_token=<new-access-token>
               &state=<state-from-request>&token_type=<token-type>&expires_in=<ttl>

Error redirect:

HTTP/1.1 302 Found
   Location: <redirect_uri>#error=access_denied&state=<state-from-request>

• The client needs to validate the access_token and ensure that the state parameter matches the one sent to the server.
• The client can now access the Ghost API using the access token.

An example on how to implement the implicit code grant flow can be found at https://github.com/jaredhanson/oauth2orize.

[novaugust]

Is the error meant to still be a 302?

[javorszky]

As opposed to a 303?

[sebgie]

Is the error meant to still be a 302?

Yes, according to the RFC (http://tools.ietf.org/html/rfc6749#section-4.2.2) status code 302 is correct. The status code is used to redirect the browser rather than informing the user about a problem in this case.

As opposed to a 303?

303 See Other would mean that the result can be looked up under a different URI. The result is already sent with the response, the browser has to redirect back to the requesting JavaScript client which should then interpret the response.

[ErisDS]

I'm closing all OAuth and most API issues temporarily with the later label.

RE: OAuth, for the next 2-3 months we'll be implementing an official Ghost OAuth login system, providing global access to all Ghost blogs with a single login. We'll be opening issues around this system soon, and I don't want to cause confusion with OAuth for the API.

JSON API Overhaul & OAuth access are currently scheduled next on the roadmap