| Commit message (Collapse) | Author | Age | Files | Lines |
-Edited section titles
-Moved external links such as RFCs to \externalpage
-Edited for language style
-Checked for QDoc warnings and errors
-Added alt-text to images
Task-number: QTBUG-135353
Pick-to: 6.9 6.10
Change-Id: I509d9e8c94fd968639f2c4eeb2bbbbd359331695
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Most cpp files in this module are security critical, as
this module implements network interfacing authorization
protocols.
Headers in this module are not marked as they are
trivial.
Fixes: QTBUG-135564
Pick-to: 6.9 6.8
Change-Id: I97d8079296a98099955d3fe63434279599911a5e
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
A FullyEncoded URL is US-ASCII-only, so use the faster toLatin1(),
and make sure it's called on an rvalue.
(Called on an unshared rvalue QString, fromLatin1() is guaranteed to
re-use the internal buffer without reallocation; unlike toUtf8(),
which always has to stay prepared for a reallocation, in case a
UTF-16 code unit (2 bytes) requires three UTF-8 ones (three bytes)).
Amends a6dc1c01da723a93e1c174a6950eb4bab8cab3fc and
155624c3772b86145d8d84dbca87ab85e8c9c571.
Pick-to: 6.9 6.8
Change-Id: I1e61500e23aada3fa9270f7f38148831cd59ce62
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
In order to preserve the behavior of QAbstractOAuth2::scope vis-a-vis
Qt 6.8, remember which of the scope/requestedScopeTokens properties
the requested scope came in. If it was the legacy scope, then use that
unchanged, like in Qt 6.8. If it was the new property, build a scope
from the requestedScopeTokens.
This is only significant in two cases:
- If the user is interacting with a server that wrongfully assigns
meaning to the order of scope-tokens in a scope. Routing
scope-tokens through QSet could then cause the server to
malfunction.
- If the user passed (and/or the server expected) invalid characters
in scope-tokens, and those characters were outside the L1 range,
then they would have been encoded as UTF-8 in 6.8 and are not
representable in requestedScopeTokens (they're not L1 and when
putting them in as UTF-8-encoded, we'll produce mojibake).
Keeping the old behavior for the legacy scope property allows users to
continue development while they argue their case in a bug report
against the new property.
Move the legacyScope member around to avoid padding holes with the new
bool property.
Pick-to: 6.9
Change-Id: Ic3a7d485990608ea4f48327e69f9b35accbb2cbf
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
This better reflects the scope (token) semantics:
- Token order doesn't matter
- Duplicate tokens don't make sense
- Character encoding is limited to ASCII (albeit there might be
proprietary authorization servers not adhering to this)
Resulted from API-review.
Amends: 571b71763c0485778623139359acc88985099efb
Task-number: QTBUG-132710
Pick-to: 6.9
Change-Id: I781a707fcb3e2f06309e7ea57c5b05203afce03a
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
This commit is a prequel commit for changing their type from QStringList
to QSet<QByteArray>, each member of the set representing a scope token.
Resulted from API-review.
Amends: 571b71763c0485778623139359acc88985099efb
Task-number: QTBUG-132710
Pick-to: 6.9
Change-Id: I9d97ddfb66caba13434a460e021356911ed72f6c
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
This makes it clear that the result is Base-64 encoded, therefore
ASCII, and that fromUtf8() is not needed. Consequently, remove one
fromUtf8() called on its result, and replace it with fromLatin1().
Amends 90d5571d02887a8f61ec767699bb05c76c437153.
Pick-to: 6.9 6.8 6.5
Change-Id: Ie95d6b4b5fecaa089fd00ab7ee617567d00b381c
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
The docs were still wrapped in QT_REMOVAL_QT7_DEPRECATED_SINCE(6, 13),
while the property itself was QT_DEPRECATED_SINCE'ed.
Amends c14c6db0df256acafd8e1f0dda185f27510f11e6.
Pick-to: 6.9
Change-Id: I6495943cd6149e6c7e83a97572475db8f7128814
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Qt 6.9 introduces common baseclass method, refreshTokens() whose
implementation can be overridden by classes. Marking the
refreshAccessToken() as deprecated, and not automatically removing it,
is adequate and minimizes user impact.
Found in API review.
Amends 2b1e3419c5ef43e964f40dbe79d7a7da0de5aa57
Pick-to: 6.9
Change-Id: I67fa85a4225500d5fc0fcb882e3fc90a5c63913f
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
This allows having a common baseclass method for refreshing
tokens already in Qt 6. This should minimize the user impact
of removing the leaf class "refreshAccessToken()" function
in Qt 7.
Furthermore this simplifies the automatic token refresh
implementation, which is implemented at the common baseclass
level; the implementation can invoke/call the refreshTokens()
directly, as opposed to the leaf class connecting to the
accessTokenAboutToExpire() signal.
Lastly this allows removing the (new in Qt 6.9)
"QOAuth2DeviceAuthorizationFlow::refresAccessTokens()"
function which would have been replaced in Qt 7.
Found in API review.
Amends 2b1e3419c5ef43e964f40dbe79d7a7da0de5aa57
Pick-to: 6.9
Change-Id: I3ad94486543bdcb5ef5a7afd41f9cbb249ac92fb
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
The module cannot be built without HTTP support, so each and every file
had an `#ifndef QT_NO_HTTP` check.
However, commit d49f744968a237b751f0e520f8a9fff59dc283f5 already
disabled the module build at the toplevel CMakeLists.txt file if the
relevant feature is not found.
As a result, we can drop the checks from the private headers and
the .cpp files and also remove the QtNetwork/qtnetwork-config.h includes
that were added in order to provide access to QT_NO_HTTP definition.
This patch still keeps the QT_NO_HTTP check on public headers, because
it allows the user code like:
    #include <QOAuth1> // unconditionally
    ...
    #ifndef QT_NO_HTTP
        QOAuth1 oauth;
        // use oauth
    #endif // QT_NO_HTTP
Pick-to: 6.9 6.8 6.5
Change-Id: I517aa1da90ed53a5fc013d28530aa1d41a946a79
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
The property can be kept forever, simply delegating to the property of
the base class.
Amends 90c7e3df75a901420f70389d16a6ebd53d6332be.
Found in Qt 6.9 API review.
Pick-to: 6.9
Change-Id: I75f8b1843158da0af091e290be3d5748351ed7b4
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
Amends 8e5e1012f9a9a9f01a12f631a3ed34570b6a4c5c which only cleaned up
the public headers.
Task-number: QTBUG-115841
Pick-to: 6.9 6.8
Change-Id: I16399e3ced49b91134e68c351f190720f88c3044
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
The base class already contains all properties and signals related to
access token refreshing. However, we can not add a new virtual slot
during Qt 6 lifetime.
This patch pre-programs the addition of this slot to Qt 7 and adjusts
the refresh token logic to call the new slot directly from the base
class. This eliminates the need to manually implement auto-refresh
logic in the derived classes.
The name of the new slot is different from the pre-existing slots in
the derived classes, so this patch also pre-programs the renaming
of the relevant slots.
The patch also pre-programs documentation changes by providing Qt 7
versions of the relevant docs.
Picking this change to 6.9 to minimize the amount of merge conflict
resolutions.
Task-number: QTBUG-132106
Pick-to: 6.9
Change-Id: I453e9aae096abbfddcb8076f808d4a055850f7e0
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
... and schedule it for removal in Qt 7.
Update most of the unit-test to use the new property, leaving just some
of them with a conditional check, to make sure that the old API is
still tested.
[ChangeLog][QOAuth2AuthorizationCodeFlow] Deprecated accessTokenUrl
property and scheduled it for removal in Qt 7. Use
QAbstractOAuth2::tokenUrl instead.
Task-number: QTBUG-132106
Pick-to: 6.9
Change-Id: I0bbb32854380268f8b7226859911b6fc3bd9289e
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
The property is common for both authorization code and device flows, so
it makes sense to move it to the base class. And more broadly speaking,
most OAuth2 flows use a token endpoint.
One problem is that QOAuth2AuthorizationCodeFlow already has an
accessTokenUrl property which is used for the same purpose. This patch
implements this property in terms of the base tokenUrl property. The
follow-up commit will deprecate the QOAuth2AuthorizationCodeFlow
property and mark it for removal in Qt 7.
There were no tests for the accessTokenUrl property and the related
signal, so create a new test that checks both old and new properties.
[ChangeLog][QAbstractOAuth2] Added tokenUrl property that holds the
token endpoint URL.
Task-number: QTBUG-132106
Pick-to: 6.9
Change-Id: I4e680e1013093041dcd3fa4f06e24b83cec83fc3
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
- Detect case where refresh threshold is larger than token lifetime
- Distinguish between client-side and server-side refresh timer
updates in order to handle timeouts appropriately. An immediate
refresh should only occur if initiated by client-side, in which
case it happens only once (after that, the next update is
initiated by server-side)
- Minimum timeout value to avoid unthrottled refresh loop in case
of a server misconfiguration
- Simplify auto test cases by combining the two cases into a single
data-driven case
- Single out two corner-case autotests
Pick-to: 6.9
Change-Id: Ia538e8b308564dc6f3e42103d72e724bbf226b69
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Add automatic token refresh for expiring tokens in
Device Flow class, if a refresh token is available.
This functionality, previously implemented in
Authorization Code Flow class, has now been extended
to Device Flow following its merge.
Add additional check for QOAuth2AuthorizationCodeFlow
preventing unintended automatic refresh attempts.
Pick-to: 6.9
Task-number: QTBUG-130844
Change-Id: I175abd0769d60d5440a3e84dc57d6f3d00193e41
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
- Making them inline prevents violating ODR (C++17).
- Making them constexpr makes initialization compile-time.
- Making them L1 makes them a bit lighter.
- Renaming them as QtOAuth2RfcKeywords makes the purpose clear
at a glance.
- Keeping declaration/definition in one place makes code easier
to follow.
- Moving outside of QAbstractOAuth2Private class removes the need
for "using Key = QAbstractOAuth2Private::OAuth2KeyString"
Change-Id: I9a6ecc579c95ab26e3941bfe90a5ce04f123fd38
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Add the convenience of automatically refreshing an
expiring access token, if a refresh token is available.
QAbstractOAuth2 class provides accessTokenAboutToExpire
signal and autoRefresh and refreshThreshold properties
for this.
[ChangeLog][QAbstractOAuth2] Added new accessTokenAboutToExpire()
signal, and autorefresh and refreshThreshold properties.
Fixes: QTBUG-124332
Change-Id: I55f4333abfbed25de11688d5c20650d433a650de
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
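The timer arithmetic behind the automatic refresh described in the two refresh commits above (refresh threshold, a minimum interval against a misconfigured server, and a one-off immediate refresh only when the client side changed something), as an added example in standard C++. It is not Qt code: the function and field names, the ten-second minimum interval and the half-lifetime fallback are this example's own choices.

```cpp
// Added example (not Qt code): refresh timer scheduling for an OAuth2 access token.
#include <algorithm>
#include <chrono>
#include <optional>

namespace refresh {

using Seconds = std::chrono::seconds;

struct Decision {
    bool refreshNow;        // fire one refresh immediately
    bool thresholdTooLarge; // threshold >= remaining lifetime: cannot be honoured as-is
    Seconds delay;          // delay for the next scheduled refresh
};

// Lower bound for the timer so that a server handing out very short expires_in
// values, or a threshold equal to the lifetime, cannot drive a tight refresh loop.
// The value is this example's choice.
constexpr Seconds kMinimumInterval{10};

// remaining: seconds until the access token expires (expires_in for a fresh token);
// threshold: how long before expiry the refresh should happen;
// clientInitiated: true when the application changed autoRefresh or the threshold,
//                  false when the timer is re-armed because a new token arrived.
inline std::optional<Decision> schedule(Seconds remaining, Seconds threshold,
                                        bool clientInitiated, bool haveRefreshToken)
{
    if (!haveRefreshToken || remaining <= Seconds{0} || threshold < Seconds{0})
        return std::nullopt; // nothing can be refreshed, leave the timer off
    Decision d{false, false, Seconds{0}};
    if (threshold >= remaining) {
        d.thresholdTooLarge = true;
        // Less lifetime is left than the threshold asks for. A client-side change
        // refreshes once right away; a server-supplied token in the same state
        // must not, or every response would trigger the next request. Instead wait
        // half the remaining lifetime, clamped to the minimum interval.
        d.refreshNow = clientInitiated;
        d.delay = std::max(remaining / 2, kMinimumInterval);
    } else {
        d.delay = std::max(remaining - threshold, kMinimumInterval);
    }
    return d;
}

} // namespace refresh
```

The caller arms a single-shot timer with `delay`, performs the refresh when it fires, and calls `schedule()` again with `clientInitiated == false` once the new token response arrives, so the immediate refresh happens at most once per client-side change.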
Recently added ability to modify token requests is also applicable to
the new 'device flow' class's authorization requests *), so not just
about token requests. Hence abstract the name to concern network
requests. This should also be more future proof in case adding new
flows in the future.
*) The pre-existing QOAuth2AuthorizationCodeFlow class
does the authorization with browser/user-agent interaction, whereas
with device flow it's done with a HTTP POST request/response.
Amends: 235f475c560224295facb5473034e6d4d0188c95
Change-Id: If4d470bc5660d8cc8ef51abe8533c02134e72305
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
This way it can be shared with the upcoming device flow implementation.
Change-Id: I086dd0de04d7a8fe3681cbb6dd7b48b0d5df3fd7
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
This way it can be shared with the upcoming device flow implementation.
Change-Id: Ib5fd90f8f0e172068c383e3771624823573c08c8
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
This way it can be shared with the upcoming device flow implementation.
Change-Id: I0dcd20dcb84b5af2e57f592b99fe82d04470ffe7
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
This way it can be shared with the upcoming device flow implementation.
Change-Id: Ia1cc64f88e216ed6206695aa70d71b60b2f90fec
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Extra tokens only contain tokens that aren't handled.
Amends: 4209cedd6ce5ef2f6ab595b2207713d8bff2bed6
Change-Id: I9fc560c42c56e01be51fae77ff3b6fe423333817
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
State parameter is consumed by the flow class and should not be in the
extraTokens property. The documentation of the property is not clear
on this, but this would be in line with how the access token response populates
the extraTokens: only leave tokens that are considered extra.
[ChangeLog][OAuth2] received state parameter is no longer provided in
extraTokens property.
Change-Id: I157bc33f4caf3c5d8bde538d33f257b20d2593eb
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
QAbstractOAuth defines 'extraTokens' property with change signal.
However it seems the signal is never emitted. This commit adds
the emission of this signal.
Pick-to: 6.8 6.5
Change-Id: I20c5d875cd5337daa1290670f241c9814787f998
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Using just error as a signal name makes things confusing as it sounds
rather like a getter name (e.g. lastError from QSqlQuery). It has been
decided quite some time ago to use errorOccurred as a replacement in
other places in the Qt code base as this name makes it clearer that an
error happened and is more in line with the Qt standard that wants clear
naming.
[ChangeLog][QAbstractOAuth2] The error signal is now deprecated and
replaced by errorOccurred. This will make the code handling errors
clearer to write and read.
Change-Id: Ibd6a4056735f6e9e4bec32525a2576cf41579a08
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
This commit adds means to set a callback that is called
just prior to sending out either access token or refresh
token requests. This allows making any necessary adjustments
to the QNetworkRequest, in case the token endpoint requires
some specific headers or other values.
[ChangeLog][QAbstractOAuth2] Added new function setter for modifying
token network requests
Fixes: QTBUG-65309
Change-Id: I7ab99dac891c30e1d3bcc967a879c07e35e7ba85
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
This commit adds convenience for getting OpenID Connect (OIDC)
ID tokens. This change consists of:
- New 'ID token' property 'idToken'
- Update for token error handling
- Overview documentation paragraph covering
current OIDC support in Qt
It should be noted that this commit does not introduce
support for validating the ID tokens, which is a crucial
step in many use cases.
[ChangeLog][QAbstractOAuth2] Added new 'idToken' property
for accessing OIDC ID tokens
Fixes: QTBUG-124334
Change-Id: I404cb033dd003861b6e8413dfcb08fa75a0a699e
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
OpenID Connect token acquisition is a thin layer on
top of OAuth2 flows. In practice this often requires
using 'nonce' parameter, which is used to associate
authorization (authentication) with the supplied ID
token. Some vendors either refuse or require additional
security credentials if 'nonce' is omitted with
OIDC flows.
This commit introduces two facilities to make usage
of 'nonce' easy:
- Mode to control whether or not the nonce should be
included
- Property for reading (and optionally setting) the
nonce
The default nonce mode is 'automatic', meaning that
nonce is only used if required by OIDC flow.
[ChangeLog][QAbstractOAuth2] Added 'nonce' property and
'NonceMode' enum for using nonce in the flows.
Fixes: QTBUG-124336
Change-Id: I21a9a344a1bd1d8f440677f3c9335ce4df089a3f
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
As a general practice it's better not to log anything that may contain
sensitive data.
Pick-to: 6.8 6.7 6.5
Change-Id: I478d9bd7085815b84037c9d28721829288192b45
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
The local variable 'grantedScope' shadows same-name variable
in QAbstractOAuth2Private. Doesn't cause active harm at the
moment, but can lead to confusion later.
Amends: 571b71763c0485778623139359acc88985099efb
Change-Id: Ida92d42e8a5f0ff5ff30d18eabd60190cd4a9153
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
The replacing 'requestedScope' and 'grantedScope' provide better
separation of roles, and also allow using string lists, making
for example checking the granted properties more convenient.
Change-Id: I51cebaffa7fbc97c64993d5b1d7bf932a35d0bc7
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Use encoding defined by RFC 6749 4.1.1 Authorization Request.
The pre-existing implementation worked with internally
generated random states, but had trouble especially with
characters such as + and space ' ' which the user may
set manually.
I tested this against four major public Authorization
Server providers, and with this patch they work
with states like "foo %b+ar" (none of them work
without this patch).
Pick-to: 6.8 6.7 6.5
Fixes: QTBUG-104655
Change-Id: I849dd720c287e74f30be3fd7b1e631871ade9c12
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
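The encoding the commit above refers to, as an added example in standard C++ (it is not the module's code). It percent-encodes a query value the way RFC 6749 section 4.1.1 and Appendix B require, so that a state such as "foo %b+ar" survives the round trip, and decodes the way an application/x-www-form-urlencoded receiver does, which also shows why a parameter that already arrives percent-encoded must not be encoded a second time. Function names are the example's own; encoding space as %20 rather than the HTML-form '+' is a choice of this example, and either form is decoded to a space by a form-urlencoded decoder.

```cpp
// Added example (not Qt code): form-urlencoded query values for OAuth2 requests.
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

namespace oauth2url {

// Percent-encode one query value. RFC 3986 unreserved characters pass through;
// everything else, including space, '+', '%' and the bytes of a UTF-8 sequence,
// becomes %XX. '+' must be encoded because a form decoder turns a bare '+' into a space.
inline std::string encodeValue(const std::string &v) {
    std::string out;
    for (unsigned char c : v) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            out += char(c);
        } else {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", unsigned(c));
            out += buf;
        }
    }
    return out;
}

inline int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode as application/x-www-form-urlencoded: %XX and '+' both map back to the
// original byte, so "foo%20%25b%2Bar" and "foo+%25b%2Bar" decode identically.
// Malformed %-sequences are passed through unchanged rather than dropped.
inline std::string decodeValue(const std::string &v) {
    std::string out;
    for (size_t i = 0; i < v.size(); ++i) {
        if (v[i] == '+') {
            out += ' ';
        } else if (v[i] == '%' && i + 2 < v.size()
                   && hexVal(v[i + 1]) >= 0 && hexVal(v[i + 2]) >= 0) {
            out += char(hexVal(v[i + 1]) * 16 + hexVal(v[i + 2]));
            i += 2;
        } else {
            out += v[i];
        }
    }
    return out;
}

// Build the query component of an RFC 6749 section 4.1.1 authorization request.
// std::map gives a deterministic (sorted) parameter order for the example.
inline std::string buildAuthorizationQuery(const std::map<std::string, std::string> &params) {
    std::string q;
    for (const auto &kv : params) {
        if (!q.empty()) q += '&';
        q += encodeValue(kv.first) + '=' + encodeValue(kv.second);
    }
    return q;
}

} // namespace oauth2url
```

Applying `encodeValue()` to a value that is already encoded (such as an authorization code delivered as "4%2F...") yields "4%252F...", which the token endpoint would then decode to the wrong code; the check is to decode first, or to leave such a value untouched, as the later commit about Google's codes does.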
The pre-existing 'scope' property serves two roles concurrently,
first as the 'requested' scope, and later as the 'granted'
scope. These scopes commonly differ.
This commit introduces two new properties to provide a cleaner
separation between the two:
- The requestedScope holds the scope the user requests.
- The grantedScope holds the scope granted by the authorization
server. The requested and granted scopes may differ, and it is
useful for applications to be able to adapt their behavior
accordingly.
All new code is advised to use these properties, and the original
'scope' property should be deprecated.
[ChangeLog][QAbstractOAuth2] Added new 'grantedScope' and
'requestedScope' properties to provide clean separation between
requested and granted scopes.
Fixes: QTBUG-124330
Change-Id: Ib2cc642722e4bce578d91b48acd0d549cf70a64f
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
The implementation set the 'scope' unconditionally to scopes
the authorization server returned in access token response.
The returned and requested scopes can differ, and a server might
also omit the 'scope' altogether, causing the Qt classes 'scope'
to be just cleared.
The scope behavior is specified by OAuth2 RFC 6749, chapter 5.1.
Returning differing and empty scopes is common and acceptable.
In case of empty scope, we can assume that the server granted
the scope that was requested.
Furthermore amend the 'scope' property documentation to reflect
these two roles it serves. In a later Qt version we should
introduce two new properties which clearly separate these roles.
[ChangeLog][QAbstractOAuth2][Important Behavior Changes]
If the authorization server returns an empty 'scope' response,
the requested scope is not cleared anymore. Instead, it is
assumed that the requested 'scope' was granted.
Pick-to: 6.8 6.7 6.5
Fixes: QTBUG-66415
Change-Id: I0685507c3ac7633fcf1d177958ba45ec6fd87bd2
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
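The scope rules that the scope-related commits above describe (the requestedScope/grantedScope split, scope tokens as an unordered set with the RFC 6749 section 3.3 character restriction, and the section 5.1 rule that a token response without a scope means the requested scope was granted), as an added example in standard C++. It is not Qt code: the namespace, function names and the std::set representation are this example's own.

```cpp
// Added example (not Qt code): OAuth2 scope tokens, requested vs. granted.
#include <set>
#include <sstream>
#include <string>

namespace scope {

using TokenSet = std::set<std::string>;

// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
// i.e. printable ASCII without space, double quote and backslash.
inline bool isValidToken(const std::string &tok) {
    if (tok.empty()) return false;
    for (unsigned char c : tok) {
        if (c == 0x21 || (c >= 0x23 && c <= 0x5B) || (c >= 0x5D && c <= 0x7E)) continue;
        return false;
    }
    return true;
}

// Split a space-separated scope string into tokens. Order and duplicates are
// discarded, which is what a set-based representation implies; a server that
// assigns meaning to token order cannot be served by this function.
// (operator>> also splits on other whitespace, which the RFC does not allow.)
inline TokenSet parse(const std::string &scope) {
    TokenSet out;
    std::istringstream in(scope);
    std::string tok;
    while (in >> tok) out.insert(tok);
    return out;
}

// Join a token set back into the single "scope" request parameter.
inline std::string join(const TokenSet &tokens) {
    std::string out;
    for (const auto &t : tokens) {
        if (!out.empty()) out += ' ';
        out += t;
    }
    return out;
}

// False if any token would be rejected by a conforming authorization server.
inline bool allValid(const TokenSet &tokens) {
    for (const auto &t : tokens)
        if (!isValidToken(t)) return false;
    return true;
}

// RFC 6749 section 5.1: when the token response carries no "scope" (empty here),
// the granted scope is the requested one. Otherwise the server's value wins,
// and it may be narrower than what was requested.
inline TokenSet grantedScope(const TokenSet &requested, const std::string &responseScope) {
    if (responseScope.empty()) return requested;
    return parse(responseScope);
}

// Tokens that were requested but not granted; an application adapts to these
// instead of assuming it received everything it asked for.
inline TokenSet missing(const TokenSet &requested, const TokenSet &granted) {
    TokenSet out;
    for (const auto &t : requested)
        if (!granted.count(t)) out.insert(t);
    return out;
}

} // namespace scope
```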
This prevents accidental narrowing on the call-side (and isn't slower
than passing a shorter integer, which is the reason we don't use
qint64 here).
Found in API-Review.
Pick-to: 6.8
Change-Id: I9c0cdc67ddf9d5d1bd6ccdbc8d860ffa874daf33
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Task-number: QTBUG-124326
Change-Id: I2d9443b9356264e5089f490a0c75a939ce24d14d
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
QAbstractOAuth baseclass provides replyHandler()
method which returns the reply handler user has set,
or a default handler (oob) if none has been set.
Parts of the implementation however mixed the use of
replyHandler() and the underlying user-settable pointer
directly. This caused "nullptr warnings" with
Q(Private)Object connects.
This commit changes such that only replyHandler() is
used systematically in OAuth2 implementation.
Fixes: QTBUG-124326
Change-Id: If222bde03939ae5a04e4b323774a916a8a57c646
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
'redirect_uri' parameter is not needed in token refresh request.
This is as per RFC (6749 Section 6 Refreshing Access Token).
In terms of use cases, the token refresh can occur days or weeks
after the original authorization request. Thus having a reply handler
around which returns the same redirect_uri is probably not a
reasonable assumption (applications can avoid authorization
altogether if they already have a refresh token).
[ChangeLog][QOAuth2AuthorizationCodeFlow] redirect_uri parameter is no
longer included in access token refresh request
Task-number: QTBUG-124333
Change-Id: I4a8e2134329e11523483936d1f1d10bf7ff38b92
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
PKCE (RFC 7636) is a MUST in RFC 8252 which lays out OAuth2
best practices for native applications.
PKCE mitigates the risk of authorization code interception.
PKCE is only relevant for OAuth2 "Authorization Code" flow,
which is the only OAuth2 flow Qt supports out of the box.
The S256 method is set as the default. Sending out the
PKCE parameters should not cause harm even if the
authorization server didn't support them.
[ChangeLog][QOAuth2AuthorizationCodeFlow] Added PKCE support
and turned it on by default
Fixes: QTBUG-124327
Change-Id: Ic0242be1b8afcd9baa3ff071989d58ddabf753a2
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Google recently changed the way they send their code and it is now
already percent encoded. This patch checks for the percent presence in
the code and does not change it again if it's there.
The alternative is to use:
    google = new QOAuth2AuthorizationCodeFlow;
    // Setup authentication parameters
    google->setModifyParametersFunction(
        [](QAbstractOAuth::Stage stage,
           QMultiMap<QString, QVariant> *parameters) {
            if (stage == QAbstractOAuth::Stage::RequestingAccessToken) {
                // Undo the provider's percent-encoding before the code is encoded again
                QByteArray code = parameters->take("code").toByteArray();
                parameters->insert("code", QUrl::fromPercentEncoding(code));
            }
        });
[ChangeLog][OAuth2] OAuth2 providers might be sending the authentication
code already percent encoded. This is the case of Google. This is now a
supported use case and the code is not systematically encoded anymore.
Fixes: QTBUG-81624
Change-Id: I43d66223a2aedf01fe0996de6798acc6d881c16b
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
This disables the 3-arg QObject::connect() overload:
QObject::connect(sender, signal, functor)
For details see:
https://lists.qt-project.org/pipermail/development/2023-July/044141.html
Change-Id: If6e8d202b114d053933fc1dcab5b99377c67a879
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Also, document how network replies passed to QAbstractAuthReplyHandler
are deleted.
Pick-to: 6.6 6.5
Change-Id: Id504776d0111f67dd3206b13e5ba3ccce1ca9be4
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
To be better in line with the other signals (that is, end
the signal name with a 'verb').
Amends: 32f29d3e227da206f262efa055d1cac895855a98
Pick-to: 6.6
Change-Id: I8f76d526b124842d0982e74af0dc76d8bdc46f37
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
The OAuth2 authorization and access token requests can fail for a number
of reasons, both network and authorization server related. These errors
are reported as a log output, leaving the application unaware.
In addition since the refresh token errors were not handled, a failed
refresh attempt left the OAuth2 class in a "refreshing token" status
without proper means for application to recover.
This commit harnesses the pre-existing QAbstractOAuth::requestFailed()
signal for reporting these issues. It's used by OAuth1 implementation
for similar purpose.
This consists of:
- Document the requestFailed() signal
- Add new QAbstractOAuthReplyHandler::tokenRequestError() signal,
which reply handlers can emit upon error
- Connect AuthorizationCodeFlow class to that signal and handle it
- Implement error emission in OobReplyHandler, which is used by
the examples (via HTTPReplyHandler)
- Autotests
[ChangeLog][QAbstractOAuth] Add token request error signal and
improve related error handling
Fixes: QTBUG-102279
Fixes: QTBUG-106821
Change-Id: I4dc14aa237d92bd1a2ba830c349cae4121be2e57
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Specifying a custom TLS configuration is necessary when it is required
to establish a Mutual TLS connection between the client and the
Authentication Server.
[ChangeLog][QAbstractOAuth2] Introduce a new sslConfiguration parameter
which allows to specify a TLS configuration used during the
authentication process.
This patch also applies the new parameter to
QOAuth2AuthorizationCodeFlow class.
Fixes: QTBUG-88325
Change-Id: I5daac3d97e4df1ecc35597e168a2d111881d704a
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Replace the current license disclaimer in files by
a SPDX-License-Identifier.
License files are organized under LICENSES directory.
Pick-to: 6.4
Task-number: QTBUG-67283
Change-Id: Ic012e87171ed4cef6871eff7d76f56994ea3ca1f
Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>