  1. Qt
  2. QTBUG-113218

Qt Network Authorization module improvements


Details

    • Epic
    • Resolution: Unresolved
    • P2: Important
    • None
    • 6.5
    • None

    Description

      A container Epic for improving the qtnetworkauth module.

      These are preliminary thoughts based on a brief look into the module; they require further validation.

      General

      • Groom and analyze Jira bugs and suggestions. They provide things to fix and ideas to improve
      • Improving the existing Reddit example (for instance, it has plenty of unused code)
      • Introducing new examples for major vendors like Google and Microsoft
      • Documenting the public API where lacking (at least HTTPReplyHandler, and also missing signals and functions elsewhere). No need to cover 100% (e.g. OobHandler) but focus on APIs that are relevant for developers
      • Overview and tutorial documentation for OAuth2 usage, and tutorial documentation for creating ReplyHandlers
      • Create a test suite that implements a local Authorization Server to let developers
        test full sequences (including browser invocation) without creating accounts on Twitter, Reddit, etc.
        It also allows testing arbitrary errors. This may be an auto test or a manual test; the requirement is to be able
        to launch a browser successfully (manual interaction with the browser by the user can be omitted)
      • Move from manual QTcpServer usage to QHttpServer in tests and HttpReplyHandler
      • With HTTPServerReplyHandler, instead of replying directly with "200 OK", redirect the browser to a local "all ok" page. This way any potentially sensitive information will not remain in the browser URL field.

      New features

      • SSO / OpenID Connect and SAML
      • Possibly OAuth2 Implicit Flow support (RFC 8252: NOT RECOMMENDED for native apps)
      • Helper functions, e.g. for token expiration checks (isValid() & aboutToExpire() & expired() signal?)
      • Analyze the OAuth2 state handling; it seems fragile
      • OAuth2 QML bindings, useful in particular if we improve other QML client-side networking facilities

      Architectural considerations (breaking / earliest Qt 7)

      • Flattening and simplifying the inheritance hierarchies
      • Dropping OAuth1 support
      • QAbstractOAuth provides HTTP get() convenience methods that basically set, for example, the "Authorization: Bearer" HTTP header, but should that really be part of the OAuth classes, or even part of the module?
        Or should the role of this module be more simply access control and providing tokens?
      • Aligning of APIs with other Qt connectivity/networking APIs, things like errorOccurred() etc.
      • grant() to provide a return value indicating if the process started successfully (possibly something that'd be usable with async/await later on)
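
      The redirect-after-callback idea from the HTTPServerReplyHandler item in the General list, as an added example that is not Qt code: plain standard C++ for a loopback callback that checks `state`, then answers 302 to a query-free `/done` page instead of "200 OK". `handleCallback`, `CallbackResult`, the `/done` path and the sample values are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Split the query of a request target such as "/?code=abc&state=xyz".
// Percent-decoding is omitted: the values are only compared as opaque strings.
static std::map<std::string, std::string> parseQuery(const std::string &target) {
    std::map<std::string, std::string> params;
    const auto q = target.find('?');
    if (q == std::string::npos) return params;
    std::istringstream in(target.substr(q + 1));
    std::string pair;
    while (std::getline(in, pair, '&')) {
        const auto eq = pair.find('=');
        if (eq != std::string::npos) params[pair.substr(0, eq)] = pair.substr(eq + 1);
    }
    return params;
}

struct CallbackResult {
    std::string response;  // raw HTTP response sent back to the browser
    std::string code;      // authorization code; empty unless the callback was accepted
};

// Hypothetical handler for the request line of one loopback callback.
CallbackResult handleCallback(const std::string &requestLine, const std::string &expectedState) {
    std::istringstream in(requestLine);
    std::string method, target;
    in >> method >> target;
    const std::string path = target.substr(0, target.find('?'));
    // Static landing page: its URL carries no query string.
    if (method == "GET" && path == "/done")
        return {"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\nAll ok", ""};
    const auto params = parseQuery(target);
    const auto state = params.find("state");
    const auto code = params.find("code");
    if (method != "GET" || path != "/" || expectedState.empty() || code == params.end()
        || state == params.end() || state->second != expectedState)
        return {"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n", ""};
    // Accepted: move the browser off the URL that carries code and state.
    return {"HTTP/1.1 302 Found\r\nLocation: /done\r\n"
            "Cache-Control: no-store\r\nContent-Length: 0\r\n\r\n", code->second};
}

int main() {
    // Constructed callback request; prints the 302 response.
    std::cout << handleCallback("GET /?code=abc123&state=s3cr3t HTTP/1.1", "s3cr3t").response;
}
```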


            People

              cnn Qt Core & Network
              vuokko Juha Vuolle
              Vladimir Minenko Vladimir Minenko
              Alex Blasche Alex Blasche