Implement authenticated access for Public Clients (Authorization Code Grant) #4388

@sebgie

This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)


In order to allow installed and web applications to execute authenticated requests against the Ghost API we need to implement the Authorization Code Grant (RFC 6749 4.1) flow:

  • The application initiates the authentication process by redirecting the browser to the Ghost authentication endpoint using the following request.
    • response_type: 'code'
    • client_id: client_id generated by Ghost
    • state: random value to prevent CSRF
    • redirect_uri: redirect uri must exactly match one of the values listed for this client
    • scope: tbd

        GET /ghost/authorize?response_type=code&client_id=<client_id>&state=<random-value>
            &redirect_uri=<redirect_uri>

  • Ghost verifies the validity of client_id and redirect_uri
  • User authenticates with username and password
  • Ghost redirects the user back to the client

    Success redirect:

        HTTP/1.1 302 Found
        Location: <redirect_uri>#code=<code>&state=<state-from-request>

    Error redirect:

        HTTP/1.1 302 Found
        Location: <redirect_uri>#error=access_denied&state=<state-from-request>

  • The client needs to ensure that the state parameter is equal to the one sent to the server.
  • The client application now issues another request to get a valid access token from the temporary access code.
    • grant_type: 'authorization_code'
    • code: code received from the authorization process
    • redirect_uri: redirect uri must exactly match one of the values listed for this client
    • client_id: client_id generated by Ghost
    • client_secret: client_secret generated by Ghost

        POST /token
        Content-Type: application/x-www-form-urlencoded

        grant_type=authorization_code&code=<code>
        &redirect_uri=<redirect_uri>&client_secret=<client_secret>

  • If the access token request is valid and authorized, the server issues an access and refresh token to allow the client authorized access to the API

        {
            access_token: <access_token>,
            token_type: "Bearer",
            expires_in: 3600,
            refresh_token: <refresh_token>
        }

  • The client can now access the Ghost API using the access token.

An example on how to implement the implicit code grant flow can be found at https://github.com/jaredhanson/oauth2orize.
