OAuth 2.0 spec defined in RAML?


#1

Is there a RAML definition of the OAuth 2.0 RFC? I see lots of RAML files that refer to using OAuth 2, but I am looking for a definition of OAuth 2.0 itself written in RAML. In other words, what would a RAML file look like for the OAuth2 authorization server itself?


#2

Do you mean something like that:

securitySchemes:
- oauth_2_0:
    description: |
        Dropbox supports OAuth 2.0 for authenticating all API requests.
    type: OAuth 2.0
    describedBy:
        headers:
            Authorization:
                description: |
                   Used to send a valid OAuth 2 access token. Do not use 
                   with the "access_token" query string parameter.
                type: string
        queryParameters:
            access_token:
                description: |
                   Used to send a valid OAuth 2 access token. Do not use together with 
                   the "Authorization" header
                type: string
        responses:
            401:
                description: |
                    Bad or expired token. This can happen if the user or Dropbox
                    revoked or expired an access token. To fix, you should re-
                    authenticate the user.
            403:
                description: |
                    Bad OAuth request (wrong consumer key, bad nonce, expired
                    timestamp...). Unfortunately, re-authenticating the user won't help here.
    settings:
      authorizationUri: https://www.dropbox.com/1/oauth2/authorize
      accessTokenUri: https://api.dropbox.com/1/oauth2/token
      authorizationGrants: [ code, token ]

#3

Thank you for your response. That is not quite what I was asking about. I was thinking more about a RAML file that documented what was defined in RFC 6749 and related specs.

I am new to RAML, but I think what you have shown is how to describe, using the RAML “securitySchemes” mechanism, what parameters are there and what they mean.

I was more curious if there was a RAML definition of OAuth itself (when GETs are used vs. POSTs, etc.)
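As an added illustration of what #3 is asking for (not posted by anyone in this thread), here is a sketch of the authorization server's own two endpoints from RFC 6749 described in the same RAML 0.8 syntax as the securitySchemes example above. It assumes only the authorization code and refresh token grants, a placeholder host, and illustrative token values; the GET vs. POST split and the required parameters follow the RFC.

```yaml
#%RAML 0.8
title: OAuth 2.0 Authorization Server (RFC 6749, authorization code grant)
baseUri: https://auth.example.com   # constructed placeholder host
/authorize:
  description: Authorization endpoint (RFC 6749 section 3.1); user-facing, GET.
  get:
    queryParameters:
      response_type:
        required: true
        enum: [ code ]
      client_id:
        required: true
      redirect_uri:
        description: Must exactly match a URI pre-registered for this client.
      state:
        description: Opaque value the client echoes back to bind the response to its session (CSRF protection).
    responses:
      302:
        description: |
          Redirect to redirect_uri with `code` and `state` query parameters,
          or with `error` (e.g. access_denied) if the user declined.
/token:
  description: Token endpoint (RFC 6749 section 3.2); client-facing, POST only.
  post:
    headers:
      Authorization:
        description: HTTP Basic client credentials for confidential clients (section 2.3.1).
    body:
      application/x-www-form-urlencoded:
        formParameters:
          grant_type:
            required: true
            enum: [ authorization_code, refresh_token ]
          code:
            description: Single-use code from /authorize (authorization_code grant only).
          redirect_uri:
            description: Required if it was sent to /authorize; must match that value.
          refresh_token:
            description: For grant_type=refresh_token.
    responses:
      200:
        body:
          application/json:
            example: |
              { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" }
      400:
        description: Error response (invalid_request, invalid_grant, invalid_client, ...) as JSON per section 5.2.
```

In RAML 0.8 a parameter with no `type` defaults to string; a real server description would also carry the 401 response for failed client authentication and the `token` (implicit) grant if it is offered.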


#4

I don’t think that is possible. Maybe someone else can jump on this as well cc @Aldo_Bucchi


#5

@christian_vogel (or anyone else that might know) Is there a way to customize the OAuth2 security scheme? Specifically, adding a realm without appending it to the URI for auth?