Joocial OAuth authorization

To communicate with a Joomla! CMS site and perform operations on it, Joocial requires an OAuth authorization that grants the app access to the social management actions.

The environment where the OAuth authorization is performed can be characterized as follows:

  • Joocial Composer App:
    • It shows a login form, loaded from an external URL domain,
    • where a Consumer Key and Consumer Secret are defined
  • Joocial extension, a Joomla! CMS extension with:
    • A login page, where the user enters the username and password to be authenticated and to generate an access token
    • An API page, the main API entry point

In this implementation, these are the specific assets where the authorization is generated:

  • Joocial Composer App
    • www/templates/tab-login.html
      • Form where the URL domain, Consumer Key and Consumer Secret are entered by the user
  • Joocial extension
    • components/com_autotweet/views/mlogin
    • components/com_autotweet/controllers/mapi.php

When the user initiates a login from the mobile application, these steps are taken to grant access:

  • In the first step, the application requests a "login" token and redirects the user to the login page to authorize the mobile access
  • When the access is authorized, the user is redirected back to the app with a "temporary" token that signals the successful authorization
  • Finally, the app converts the temporary token into the final "access" token, which must be included in every API call

appFactory is the main object that provides the communication services:

  • login(), a function to call the login API either from the mobile app or from the desktop
  • logout()

appFactory receives the connection parameters from an appSession object and, when the authorization is completed, appSession stores the access_token for future accesses.

If there is a valid access_token, every API call is signed with it to authenticate the source.

JoomGap appSession is a session object, a JG Library session manager. It handles access to, and persistence of, these variables:

  • base-url-domain
  • api-protocol
  • consumer-key
  • consumer-secret
  • access_token (if user has already authorized the application)

In Joocial, two pages receive the API calls and manage the user login:

  • API entry-point: index.php?option=com_autotweet&view=mapis&task=run&format=json
  • Login form: index.php?option=com_autotweet&view=mlogin&tmpl=component

Following the workflow described above, these are the authorization function calls, made via the JG Framework / OAuth authorization factory:

  • JgOAuth - login() - First Step
    • index.php?option=com_autotweet&view=mapis&task=run&format=json
    • request_token - AutotweetControllerMapis->getRequestToken()
  • JgOAuth - login() - Second Step - Login form
    • index.php?option=com_autotweet&view=mlogin&tmpl=component
  • JgOAuth - login() - Final Step
    • index.php?option=com_autotweet&view=mapis&task=run&format=json
    • access_token - AutotweetControllerMapis->getAccessToken()
  • JgOAuth - logout()
    • index.php?option=com_autotweet&view=mapis&task=run&format=json
    • logout - AutotweetControllerMapis->execLogout()

What is the role of the "plg_system_joocialgap" plugin? In the Joocial design, this plugin provides the JoomGap library (JgOAuthServer and JgOAuthSessionTokenStore) as a separate download. In other extensions, the JoomGap library can be packaged inside the extension itself, within its internal structure (without the additional plugin).
