BackendApplicationFlow or LegacyApplicationFlow with kopano-konnectd possible?
-
Hi,
I am looking for a way to get our python program using python-kopano to be ported to windows. I was told that the new Grapi using konnectd/kapi would be the way to go (python-kopano obviously is not available on Windows). So our IT provider installed a test version of kopano-konnectd and others (running Meet and the Webapp). I have also figured out how to retrieve a token and use it to access contents.
However, the authorization grant type used is the WebApplicationFlow (referring to https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#web-application-flow). This flow requires accessing a webpage, which redirects to a certain predefined URL upon login. This is obviously the route to go for a web application. However, the application we are developing is not a web application. Rather, it is an application trying to access just one specific mailbox. Parts of the application run in CLI mode only, so there is no possibility to redirect to a URL. Further, mostly, the program will run in server mode. Hence, no interaction is possible.
When trying to get the other ApplicationFlows working, I only get an “unsupported grant_type value” error, which is rather self-explanatory. And indeed, when looking at the code of token.go it seems that only two flows are supported:
    case oidc.GrantTypeAuthorizationCode:
        // breaks
    case oidc.GrantTypeRefreshToken:
Hence, I would need to know, if I am right that kopano-konnect is not able at the moment to allow for a non-browser login (and if so I wonder why grapi has been advertised as a replacement for python-kopano on windows). If I am wrong, I would need a pointer in the direction to go to make this happen.
Thanks in advance and best regards,
m.
-
None of the flows which involve knowledge of user credentials by the application itself are supported by Konnect. Like you already found, this is intentional, and these are referred to as the so-called “legacy flows”.
If you have a server application which wants to access data on behalf of a certain user, the user must grant access to this server application using one of the supported flows. For native applications, you can use the backend application flow to do just that.
At some point the backend application must present a web login to the end user which requests the user's consent that this backend application is allowed to access the personal user data as requested by the provided claims.
Getting access to the API without a user is currently unsupported (client credentials grant flow) but on our roadmap for Konnect.
Having said that, even without involving a particular user directly, you could create a service user inside the backend system and do the web based authentication flow using a service script which ultimately can result in a refresh token, which your backend application can then store and use to exchange for fresh access tokens as needed. Find an example of a script doing that at https://stash.kopano.io/projects/KC/repos/kapi/browse/test/get-access-token.py
-
Hi @longsleep,
Thank you very much for the detailed explanation. So I am eagerly looking forward to a client_credentials grant implementation in Konnect! Let me know if you need testing support.
The script you mentioned is actually already used by my test setup to log into konnect and make grapi requests. However, the json reply never has a REQUEST_TOKEN. This seems to be reflected by that snippet in the script (I use ‘env’ at the moment to dump the json data to a file):
    elif flags.format == "env":
        print("TOKEN_VALUE={}".format(token["access_token"]), file=output)
        print("EXPIRES_AT={}".format(token["expires_at"]), file=output)
        print("EXPIRES_IN={}".format(token["expires_in"]), file=output)
        print("TOKEN_TYPE={}".format(token["token_type"]), file=output)
        # refresh_token and id_token are optional in the token reply
        rt = token.get("refresh_token")
        if rt:
            print("REFRESH_TOKEN_VALUE={}".format(rt), file=output)
        it = token.get("id_token")
        if it:
            print("ID_TOKEN_VALUE={}".format(it), file=output)
So obviously, the script tries to get the REFRESH_TOKEN but in my case cannot retrieve it.
What do I need to do to get the REFRESH_TOKEN? For now I only receive an ID_TOKEN. Did I understand you correctly that once I have such a refresh token, I simply use it to get an access token? Or would I have to do the user grant each time the refresh token has expired (if it expires)?
Thanks!
-
@marlemion said in BackendApplicationFlow or LegacyApplicationFlow with kopano-konnectd possible?:
However, the json reply never has a REQUEST_TOKEN.
If you don’t get a request token back, you most likely do not request one (in OpenID Connect this is controlled by requesting the offline_access scope, see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess).
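The two replies above describe the same mechanism from both ends: the authorization request has to carry the offline_access scope before the token endpoint will return a refresh token, and once the backend has that refresh token it exchanges it for fresh access tokens with the refresh_token grant instead of repeating the web login. The script below is an added illustration of those pieces using only the Python standard library; it is not the thread's code and not Kopano's get-access-token.py. The endpoint URLs, client id, redirect URI and the two token replies are constructed placeholders (a real Konnect deployment publishes its endpoints in its OpenID Connect discovery document), and no request is actually sent.

```python
"""Added example, not from the thread or from Kopano's kapi/konnect code.

Shows (1) why a refresh token is missing when offline_access is not
requested, (2) how to read the optional refresh_token from a token reply,
and (3) the form body a backend sends to turn a stored refresh token into
a fresh access token. Everything runs offline on constructed data.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions): take real values from the
# provider's /.well-known/openid-configuration and client registration.
AUTHORIZATION_ENDPOINT = "https://konnect.example.test/authorize"
TOKEN_ENDPOINT = "https://konnect.example.test/token"
CLIENT_ID = "example-backend-client"
REDIRECT_URI = "http://localhost:8080/callback"


def build_authorization_url(offline, state="constructed-state"):
    """Authorization Code request; offline_access asks for a refresh token."""
    scope = ["openid", "profile", "email"]
    if offline:
        scope.append("offline_access")  # without this, no refresh_token comes back
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),
        "state": state,  # bind the callback to this request (CSRF protection)
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def requested_scopes(url):
    """Scopes carried by an authorization URL, as a set."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def parse_token_response(body):
    """Normalise a token endpoint JSON reply; refresh_token/id_token are optional."""
    token = json.loads(body)
    return {
        "access_token": token["access_token"],
        "token_type": token["token_type"],
        "expires_in": token.get("expires_in"),
        "refresh_token": token.get("refresh_token"),
        "id_token": token.get("id_token"),
    }


def refresh_grant_form(refresh_token):
    """Form fields a backend POSTs to TOKEN_ENDPOINT to renew its access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
    }


def needs_refresh(obtained_at, expires_in, now, leeway=60):
    """True when the access token is expired or within `leeway` seconds of it."""
    return now >= obtained_at + expires_in - leeway


# Constructed sample replies. The first is what a login without
# offline_access yields (only access and ID token); the second includes
# the refresh token that the backend should persist.
REPLY_WITHOUT_OFFLINE = json.dumps({
    "access_token": "at-constructed-1", "token_type": "Bearer",
    "expires_in": 3600, "id_token": "idt-constructed-1",
})
REPLY_WITH_OFFLINE = json.dumps({
    "access_token": "at-constructed-2", "token_type": "Bearer",
    "expires_in": 3600, "id_token": "idt-constructed-2",
    "refresh_token": "rt-constructed-2",
})


if __name__ == "__main__":
    for offline in (False, True):
        print(build_authorization_url(offline))
    for body in (REPLY_WITHOUT_OFFLINE, REPLY_WITH_OFFLINE):
        print("refresh_token:", parse_token_response(body)["refresh_token"])
    stored = parse_token_response(REPLY_WITH_OFFLINE)["refresh_token"]
    print("renewal body:", urlencode(refresh_grant_form(stored)))
```

The refresh token is the long-lived credential here: the backend keeps it in protected storage and only ever sends it to the token endpoint, while the short-lived access tokens go to the API; if the identity provider rotates refresh tokens on use, replace the stored one with the value from each refresh reply.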